Why It Matters
The most common failure in compliance programs is unclear accountability: everyone thinks someone else is managing the risk. The Three Lines Model solves this by clearly defining who owns risk (first line), who oversees and advises (second line), and who provides independent assurance (third line). It's the governance backbone used by regulators, auditors, and boards worldwide.
The Three Lines
First Line: Management and Operations
Role: Own and manage risk
- Business unit managers and frontline teams
- Implement controls and processes daily
- Make risk decisions in their areas of responsibility
- First to identify and escalate emerging risks
- Example: A sales manager ensures their team follows GDPR rules when handling customer data
Second Line: Risk and Compliance Functions
Role: Provide expertise, oversight, and challenge
- Compliance officers, risk managers, data protection officers
- Develop policies, frameworks, and standards
- Monitor and report on risk management effectiveness
- Advise the first line on compliance requirements
- Example: The compliance team designs the AML training program and monitors completion rates
Third Line: Internal Audit
Role: Provide independent, objective assurance
- Internal audit function reporting to the board/audit committee
- Independently evaluates the effectiveness of both first and second lines
- Reports findings directly to senior management and the board
- Does not manage risk; it only assesses whether risk management works
- Example: Internal audit tests whether the AML controls are actually effective, not just documented
How They Interact
Board / Governing Body
├── Sets direction, provides oversight
│
├── Third Line (Internal Audit)
│   └── Independent assurance to the board
│
├── Second Line (Compliance, Risk)
│   └── Oversight, expertise, monitoring
│
└── First Line (Management, Operations)
    └── Owns and manages risk daily
Key principles:
- No gaps: every risk should be owned by someone
- No overlaps: clear delineation prevents confusion
- Independence: the third line must be independent from the first and second
- Alignment: all three lines work toward the same organizational objectives
- Board oversight: the governing body oversees all three lines
The 2020 Update
The IIA updated the model from "Three Lines of Defense" to "Three Lines Model" in 2020. Key changes:
- Removed "defense" language: risk management is about value creation, not just defense
- Emphasized collaboration between lines, not just separation
- Clarified the governing body's role as distinct from the three lines
- Stressed that all lines contribute to value creation, not just risk mitigation
- Acknowledged that roles may flex based on organizational context
Common Mistakes
- Second line doing the first line's job: the compliance team managing risks instead of advising
- Third line losing independence: internal audit reporting to management instead of the board
- First line abdicating responsibility: "that's compliance's problem"
- Understaffed second line: one compliance officer for the entire organization
- No clear escalation: risks identified but not communicated upward
Key Frameworks
- IIA Three Lines Model (2020): the authoritative framework
- Basel Committee (banking): applies the three lines to banking supervision
- COSO ERM: complementary enterprise risk management framework
- ISO 31000: risk management that integrates with the three lines structure