
Three lines model

What is the three lines model and what is its purpose?

The three lines model is a risk management approach to help organizations identify and manage risks effectively by creating three distinct lines of defense.

Defined by the Institute of Internal Auditors (IIA), the model is based on the idea that these three lines of defense work together to provide structure around risk management and internal governance.

The model clearly defines roles including oversight by a governing body, senior management and independent assurance.

This model applies to all organizations and can do the following:

  • Adapt to meet organizational objectives.
  • Focus on risk management to meet and achieve objectives.
  • Understand the roles and responsibilities of all positions in the model and their relationship with one another.
  • Execute measures to align activities and objectives to the stakeholders' interests.

Explaining the three lines of defense

The three lines model uses a comprehensive approach to manage risk. Business units, compliance, audit and other risk management employees are among the groups that make up the three lines of defense, and each has a specific function. Here is a breakdown of the three lines:

  • First line. Management, department or process owners -- or anyone on the front lines -- are the first line of defense. Their primary responsibility is to control and take ownership of risks associated with daily activities. They also implement controls, develop internal policies, supervise employee policy execution and monitor risk factors with decisions and actions.
  • Second line. The second line of defense includes risk management and compliance areas -- such as a risk manager, compliance officer or information security officer. The second line of defense areas are responsible for implementing the company's risk management program and monitoring the process and implementation of these policies. They also identify emerging risks within the daily operation of the business.
  • Third line. The third line of defense includes both external and internal auditors. Their main responsibility is to ensure the effectiveness of the first and second lines of defense. They also review and evaluate the design and implementation of the risk management program. Internal auditors typically report to the board, regulators and external auditors about the company's risk management design and operation.

The three lines model is widely acknowledged by many industries as the governance model of risk. Its implementation varies among industries and company sizes.


[Figure: Chart of the three defense lines of the three lines model, including accountability, delegation and alignment.]

Key roles in the three lines model

The three lines model establishes a clear division of roles and responsibilities for accountability and transparency. The IIA lists the following as key roles in the model along with the breakdown of responsibilities in each role. Organizations may differ in their distribution of responsibilities, but the IIA gives these high-level overviews for each area.

The governing body

The governing body accepts responsibility for managing the organization on behalf of the stakeholders. Responsibilities include the following:

  • Engage stakeholders to monitor their interests.
  • Maintain open communication about the goal accomplishments.
  • Foster a culture of inclusivity and accountability.
  • Establish the organization's risk appetite and supervise risk management including internal controls.
  • Monitor ethical, statutory and legal requirements.
  • Create and manage an independent internal audit process.

First line management roles

The first line management roles lead and direct all actions of the plan in place, including managing risks and applying resources to the risk goals of the organization. Responsibilities include the following:

  • Maintain communication with the governing body and report all risks including planned, actual and expected outcomes in relation to the company objectives.
  • Create and manage appropriate frameworks and procedures for the management of operations and risk. This includes internal controls.
  • Ensure ethical, legal and regulatory compliance.

Second line management roles

The second line management roles offer support and expertise to monitor any risk management. Responsibilities include the following:

  • Create ongoing processes, systems and entities for improvement to the risk management process.
  • Achieve risk management goals such as internal control, information security, sustainability and quality assurance.
  • Research and report the effectiveness of risk management including internal control.

Internal audit roles

The internal audit roles are primarily accountable to the governing body for assurance over risk management. Responsibilities include the following:

  • Provide management and governing body with independent and unbiased assurance on the effectiveness of the risk management controls.
  • Notify the governing body of any issues affecting the independence and objectivity of the risk management program.
  • Take appropriate action to put protection in place when necessary.

External assurance providers

These roles provide additional assistance to protect the interests of the stakeholders and regulatory compliance. Responsibilities include the following:

  • Review statutory and regulatory compliance and stay current on new rules and regulations affecting the organization.
  • Supplement internal sources with external ones at the request of management and the governing body.


6 guiding principles of the three lines model

To optimize the effectiveness of the three lines model, organizations should adopt a principle-based approach. The IIA lists these six principles to guide an organization's three lines model for risk management:

  1. Governance. Governance gives accountability to the stakeholders and structures the organization's leadership and integrity. The organization can make risk-based decisions for the health of the organization and its stakeholders. Using recommendations from the internal audit function helps encourage ongoing development of these risk management procedures.
  2. Governing body roles. The governing body makes certain that the necessary procedures and frameworks are in place to safeguard the interests of the stakeholders. They also make sure that moral, ethical and legal standards are upheld.
  3. Management and first- and second-line roles. The first line roles should ensure products or services are delivered safely to the customers. The second line roles help manage the risk by offering expertise and monitoring and managing any regulatory issues or unethical behavior. The second line offers a broader responsibility such as enterprise risk management, but the first line is responsible for managing the risk at a higher level.
  4. Third line roles. Internal audit gives an objective assurance that the risk management initiatives are effective. Internal audit uses independent systems and expertise with approaches to review risk management processes. The third line roles report findings to management and governing body to make any needed improvements.
  5. Third line independence. Internal audit is an independent body that provides credibility and authority to its findings. Internal audit is not associated with management so it can provide findings that are free from bias to prevent any interference in organizational planning.
  6. Creating and protecting value. The main goal of all these roles working together is to prioritize the stakeholders' interests. They align activities through cooperation and communication. All risk-based decisions should be transparent and reliable with the alignment of these areas.

Benefits of the three lines model

The three lines model helps organizations proactively manage and address risks with enhanced governance and resilience. This model helps an organization establish a foundation for growth and success. Some of the key advantages of this model include the following:

  • Clear accountability. All roles and responsibilities are defined for each of the different lines of defense. The risk management duties are also allocated appropriately so there is clear ownership of risks at all levels of the organization. This helps minimize any gaps in risk oversight.
  • Objective analysis. The third line provides independent and objective assessments of the effectiveness of the risk management processes. The external perspective gives stakeholders confidence that risks are managed adequately. This perspective also provides insights for continuous improvement.
  • Improved communication. The three lines model promotes structured communication and collaboration among the different lines of defense and with the audit committee. It encourages sharing information, insights and best practices for a more effective risk management strategy across the overall organization.
  • Increased governance. The risk management and compliance functions in the second line help establish and enforce consistent risk management processes. This ensures the organization follows relevant regulations and industry standards, and minimizes legal and reputational risks.
  • Efficient resource allocation. Distributing the risk management responsibilities across the three lines ensures that organizations allocate resources more efficiently. The operational staff can focus on day-to-day risk management and dedicated risk management and audit professionals can oversee the overall risk landscape.
  • Complete risk awareness. The model looks at the holistic view of risk and considers both strategic and operational risks. By looking at these risks from a comprehensive perspective, the organization can proactively manage any emerging risks and capitalize on opportunities. The model also encourages a culture of risk-aware decision-making.

Challenges with the model's effectiveness

There are numerous benefits to the three lines model, but there are also some challenges and potential drawbacks. Organizations can address these challenges with careful planning, continuous communication and training.

Some of the three lines model effectiveness challenges include the following:

  • Skills and knowledge gap. Operational staff in the first line of defense may lack the skills and expertise needed for comprehensive risk management. Organizations may need to provide training and support to ensure effective risk identification and mitigation.
  • Too much focus on compliance. There may be more of a mentality to meet regulatory requirements instead of managing risks specific to the organization.
  • Change management. Introducing the three lines model requires change management efforts to get buy-in from employees at all levels of defense. Some employees may resist change and question the model's effectiveness.
  • Resource allocation. To get adequate resourcing, organizations need to distribute risk management responsibilities across different lines, which requires personnel, training and technology. Finding the right number of resources may be a challenge if companies do not have separate risk and audit departments.
  • Risk ownership. Creating clear risk ownership across different lines may be challenging. Staff in the first line of defense may not fully embrace their role in risk management. This could lead to insufficient risk identification and mitigation.
  • Scalability. The three lines model may be challenging to implement in a large organization with a diverse risk landscape. Larger organizations' risks may evolve constantly, so adapting the model to fit the organization's specific needs may be a complex process.
  • Reporting. Organizations need to determine how to quantify and assess the effectiveness of each line's risk management efforts. These metrics should show the stakeholders the value of the risk management activities.

This was last updated in August 2023
