The New Three Lines Model: Evolving Risk and Strategy


The year 2020 could indeed be epitomized by remarks such as “We didn’t see that coming” or “Well, that escalated quickly.” Such unpreparedness for unforeseen or underestimated threats is an untenable stance for any entity. It’s evident that organizations must anticipate and manage a spectrum of risks as they move forward. Several of these risks, potentially consequential in financial and operational terms, often lie beyond the immediate control of the organization, affecting stakeholders profoundly. This underscores the necessity of a robust risk management framework like the three lines model, which delineates clear roles and responsibilities across operational management, compliance functions, and internal audit to safeguard the interests of the organization and its stakeholders.

The Relevance and Adaptability of the Three Lines Model

Major events such as the global financial crisis (GFC) in 2008 or COVID-19 in 2020 highlight the need for a fully effective GRC approach. This requires boards and management to be clear on their roles and responsibilities for governance, risk management and control. This is where the Three Lines Model comes in.

The model, originally called the Three Lines of Defense, has existed since the early 2000s but came to prominence among financial institutions following the GFC in 2008. Since then, it has been more widely adopted by larger organisations in the private and public sectors.

In 2020 the Institute of Internal Auditors (IIA) updated the model to make it more flexible and easier to implement for small to medium-sized organisations. It also changed the name to the Three Lines Model in recognition that risk management is not just about defence and protection of value, but also about opportunity and creation of value.

What is the Three Lines Model of Defense?

[Figure: diagram of the Three Lines Model]

The Three Lines Model helps organisations identify structures, processes, roles and responsibilities that best assist the achievement of objectives and facilitate strong governance and risk management. In this respect, it is a useful addition to an organisation’s governance and risk management policies.

The First Line of Defense

The First Line undertakes the following roles:

  • managing risks, actions and resources to achieve organisational objectives
  • communicating with the governing body on the outcomes related to risk management
  • establishing and maintaining structures and processes for the management of operations and risk (including internal control)
  • ensuring compliance with legal, regulatory and ethical expectations

The Second Line of Defense

The Second Line provides support to, monitoring of, and challenge to First Line management, including:

  • development, implementation, and continuous improvement of risk management practices (including internal control) at a process, systems, and entity level
  • achievement of risk management and compliance objectives
  • analysis and reporting on the adequacy and effectiveness of risk management (including internal control)
The Third Line of Defense

Unlike the First and Second Lines, the Third Line consists of independent assurance roles undertaken by Internal Audit:

  • maintaining primary accountability to the governing body and independence from management’s responsibilities
  • communicating independent and objective assurance and advice to management and the governing body on the adequacy and effectiveness of governance and risk management (including internal control)
  • reporting impairments to independence and objectivity to the governing body and implementing safeguards
Implementing the Three Lines of Defense Model

The Three Lines Model can only work when it is well understood, well coordinated and supported from the top of the organisation. Every organisation can benefit from this approach, no matter their size or complexity.

While the above is a concise overview of the IIA’s Three Lines Model, you can view the original paper for a more detailed explanation.

To find out how our Camms Risk Software Solution can help you successfully implement a Three Lines Model, book a demo with us today!

Brad Smith

Principal Consultant
