Risk & Governance · Intermediate · 3-6 months to implement; ongoing operation · Est. 2013 by the Institute of Internal Auditors (IIA)

Three Lines Model

Also known as: Three Lines of Defence, 3LoD, IIA Three Lines Model

A governance model that structures an organization's risk management and assurance activities into three distinct lines: management controls, risk oversight functions, and independent assurance.

Quick Reference

Memory Aid

1st line: Owns risk (business). 2nd line: Oversees risk (compliance/risk). 3rd line: Assures independently (audit). Board oversees all.

TL;DR

The Three Lines Model clarifies risk governance: the business (1st line) owns and manages risks, risk/compliance functions (2nd line) provide oversight and expertise, and internal audit (3rd line) provides independent assurance. All report to the governing body. Emphasize first-line ownership and inter-line collaboration.

What Is the Three Lines Model?

Three groups manage risk: the people doing the work (1st line), the people overseeing risk and compliance (2nd line), and the people independently checking everything (3rd line — internal audit).

On Governance and Assurance

Internal audit is the last line of defense for an organization's board in ensuring effective governance, risk management, and internal controls.

Richard Chambers, former President and CEO, Institute of Internal Auditors (IIA)

The Three Lines Model clarifies roles and responsibilities for risk management and governance. The first line (management and operational teams) owns and manages risks in daily operations. The second line (risk management, compliance, and similar functions) provides expertise, monitoring, and challenge to the first line. The third line (internal audit) provides independent, objective assurance to the governing body. The 2020 update emphasizes that all three lines should collaborate and focus on value creation, not just compliance; it also makes clear that the lines describe roles rather than organizational units, so one team may hold first- and second-line roles as long as the distinction between doing and overseeing is preserved and the third line stays independent.

📊 Three Lines Model Structure

Three distinct lines of responsibility reporting to the governing body, each with a clear role in risk management.

Origin & Context

Originally the 'Three Lines of Defence' model, updated in 2020 to the 'Three Lines Model' emphasizing collaboration and value creation over defensive positioning.

Core Components

1

First Line: Management & Operations

The business units and operational teams that own and manage risks in their daily activities.

Example

A sales team implements KYC (Know Your Customer) checks as part of their onboarding process — they own the compliance risk.

2

Second Line: Risk & Compliance Functions

Specialist functions that provide frameworks, policies, monitoring, and challenge to the first line.

Example

The compliance department designs the KYC policy, monitors adherence, and challenges the sales team when gaps are found.

3

Third Line: Internal Audit

An independent function that provides objective assurance on the effectiveness of governance, risk management, and controls.

Example

Internal audit conducts an annual review of KYC processes, testing sample transactions and reporting findings to the audit committee.

4

Governing Body

The board or equivalent body that oversees all three lines and ensures accountability.

Example

The audit committee receives reports from all three lines and ensures appropriate action is taken on identified risks.

💡 Did You Know?

The original 'Three Lines of Defence' model was first formalized by the IIA in 2013, but the concept had been used informally in financial services since the early 2000s. The 2020 update was the most significant revision, dropping the military 'defence' metaphor to emphasize collaboration and value creation over adversarial positioning.

When to Use the Three Lines Model

Scenario 1

Establishing risk governance

Problem it solves: Unclear responsibilities for risk management lead to gaps and overlaps.

Real-World Application

A growing fintech company implements the Three Lines Model to clarify that product teams own product risks, the risk function provides oversight, and internal audit provides assurance.

Scenario 2

Regulatory compliance

Problem it solves: Regulators require clear governance structures for risk management.

Real-World Application

A bank uses the Three Lines Model to demonstrate to regulators that risk management responsibilities are clearly defined and operating effectively.

Scenario 3

Scaling governance with growth

Problem it solves: As organizations grow, informal governance breaks down.

Real-World Application

A 500-person company formalizes its risk governance using the Three Lines Model as it prepares for IPO.

🔎 2020 Update: From Defense to Value

The 2020 update renamed it from 'Three Lines of Defence' to 'Three Lines Model,' emphasizing that risk management should create and protect value, not just prevent losses.

How to Apply the Three Lines Model: Step by Step

Before You Start

  • Executive and board support for governance improvement
  • Existing (or planned) risk management and audit functions
  • Clear organizational structure
Tools:
  • RACI matrix for risk activities
  • Three Lines roles and responsibilities charter
  • Reporting framework

1

Map existing activities to the three lines

Identify which teams and functions currently perform first, second, and third line activities.

Tips

  • Many organizations already have elements of all three lines, just not formalized

Common Mistakes

  • Trying to create all three lines from scratch when they already exist informally

2

Clarify roles and responsibilities

Define clear mandates for each line, avoiding overlaps and gaps.

Tips

  • First line owns risk; second line advises and monitors; third line assures independently

Common Mistakes

  • Making the second line responsible for managing risks instead of the first line

3

Establish reporting lines

Ensure each line has appropriate reporting access to the governing body.

Tips

  • Internal audit must have a direct (functional) reporting line to the audit committee or board: the committee approves the audit charter and plan and the appointment and remuneration of the chief audit executive. Administrative reporting to the CEO for day-to-day matters is acceptable and common.

Common Mistakes

  • Internal audit reporting to management instead of the board — compromises independence

4

Foster collaboration

Create mechanisms for the three lines to share information and coordinate without compromising independence.

Tips

  • Regular coordination meetings between the lines
  • Shared risk registers and findings databases

Common Mistakes

  • Treating the three lines as silos that don't communicate

Value & Outcomes

Primary Benefit

Clarifies risk management roles and responsibilities, ensuring accountability and comprehensive coverage.

Additional Benefits

  • Reduces duplication and gaps in risk activities
  • Satisfies regulatory governance expectations
  • Enables appropriate independence for assurance functions

What You'll Learn

  • How to structure risk management responsibilities
  • How to maintain independence while fostering collaboration
  • How to scale governance with organizational growth

Typical Outcomes

  • Clear accountability for risk at every level
  • More efficient use of risk and compliance resources
  • Stronger governance and regulatory relationships

Best Practices

📋 Preparation

  • Assess current governance maturity before implementing
  • Get board-level sponsorship for the model

🚀 Execution

  • Start by clarifying first line ownership — this is usually the biggest gap
  • Ensure internal audit independence is protected structurally
  • Coordinate the three lines through regular joint planning

🔄 Follow-Up

  • Annually assess the effectiveness of each line
  • Update roles as the organization evolves
  • Report on governance effectiveness to the board

💎 Pro Tips

  • The model is scalable — small organizations may combine first and second line roles with appropriate safeguards
  • Use the model to explain governance to non-specialists: 'Who does it, who watches, who checks'
  • Security functions often straddle lines: the teams that build and operate controls (identity and access, vulnerability management, logging) are first line, while a security risk or GRC function that sets policy, monitors, and challenges is second line. Do not let the team that runs a control also be the only party that assesses it; if one team must do both, document the safeguards.

⚠️ The biggest failure is when the first line abdicates risk ownership to the second line. 'That's compliance's job' is a red flag — risk ownership must stay with the business.

📌 Commonwealth Bank of Australia's Governance Overhaul

After the Australian Prudential Regulation Authority's (APRA) 2018 prudential inquiry revealed severe governance failures, the Commonwealth Bank of Australia restructured its entire risk governance using the Three Lines Model. The bank invested $400M in strengthening first-line risk ownership (training 48,000 staff), rebuilding second-line risk and compliance functions with 1,000 new hires, and ensuring internal audit independence by having the Chief Audit Executive report directly to the board. The overhaul became a case study in how the Three Lines Model can rebuild institutional trust.

Limitations & Pitfalls

Can create bureaucratic overhead if over-engineered

Mitigation: Scale the model to organizational size; not every organization needs large second and third line functions

Risk of first line abdicating responsibility to second line

Mitigation: Continuously reinforce that the business owns its risks; the second line advises and monitors
