What is the three lines model and what is its purpose?
The three lines model is a risk management approach to help organizations identify and manage risks effectively by creating three distinct lines of defense.
Also known as the three lines of defense model, the three lines model was originally defined by the Institute of Internal Auditors. The IIA based the model on the idea that three lines of defense work together to provide structure around risk management and internal governance. The model clearly defines roles, including oversight by a governing body, senior management and independent assurance.
This model applies to all organizations and aims to serve the following purposes:
- Adapt to meet organizational objectives.
- Focus on risk management to meet and achieve objectives.
- Understand the roles and responsibilities of all positions in the model and their relationship with one another.
- Execute measures to align activities and objectives to the stakeholders' interests.
- Foster structured collaboration and communication across various lines of defense.
Breaking down the three lines of defense (3LoD)
The three lines of defense model is widely acknowledged as the governance model for risk. It uses a comprehensive approach to managing risk, and its implementation varies among industries and by company size.
Business units, compliance, audit and other risk management employees are among the groups that make up the three lines of defense, and each has a specific function. Here is a breakdown of the three lines:
First line of defense: Management
Management, department or process owners -- or anyone on the front lines -- are the first line of defense. Their primary responsibility is to control and take ownership of risks associated with daily activities. They also execute risk controls, develop internal policies, own processes, supervise employee policy execution and monitor risk factors with decisions and actions.
Second line of defense: Risk management and compliance
The second line of defense provides oversight and support to the first line. It includes risk management and compliance functions, such as a risk manager, compliance officer or information security officer.
The second line of defense is responsible for implementing the company's risk management program and monitoring the process and application of these policies. Managers involved with the second line also identify emerging risks within the daily operation of the business.
Third line of defense: Internal and external audits
The third line of defense includes both external and internal auditors. Their main responsibility is to ensure the effectiveness of the first and second lines of defense. This line of defense also reviews and evaluates the design and execution of the risk management program. Internal auditors typically report to the board, regulators and external auditors about the company's risk management design and operation.

Key roles in the three lines model
The three lines of defense model establishes a clear division of roles and responsibilities for accountability and transparency. The IIA lists four key roles in the model, along with the breakdown of responsibilities in each role. Organizations often differ in their distribution of responsibilities, but, according to the IIA, the following are high-level overviews of each area.
The governing body
This group accepts responsibility for managing the organization on behalf of the stakeholders. Its responsibilities include the following:
- Establish the organization's vision, mission, values and strategic objectives.
- Engage stakeholders to monitor their interests.
- Maintain open communication about progress toward the organization's goals.
- Foster a culture of inclusivity and accountability.
- Establish the organization's risk appetite and supervise risk management, including internal security controls.
- Monitor ethical, statutory and legal requirements.
- Create and manage an independent internal audit process.
First-line management roles
First-line management roles lead and direct the organization's activities, including managing risks and applying resources to the organization's risk objectives. Responsibilities include the following:
- Identify, own, manage and mitigate risks in daily operations.
- Maintain communication with the governing body and report all risks, including planned, actual and expected outcomes, in relation to the company's objectives.
- Create and manage appropriate frameworks and procedures for the management of operations and risk. This includes internal controls.
- Ensure ethical, legal and regulatory compliance.
Second-line management roles
Second-line management offers support and expertise in monitoring risk management. Responsibilities include the following:
- Create ongoing processes, systems and entities for improvement to the risk management process.
- Monitor and support the first line in managing risks.
- Achieve risk management goals, such as internal control, information security, sustainability and quality assurance.
- Assess and report on the effectiveness of risk management, including internal control.
Third line of defense: Internal and external audit roles
Internal auditors have primary accountability to the governing body for their assurance work on risk management. Responsibilities include the following:
- Notify the governing body of any issues with the independence and objectivity of the risk management program.
- Provide management and the governing body with independent and unbiased assurance on the effectiveness of the risk management controls.
- Take appropriate action to put protection in place when necessary.
- Report findings and recommendations to the governing body.
External auditors provide additional assistance to protect the interests of the stakeholders and ensure regulatory compliance. Responsibilities include the following:
- Review statutory and regulatory compliance and stay current on new rules and regulations affecting the organization.
- Supplement internal resources with external expertise when management or the governing body requests it.
Relationships between the 3LoD roles
The relationships between the roles in the three lines of defense model are built on collaboration, oversight and independence. Each line plays a distinct part but interacts closely to ensure risk management and governance function effectively. The three lines interact with each other in the following ways:
First line interactions
- Interaction with the second line. The first line collaborates with the second line by seeking guidance on risk management practices, risk management compliance requirements and control frameworks. It might also report on risk-related matters to ensure alignment with organizational objectives.
- Interaction with the third line. While the first line operates independently, it provides information and access to the third line for independent assurance activities. This allows internal auditors to evaluate the effectiveness of risk management and control processes.
Second line interactions
- Interaction with the first line. The second line offers expertise, tools and resources to assist the first line in managing risks. This line might conduct training sessions, provide guidance on risk assessments and support the execution of controls.
- Interaction with the third line. The second line collaborates with the third line by sharing information on risk management activities and outcomes. This partnership enables internal audits to assess the effectiveness of the organization's risk management framework and make recommendations for improvement.
Third line interactions
- Interaction with the first line. The third line reviews the first line's risk management and control activities through audits and assessments. It provides feedback and recommendations to enhance the effectiveness of these processes.
- Interaction with the second line. The third line assesses the second line's oversight and support functions, ensuring that risk management and compliance activities are effective. It collaborates to identify areas for improvement and ensure alignment with organizational objectives.
Beyond the three lines themselves, the governing body maintains communication with all of them to monitor risk management activities, receive assurance reports and provide strategic direction. This oversight ensures that the organization operates within its defined risk appetite and achieves its objectives.
6 guiding principles of the three lines model
To optimize the effectiveness of the three lines model, organizations should adopt a principle-based approach. The IIA lists these six principles to guide an organization's three lines model for risk management:
- Governance. This gives accountability to the stakeholders and structures the organization's leadership and integrity. The organization can make risk-based decisions for the health of the organization and its stakeholders. Using recommendations from the internal audit function helps encourage the ongoing development of these risk management procedures.
- Governing body. This group ensures that the necessary procedures and frameworks are in place to safeguard the interests of the stakeholders. It also makes sure that moral, ethical and legal standards are upheld.
- Management and first- and second-line roles. The first-line roles ensure products or services are delivered safely to the customers. The second line helps manage risk by offering expertise and by monitoring and managing any regulatory issues or unethical behavior. The second line carries broader responsibilities, such as enterprise risk management, but the first line is responsible for managing the risk at a higher level.
- Third-line roles. Internal audit gives an objective assurance that risk management initiatives are effective. Internal auditors use independent systems and expertise to review risk management processes. The third line reports findings to management and the governing body to make any needed improvements.
- Third line independence. Internal audit is an independent body, which lends credibility and authority to its findings. Because internal audit is not part of management, it can provide findings that are free from bias and from interference in organizational planning.
- Creating and protecting value. The main goal of all these roles working together is to prioritize the stakeholders' interests. They align activities through cooperation and communication. All risk-based decisions should be transparent and reliable with the alignment of these areas.
Benefits of the three lines model
The three lines model helps organizations proactively manage and address risks with enhanced governance and resilience. This model helps an organization establish a foundation for growth and success. Some of the key advantages of this model include the following:
- Clear accountability. All roles and responsibilities are defined for each of the different lines of defense. The risk management duties are also allocated appropriately so there is clear ownership of risks at all levels of the organization. This helps minimize any gaps in risk oversight.
- Objective analysis. The third line provides independent and objective assessments of the effectiveness of the risk management processes. This external perspective gives stakeholders confidence that risks are managed adequately and also provides insights for continuous improvement.
- Improved communication. The three lines model promotes structured communication and collaboration among the different lines of defense and the audit committee. It encourages sharing information, insights and best practices for a more effective risk management strategy across the overall organization.
- Increased governance. The risk management and compliance functions in the second line help establish and enforce consistent risk management processes. This ensures the organization follows relevant regulations and industry standards and minimizes legal and reputational risks.
- Efficient resource allocation. Distributing the risk management responsibilities across the three lines ensures that organizations allocate resources more efficiently. The operational staff can focus on day-to-day risk management and dedicated risk management and audit professionals can oversee the overall risk landscape.
- Complete risk awareness. The model looks at the holistic view of risk and considers both strategic and operational risks. By looking at these risks from a comprehensive perspective, the organization can proactively manage any emerging risks and capitalize on opportunities. The model also encourages a culture of risk-aware decision-making.
- Increased stakeholder confidence. Effective execution of the three lines of defense model increases the confidence of stakeholders, including investors, customers and employees. A transparent and well-structured risk management framework, validated by independent assessments, builds trust with investors, regulators, customers and other stakeholders.
- Continuous improvement. The three lines model encourages continuous monitoring and improvement of risk management processes. By adapting to new risks and changing business environments, organizations enhance their resilience and maintain effective risk management strategies.
Challenges with the model's effectiveness
There are numerous benefits to the three lines model, but there are also some challenges and potential drawbacks. Organizations can address these challenges with careful planning, continuous communication and training.
Challenges to the model's effectiveness include the following:
- Skills and knowledge gaps. Operational staff in the first line of defense can lack the skills and expertise needed for comprehensive risk management. Organizations must provide training and support to ensure effective risk identification and mitigation.
- Too much focus on compliance. A focus on meeting regulatory requirements instead of managing risks specific to the organization can lead to dysfunctional outcomes.
- Change management. Introducing the three lines model requires change management efforts to get buy-in from employees at all levels. Some employees might resist change and question the model's effectiveness.
- Resource allocation. Distributing risk management responsibilities across the different lines requires adequate resourcing: personnel, training and technology. Securing the right level of resources can be a challenge if companies do not have separate risk and audit departments.
- Risk ownership. Creating clear risk ownership across different lines is challenging. Staff in the first line of defense might not fully embrace their role in risk management. This can lead to insufficient risk identification and mitigation.
- Scalability. The three lines model can be challenging to execute in a large organization with a diverse risk landscape. Larger organizations' risks evolve constantly, so adapting the model to fit the organization's specific needs is a complex process.
- Reporting. Organizations need to determine how to quantify and assess the effectiveness of each line's risk management efforts. These metrics should show the stakeholders the value of the risk management activities.
- Role ambiguity. Organizations sometimes struggle to clearly distinguish responsibilities among the three lines, leading to inefficiencies in risk management. Overlapping duties between the second and third lines can also blur accountability.
- Potential for bureaucracy. The three lines model has the potential to increase bureaucracy because of its layered structure, which can cause inefficiencies. To mitigate this, the second line must refrain from excessive involvement in day-to-day risk activities when the first line is performing effectively. This ensures the second line's contributions are truly value-adding and not redundant.
The future of the 3LoD model
The three lines of defense model is continuously evolving to remain relevant in a rapidly changing risk landscape. Some key trends shaping its future include the following:
- Enhanced integration and collaboration. The traditional separation between the three lines is evolving into a more integrated and cooperative framework. Companies are moving toward dynamic risk management approaches that integrate cross-functional teams.
- Greater agility and adaptability. Since modern risks, such as cyberattacks and climate change, are constantly shifting, the risk management framework is also becoming more agile. This evolution lets organizations quickly identify, assess and adapt to emerging challenges.
- Integration with advanced technologies. The integration of advanced technologies such as artificial intelligence, automation and data analytics is transforming the 3LoD model. These technologies enable real-time risk monitoring, automation of assurance tasks and enhanced data-driven decision-making. By adopting these technologies, organizations can achieve more efficient and effective risk management processes.
- Upskilling across all lines. With the increased complexity of risks and the adoption of new technologies, personnel in all three lines will require continuous upskilling in areas like data ethics, cyber-resilience and AI governance.
- Emphasis on strategic risk management. Internal audit's role is evolving beyond mere assurance and is increasingly encompassing strategic advisory functions. This future-oriented approach will see internal audit providing value through proactive risk anticipation and strategic insights. This will require auditors to build stronger skills in data analytics, advanced risk assessment and effective stakeholder engagement.