The Three Lines of Defense Model
The Three Lines model answers a question every organization struggles with: who is actually responsible for managing risk? The answer is not one team. It is three, each with a distinct job, arranged so that nothing important falls through the cracks and no two groups waste effort covering the same ground. Get the lines clear and risk management becomes a system. Blur them and you get gaps dressed up as coverage.
The model is simple, which is its strength. Three lines, three jobs, one chain of accountability that ends at the board.
The three lines
Each line has a different relationship to risk. The first owns it, the second oversees it, and the third independently checks the other two. The order is not seniority; it is separation of duties.
At a glance
| Line | Role | Reports to |
|---|---|---|
| First | Owns and manages risk in daily operations | Management |
| Second | Sets policy, provides oversight, guides the first line | Management and the board |
| Third | Independent assurance that the other lines work | The board / governing body |
The most common failure is confusing oversight with assurance. The second line guides; the third line audits. When their scopes blur, risks get overlooked precisely because everyone assumes someone else has them covered.
Insight: The third line works only because it is independent. The moment internal audit starts helping design the controls it later reviews, it stops being assurance and becomes a fourth version of the second line. Independence is not a formality here; it is the entire point.
- The Three Lines model splits risk management into operations, oversight, and assurance.
- The first line owns and manages risk in daily work.
- The second line sets policy, provides oversight, and guides the first line.
- The third line, internal audit, independently checks that the first two work.
- The board sets the tone at the top by defining risk appetite and modeling it.
Frequently asked questions
What is the Three Lines of Defense model?
A model that divides risk management into three lines: business operations that own risk, risk and compliance functions that provide oversight, and internal audit that provides independent assurance. It clarifies who does what so risks are neither double-covered nor missed.
What does each line do?
The first line owns and manages risk in daily operations. The second line sets policy and provides oversight and guidance. The third line, internal audit, independently checks that the first two are working.
What is the difference between the second and third lines?
The second line provides oversight: it sets the framework and guides operations. The third line provides assurance: it independently evaluates whether the first and second lines are effective. Confusing the two leads to gaps.
What is the board’s role?
The board and senior management set the tone at the top by defining risk appetite, linking risk management to strategy, and modeling risk-conscious behavior. They rely on the second and third lines for reporting and assurance.