
People & Culture Risk Management Through the Lens of The IIA's Three Lines Model

A brief overview of the evolution of risk management and an examination of how People & Culture Risk Management functions as a second-line discipline or supports first-line roles within the IIA Three Lines Model.


The Evolution of Risk Management

Prior to the early 2000s, before major corporate collapses and the acceleration of digitalization reshaped the global risk landscape, risk management was largely driven by developments in the financial services and banking sector. Historically, many of these frameworks emerged in response to financial scandals, frauds, and systemic failures that eroded stakeholder confidence.

Major developments:

1974

Basel Committee on Banking Supervision established in response to disturbances in international currency and banking markets, particularly following the collapse of Bankhaus Herstatt in West Germany. The Herstatt failure exposed significant cross-border settlement and supervisory coordination risks, becoming a catalyst for greater international regulatory cooperation.

1985

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) formed to address fraudulent financial reporting following a series of accounting scandals in the 1970s and 1980s.

1992

COSO releases the Internal Control – Integrated Framework, which became a foundational reference for the design, implementation, and evaluation of internal control systems supporting effective governance, reliable reporting, and regulatory compliance.

1995

Barings Bank collapses due to unauthorized trading losses, revealing that failures in internal controls, oversight, and governance structures could be as catastrophic as market or credit exposures. This accelerated regulatory focus on operational risk within the Basel framework.

2002

Sarbanes–Oxley Act enacted following the Enron and WorldCom scandals, which had eroded stakeholder confidence in corporate governance and financial transparency.

2004

COSO releases Enterprise Risk Management – Integrated Framework, expanding the focus of risk management beyond internal control and financial reporting to encompass enterprise-wide risk management.

2013

The Institute of Internal Auditors formalizes the Three Lines of Defense model, clarifying how risk responsibilities should be distributed across operational management, risk oversight functions, and independent assurance.

2017

COSO updates the ERM framework as Enterprise Risk Management – Integrating with Strategy and Performance, reflecting the growing recognition that risk management is most effective when integrated with organizational decision-making and strategy execution.

2020

The IIA updates and reissues the framework as The Three Lines Model, emphasizing that management’s responsibility for achieving organizational objectives includes both first- and second-line roles. While operational leaders manage risks within their domains, second-line roles provide risk management expertise, support, monitoring, and challenge to strengthen risk oversight.

From Compliance to Resilience

While many risk management disciplines initially emerged in response to regulatory requirements, organizations began adopting them more broadly by layering risk management structures alongside business functions to strengthen governance and improve audit readiness. Over time, organizations that meaningfully integrated enterprise risk management practices discovered benefits that extended beyond compliance. Structured risk oversight improved organizational resilience and helped prevent losses that could directly or indirectly affect financial performance and operational continuity.

The Rise of Domain-Specific Risk Disciplines

As risk management evolved beyond purely financial exposures, the expansion of the internet and digital technologies, together with increasing cross-border interconnectedness driven by globalization and trade liberalization, began transforming organizational systems. At the same time, regulatory regimes expanded to address a broader range of organizational risks. As a result, organizations increasingly recognized that different operational domains carried distinct risk profiles requiring specialized oversight disciplines. This led to the emergence of domain-specific risk practices such as IT risk management for technology environments, supply chain risk management for procurement and logistics operations, and operational risk management for core business processes. While functional leaders possessed deep understanding of their respective operational environments, the growing complexity of organizational systems, regulatory expectations, and interdependencies made it clear that functional awareness alone, in silos, was insufficient for effective risk management and governance.

The Three Lines Model

While business and functional leaders manage risks within their domains, the second-line roles provide risk management expertise, support, monitoring, and challenge to strengthen risk oversight across the organization.

If Functional Leaders Know the Risks, Why Is a Risk Management Layer Necessary?

Functional and business leaders possess the deepest operational understanding of their respective domains. Technology leaders understand system architecture and cyber exposure, supply chain leaders understand procurement and logistics vulnerabilities, and business leaders understand the operational realities of their processes. As a result, functional leadership is naturally positioned to identify, manage, and mitigate risks arising within their own activities. In governance terms, this responsibility forms the first line, where risk ownership and control execution reside.

However, operational proximity to risk also introduces structural limitations. Functional leaders are accountable for performance, delivery, and operational outcomes within their domains. The same processes that create value, such as product development, technology deployment, procurement expansion, or operational scaling, can also introduce new exposures. Because functional leaders are responsible for achieving business objectives, risk considerations within the first line may become blurred, or at times deprioritized, alongside growth, efficiency, and performance priorities.

As organizations scale and systems become more interconnected, this dual responsibility can make it difficult for operational units to evaluate the adequacy of their own controls or the broader enterprise implications of localized decisions.

A risk management layer addresses this structural gap. Rather than replacing operational ownership of risk, it provides a separate capability responsible for establishing consistent risk frameworks; identifying cross-functional exposures; assessing, mitigating, and monitoring risks; and ensuring that risk information is visible at the enterprise level. This second-line perspective enables organizations to detect patterns that may not be visible within individual functions, such as systemic control weaknesses, emerging risk concentrations, or governance gaps that span multiple domains.

The distinction between operational ownership and risk oversight is formalized in governance frameworks such as The IIA's Three Lines Model. Within this structure, management functions constitute the first line by owning and managing risks, risk management and compliance functions operate in the second line by providing expertise, support, monitoring, and challenge, and internal audit serves as the third line by providing independent and objective assurance on the effectiveness of governance, risk management, and internal control processes.

Viewed through this lens, the presence of a risk management layer is not a reflection of insufficient capability within business functions. Rather, it is a governance design principle intended to ensure that risk ownership, oversight, and assurance remain structurally distinct, enabling organizations to manage complexity, maintain control effectiveness, and support informed and risk-based decision-making across the enterprise.

People & Culture Risk Management

Operational expertise within a domain does not always translate into structured oversight of the risks arising from that domain. Technology leaders possess deep expertise in system architecture, software delivery, and infrastructure operations; however, IT Risk Management (ITRM) exists as a specialized risk discipline concerned with identifying, assessing, and monitoring technology-related risks at an enterprise level. Similarly, supply chain leaders manage procurement and logistics operations, while Supply Chain Risk Management (SCRM) focuses on vulnerabilities, such as supplier concentration, geopolitical exposure, and disruption risks, that may affect organizational continuity. Within business operations, Operational Risk Management is concerned with the identification, assessment, mitigation, and monitoring of risks arising from failures in internal processes, people, systems, or external events that may result in financial or operational losses. In practice, this includes evaluating weaknesses in operational processes, control environments, and governance structures that could expose the organization to such losses.

In the same way, organizations face people and culture risks.

People Risk

People Risk refers to the risk of financial, operational, legal, or reputational loss arising from human capital dependency, individual actions or inactions, knowledge or capability gaps, judgment errors, or misconduct within the organization.

Culture Risk

Culture Risk arises from organizational norms and incentive structures that influence individual and collective behaviour and may, over time, embed latent vulnerabilities within the operating environment.

PCRM as a Second-Line Discipline

Within the governance structure described by The IIA's Three Lines Model, People & Culture Risk Management (PCRM) emerges as a specialized second-line discipline concerned with identifying, assessing, and monitoring these exposures across the enterprise.

While People & Culture functions operate as the underlying organizational function responsible for workforce policies, talent processes, and employee relations, the risks arising from people and organizational dynamics are not confined to that function. Individuals across all enterprise units (technology, operations, finance, sales, and so on) can expose the organization to financial, operational, legal, compliance, reputational, or strategic risks through their actions or inactions, knowledge gaps, or conduct.

As a result, the scope of People & Culture Risk Management extends beyond workforce administration to examine how human factors across the enterprise may create or amplify organizational risk exposures. From this perspective, PCRM evaluates people- and culture-related risk not within a single function, but across the broader organizational system in which human decisions, knowledge, incentives, and behaviours interact with business processes and governance structures.

Just as technology risk is not limited to the IT function and supply chain risk extends beyond procurement to the broader network of suppliers, logistics, and operations, people-related risks emerge across the enterprise wherever human decisions, incentives, and capabilities influence organizational outcomes.

As organizations increasingly recognize that risk does not arise solely from financial exposures but from complex interactions between systems, processes, technology, and people, governance frameworks must evolve accordingly.

Just as technology environments require IT risk oversight and supply chain ecosystems require structured supply chain risk management, the people and culture dimensions within organizations introduce a distinct set of exposures that require structured oversight.

The purpose of People & Culture Risk Management is therefore to provide a structured lens for identifying, assessing, and monitoring risks arising from human capital dependencies, knowledge or capability gaps, individual and collective behavioural dynamics, organizational norms, and incentive structures at an enterprise level.

Viewed through the lens of The IIA's Three Lines Model, PCRM represents a natural extension of established risk governance principles, ensuring that people and culture, two of the most powerful forces shaping organizational outcomes, are subject to the same level of disciplined oversight as other critical risk domains.