Three Lines of Defense (Three Lines Model)

The most common failure in compliance programs is unclear accountability — everyone thinks someone else is managing the risk. The Three Lines Model solves this by clearly defining who owns risk (first line), who oversees and advises (second line), and who provides independent assurance (third line). It's the governance backbone used by regulators, auditors, and boards worldwide.

First Line: Management and Operations

Role: Own and manage risk

• Business unit managers and frontline teams
• Implement controls and processes daily
• Make risk decisions in their areas of responsibility
• First to identify and escalate emerging risks
• Example: A sales manager ensures their team follows GDPR rules when handling customer data

Second Line: Risk and Compliance Functions

Role: Provide expertise, oversight, and challenge

• Compliance officers, risk managers, data protection officers
• Develop policies, frameworks, and standards
• Monitor and report on risk management effectiveness
• Advise the first line on compliance requirements
• Example: The compliance team designs the AML training program and monitors completion rates

Third Line: Internal Audit

Role: Provide independent, objective assurance

• Internal audit function reporting to the board/audit committee
• Independently evaluates the effectiveness of both first and second lines
• Reports findings directly to senior management and the board
• Does not manage risk — only assesses whether risk management works
• Example: Internal audit tests whether the AML controls are actually effective, not just documented

Board / Governing Body
├── Sets direction, provides oversight
│
├── Third Line (Internal Audit)
│   └── Independent assurance to the board
│
├── Second Line (Compliance, Risk)
│   └── Oversight, expertise, monitoring
│
└── First Line (Management, Operations)
    └── Owns and manages risk daily

Key principles:

• No gaps — every risk should be owned by someone
• No overlaps — clear delineation prevents confusion
• Independence — third line must be independent from first and second
• Alignment — all three lines work toward the same organizational objectives
• Board oversight — the governing body oversees all three lines

The IIA updated the model from "Three Lines of Defense" to "Three Lines Model" in 2020. Key changes:

• Removed "defense" language — risk management is about value creation, not just defense
• Emphasized collaboration between lines, not just separation
• Clarified the governing body's role as distinct from the three lines
• Stressed that all lines contribute to value creation, not just risk mitigation
• Acknowledged that roles may flex based on organizational context

• Second line doing first line's job — compliance team managing risks instead of advising
• Third line losing independence — internal audit reporting to management instead of the board
• First line abdicating responsibility — "that's compliance's problem"
• Understaffed second line — one compliance officer for the entire organization
• No clear escalation — risks identified but not communicated upward

• IIA Three Lines Model (2020) — the authoritative framework
• Basel Committee (banking) — applies the three lines to banking supervision
• COSO ERM — complementary enterprise risk management framework
• ISO 31000 — risk management integrates with the three lines structure