Imagine a city’s flood protection system. The first line of defence is the riverbank itself — the natural barrier that manages the water under normal conditions. The second line is the network of monitoring stations and engineering teams that watch the water levels, maintain the embankments, and coordinate responses when levels rise. The third line is the independent safety inspectorate that verifies the entire system is working as designed, identifies weaknesses before they become catastrophes, and reports directly to government authorities with findings that neither the riverbank managers nor the monitoring teams can suppress.
Each line has a distinct role. Each depends on the others. And a failure to understand which line is responsible for what — an inspector who starts managing embankments, a monitoring team that stops flagging risks because they are also responsible for fixing them — undermines the integrity of the entire system.
The Three Lines of Defence model in Governance, Risk Management, and Compliance (GRC) is built on exactly this logic. It is a framework for distributing GRC responsibilities across an organisation in a way that creates clarity of accountability, avoids dangerous conflicts of interest, and provides leadership and the board with the independent assurance they need to govern effectively. It is one of the most widely adopted governance frameworks in the world — embedded in regulatory guidance, audit standards, and corporate governance codes across virtually every major jurisdiction — and yet it is also one of the most frequently misunderstood and improperly implemented.
This article provides a comprehensive, precise, and practically grounded explanation of the Three Lines of Defence model — what each line means, what it does, where it sits in the organisation, and how the three lines work together to create a governance system that is both effective and trustworthy. It also explores the most common implementation failures, the updated guidance that has evolved the model in recent years, and how organisations can build the genuine capability each line requires.
The Origins and Purpose of the Model
The Three Lines of Defence concept has its roots in the financial services industry, where regulators recognised in the wake of major institutional failures that the traditional separation between business operations and risk oversight was inadequate for managing the increasingly complex risk environments of modern financial institutions. The model was formalised and popularised by the Institute of Internal Auditors (IIA), whose guidance papers on the Three Lines of Defence — and more recently the updated “Three Lines Model” published in 2020 — have become the definitive reference for the framework across industries worldwide.
The model’s fundamental purpose is to answer a governance question that is deceptively simple but practically complex: who in the organisation is responsible for managing risk and ensuring compliance, and how are these responsibilities distributed in a way that creates accountability without creating conflicts of interest?
The answer the model provides is a clear, three-level distribution of responsibility:
The first line is responsible for managing risk and compliance as an integral part of running the business. The second line is responsible for providing the oversight, frameworks, and expertise that help the first line manage its responsibilities effectively — and for providing independent assurance to leadership that the first line is doing so. The third line is responsible for providing independent assurance to the board and senior leadership that the entire GRC system — both first and second lines — is functioning as intended.
The logic of this distribution is important: the first line owns the risk and compliance responsibility because it is closest to the operations where risks arise and compliance is required. The second line provides oversight because it has the specialist expertise to identify the risks and compliance requirements that operational managers may not fully appreciate. And the third line provides independent assurance because neither the first line (which has an interest in appearing compliant) nor the second line (which is itself part of the management structure) can provide the objectivity that the board and senior leadership need to genuinely trust the governance information they receive.
The First Line: Operational Management
The first line of defence comprises all the operational and business functions of the organisation — the people and teams who are actually doing the work: delivering services, managing customer relationships, executing transactions, operating facilities, and running the processes through which the organisation pursues its objectives.
What the first line owns:
The first line is the primary owner of risk and compliance. It is responsible for identifying the risks inherent in its operations, managing those risks within the boundaries set by the organisation’s risk appetite, and ensuring that its activities comply with applicable laws, regulations, internal policies, and contractual obligations. This ownership is not delegated or outsourced to the second line — the second line supports and oversees the first line, but it does not replace the first line’s fundamental responsibility for its own risk management and compliance.
In a bank, the first line includes the retail banking branches, the corporate lending teams, the trading desks, and the operations functions. In a hospital, it includes the clinical departments, the pharmacy, the patient records function, and the facilities management team. In a manufacturing company, it includes the production lines, the supply chain function, the sales organisation, and the distribution network. In every case, the first line is the business — the part of the organisation that creates value, incurs risk, and has the primary obligation to manage both.
What effective first-line GRC looks like:
Effective first-line GRC is characterised by risk awareness that is embedded in operational decision-making — not as a separate activity managed by a dedicated risk function, but as a natural dimension of how operational managers think about their choices and their responsibilities. First-line managers who are effective risk owners know the risks in their area, maintain the controls that manage those risks, monitor those controls regularly, and escalate promptly when risks exceed tolerances or controls fail.
This means that risk management is built into day-to-day operational processes — the new product approval process includes a risk assessment, the supplier selection process includes a compliance check, the customer onboarding process includes a due diligence review. Compliance is not a separate track that runs alongside operational work; it is an integral dimension of how operational work is designed and executed.
The most common first-line failures:
The most consistent first-line failure is the belief that risk management and compliance are someone else’s responsibility — specifically, the second line’s. When first-line managers delegate their risk ownership to the risk function or their compliance ownership to the compliance team, the model breaks down: the people closest to the risks and compliance requirements are no longer actively managing them, and the second-line oversight function is being asked to perform a management role that it is not designed for and that creates a significant conflict of interest.
A subtler but equally damaging first-line failure is the performance-compliance trade-off — the implicit or explicit organisational message that meeting performance targets matters more than managing risk and maintaining compliance, which creates exactly the conditions in which risk accumulates unmanaged and compliance failures occur unaddressed until they become crises.
The Second Line: Risk and Compliance Oversight Functions
The second line of defence comprises the specialist functions — typically risk management, compliance, legal, and in some frameworks health and safety and quality assurance — that provide the expertise, frameworks, and oversight that the first line needs to manage its GRC responsibilities effectively, and that provide management and the executive with assurance that the first line is doing so.
What the second line owns:
The second line is responsible for developing and maintaining the GRC frameworks that the first line uses — the risk management methodology, the risk appetite framework, the policy architecture, the compliance monitoring programme. It provides the specialist expertise that first-line managers need to understand and manage their risk and compliance obligations — training the first line, advising on risk assessment approaches, interpreting regulatory requirements, and helping operational managers understand the implications of regulatory changes for their activities.
The second line is also responsible for independent oversight of the first line’s GRC performance — monitoring the risk register, reviewing control effectiveness, testing compliance with regulatory requirements, and reporting to leadership on the adequacy of first-line GRC performance. This monitoring and oversight role is the second line’s most important accountability — and the one that creates the most significant tension with the advisory role, because it requires the second line to exercise independent judgment about the adequacy of the first line’s performance while maintaining the collaborative relationship that effective advisory support requires.
The critical distinction: oversight versus management
The second line’s role is oversight and support — not management. This distinction is essential and frequently blurred in practice. When a risk function takes ownership of risk mitigation actions that should be owned by the business, or when a compliance team implements compliance controls rather than overseeing the business’s implementation of them, the second line has crossed from oversight into management — and in doing so, has removed the independence that makes second-line oversight meaningful.
A second line that manages controls cannot objectively assess whether those controls are adequate. A second line that owns compliance processes cannot objectively report on compliance performance. The independence of the second line’s oversight function — its ability to tell leadership honestly whether the first line is managing its GRC responsibilities effectively — depends on maintaining the distinction between oversight and management in practice, not just in principle.
The second line’s relationship with leadership:
The second line reports to senior management — typically the Chief Risk Officer, the Chief Compliance Officer, or equivalent GRC leadership roles — who in turn report to the Chief Executive and have escalation rights to the board. This reporting structure gives the second line the management access needed to ensure that its oversight findings are heard and acted upon at a sufficiently senior level, while maintaining the separation from the board that distinguishes the second line from the third.
The Third Line: Internal Audit
The third line of defence is internal audit — the independent assurance function that provides the board and senior leadership with objective assessment of the adequacy and effectiveness of the organisation’s entire GRC system, including both the first-line risk management and compliance activities and the second-line oversight functions.
What the third line owns:
The third line is responsible for providing independent, objective assurance that the organisation’s governance, risk management, and control processes are functioning as intended. It does this through a systematic programme of audit activities — reviewing business processes, testing controls, assessing risk management effectiveness, evaluating compliance programmes, and examining governance structures — and reporting its findings directly to the board or board audit committee.
The third line’s independence from management is its defining characteristic and its most important asset. Unlike the first and second lines, which are part of the management structure, internal audit reports to the board — not to the Chief Executive or the Chief Risk Officer. This reporting line gives the board the assurance it needs: that the audit findings it receives have not been filtered or shaped by the management functions whose performance they are assessing.
The scope of internal audit in the Three Lines model:
Internal audit’s scope in the Three Lines of Defence model encompasses all three lines — it audits not just the first-line business processes but also the second-line risk management and compliance functions. This is an important and sometimes overlooked aspect of the model: the second line’s oversight of the first line is itself subject to third-line oversight. The board should receive not just assurance that the business is managing its risks and compliance obligations effectively, but assurance that the risk management and compliance functions overseeing those activities are themselves operating with the expertise, independence, and rigour that their roles require.
The most common third-line failures:
The most significant failure of the third line is the loss of independence — which can occur in several ways. Independence is compromised when internal audit reports to management rather than to the board, when audit resources or scope are determined by management rather than the audit committee, when the Chief Audit Executive’s compensation is determined by the management functions whose performance they are auditing, or when internal audit is asked to perform management functions (implementing systems, managing remediation activities) that subsequently become the subject of audit review.
A subtler independence risk is the familiarity threat — the tendency of internal auditors who work closely with the same business areas over extended periods to develop relationships and perspectives that reduce their critical distance. Internal audit functions that do not actively manage this risk through rotation, fresh perspective, and a genuinely challenging audit culture find that their independence erodes gradually and invisibly.
How the Three Lines Work Together
The power of the Three Lines of Defence model lies not in the individual lines — each of which could exist independently — but in the system they create together. Understanding how the three lines interact, what each provides to the others, and how the overall system produces governance assurance that no single line could provide alone is essential for implementing the model effectively.
First line to second line: The first line provides the raw material of the second line’s oversight — the risk information, the compliance data, the control self-assessments, and the operational context that the second line needs to perform its oversight function. The quality of the second line’s work is directly dependent on the quality and honesty of the first line’s GRC practices. When first-line managers underreport risks, overstate control effectiveness, or manage compliance issues without escalating them, the second line’s oversight picture is distorted — and the assurance it provides to management is correspondingly unreliable.
Second line to first line: The second line provides the frameworks, expertise, and feedback that improve the first line’s GRC performance over time. The risk methodology that helps operational managers assess risks consistently, the training that builds first-line compliance capability, the regulatory interpretation that helps business managers understand their obligations — all of these are second-line contributions that make the first line more effective as a risk and compliance owner.
Third line to second line: The third line provides objective assessment of whether the second line’s frameworks and oversight are adequate and effective — an assurance that the second line cannot provide about itself. When internal audit concludes that the risk management framework is inadequate for the organisation’s risk profile, or that the compliance monitoring programme has significant coverage gaps, the board has information that neither the first nor the second line could reliably provide.
Third line to the board: The third line provides the independent assurance that the board needs to govern effectively. Without a well-functioning, genuinely independent third line, the board’s governance oversight depends entirely on information provided by the management structure — information that has an inherent interest in being presented favourably. The third line’s independence from management is what gives the board the confidence to trust the assurance it receives.
The Updated Three Lines Model (IIA 2020)
In 2020, the Institute of Internal Auditors published a significant update to its Three Lines of Defence guidance — renaming it the “Three Lines Model” and introducing several important conceptual developments that address limitations of the original framework.
The most significant conceptual change in the 2020 update is the explicit recognition that the board and governing body are not passive recipients of assurance but active participants in the governance system — with their own responsibilities for setting the tone from the top, defining the organisation’s risk appetite, and ensuring that the three lines are properly resourced and genuinely independent.
The update also places greater emphasis on the collaborative, dynamic nature of the relationships between the three lines — moving away from the potentially static “defence” framing toward a more integrated picture of how governance, risk management, and assurance functions should interact to support organisational objectives. This reflects a broader shift in GRC thinking toward the view that effective GRC is not primarily about defence — about preventing bad things from happening — but about enabling good things to happen with appropriate confidence and accountability.
The 2020 update also explicitly addresses the governance of the internal audit function itself — emphasising the board’s responsibility to ensure that internal audit has the independence, the resources, and the mandate to fulfil its third-line role effectively, and that its findings are acted upon rather than filed.
For GRC professionals working in governance, risk, compliance, or administrative functions, these updated frameworks are directly relevant — and developing deep, current knowledge of them is essential for practising at the leading edge of the field. The Governance and Compliance Training Courses at EuroMaTech provide a structured pathway to build this expertise. For professionals working in administrative and secretarial roles who support governance structures — including board secretaries and company secretaries whose work directly interfaces with the three lines — the Administration and Secretarial Training Courses develop the specific capabilities that effective governance support requires. And for senior leaders and strategists who want to understand how the Three Lines model connects to broader organisational strategy and planning, the Strategic Management and Planning Training Courses provide the strategic context within which effective GRC governance operates.
Common Implementation Failures and How to Avoid Them
The Three Lines of Defence model is one of the most commonly cited and least faithfully implemented governance frameworks in existence. Understanding the most frequent implementation failures is essential for building a model that works in practice rather than just on paper.
Failure 1: The Second Line Doing the First Line’s Job
When compliance teams implement compliance controls rather than overseeing their implementation, when risk functions own risk mitigation plans rather than monitoring the business’s ownership of them, the second line has crossed into the first line’s territory. The consequence is a first line that has no genuine ownership of its risk and compliance responsibilities, and a second line whose oversight is compromised by conflicts of interest.
Prevention: Establish clear, documented ownership of all risk and compliance responsibilities — specifying which activities are first-line (owned by the business) and which are second-line (oversight and support), and holding both lines accountable for staying within their defined roles.
Failure 2: Internal Audit Performing Management Functions
When internal audit is asked to implement remediation actions following an audit, to manage a GRC project, or to perform any activity that subsequently becomes the subject of audit review, its independence is compromised. This failure is particularly common when the organisation has a resource shortage and internal audit’s skills are deployed opportunistically rather than strategically.
Prevention: Maintain a strict policy that internal audit does not take on management responsibilities, regardless of resource pressure. If audit skills are needed in management roles, create a separate function for that purpose — not internal audit.
Failure 3: Weak Second-Line Independence
When the second-line functions report into the business functions they are supposed to oversee — when the risk function reports into the business unit it monitors, or the compliance function reports to a business leader who has a commercial interest in favourable compliance assessments — the second line’s independence is structurally compromised.
Prevention: Ensure that second-line functions report to the Chief Risk Officer, Chief Compliance Officer, or equivalent GRC leadership role — who in turn reports to the CEO with escalation rights to the board — rather than to the business functions whose GRC performance they are overseeing.
Failure 4: Treating the Three Lines as Separate Silos
In many organisations, the three lines operate in practice as three separate, poorly coordinated bureaucracies — each maintaining its own processes, its own risk information, and its own reporting cadence with minimal coordination. The result is duplication of effort, inconsistent information, and a board that receives three different pictures of the same risk and compliance reality.
Prevention: Build coordination mechanisms between the three lines — shared risk and control libraries, coordinated testing schedules, joint risk assessment processes, and integrated reporting that presents a coherent, consistent picture rather than three separate functional updates.
Failure 5: Insufficient Board Engagement
A Three Lines of Defence model without genuine board engagement in the third line is structurally incomplete. When the board rubber-stamps internal audit reports without substantive scrutiny, when the audit committee lacks sufficient expertise to assess the quality of internal audit’s work, or when management influences the internal audit agenda, the independence that makes the model work is hollowed out.
Prevention: Ensure that the board audit committee has sufficient GRC expertise to engage substantively with internal audit findings, that the Chief Audit Executive has direct and unrestricted access to the audit committee, and that the audit committee’s mandate explicitly includes oversight of the quality and independence of the internal audit function.
Applying the Three Lines Model in Different Organisational Contexts
The Three Lines of Defence framework is most familiar in financial services and heavily regulated industries, but its logic applies across organisational types and sectors. Understanding how the model adapts to different contexts is valuable for practitioners working outside the traditional GRC heartland of banking and insurance.
In government and public sector organisations, the three lines are typically mapped to: operational delivery units (first line), central governance, risk, and compliance functions (second line), and internal audit (third line) — with the National Audit Office or equivalent supreme audit institution sometimes serving a fourth-line function providing assurance to the legislature.
In healthcare, the first line comprises clinical departments and patient-facing services, the second line comprises clinical governance, risk management, and regulatory compliance functions, and the third line is internal audit. The complexity of clinical risk — where governance failures can directly harm patients — makes the integrity of the model particularly important in healthcare settings.
In technology companies, the framework is increasingly relevant as software-driven organisations face growing regulatory scrutiny and governance expectations. First-line ownership of security, data protection, and AI governance is a rapidly evolving frontier; the second line’s role in providing frameworks for technology risk management is expanding significantly; and internal audit’s capability to audit technology risks effectively is an increasingly critical third-line requirement.
In small organisations, the model requires proportionate adaptation — the full three-line structure of a large corporation is not appropriate for a fifty-person organisation. But the underlying logic still applies: the people who manage operational activities should own risk and compliance; someone independent of those activities should provide oversight; and the board should receive assurance that is not exclusively generated by the management functions it is overseeing.
The Three Lines Model and Culture
No governance model, however well-designed, can produce effective governance in the absence of the right culture. The Three Lines of Defence framework creates the structural conditions for effective governance — but it depends on a culture of genuine accountability, honest communication, and genuine commitment to the values the model is designed to support.
A first line that manages risk honestly, escalates concerns proactively, and maintains compliance genuinely rather than superficially is one that has internalised the responsibility the model assigns to it. A second line that challenges the first line’s risk assessments with genuine rigour, that escalates concerns to senior leadership when business pressure is pushing in the direction of non-compliance, and that maintains its independence under pressure is one that is living the oversight role the model requires. And a third line that reports its findings honestly to the board, that follows the evidence wherever it leads, and that maintains its independence even when findings are uncomfortable for management is one that is fulfilling the trust the board places in it.
Building this culture requires tone from the top — leadership that visibly and consistently models the values of accountability, transparency, and integrity that the Three Lines framework requires. It requires psychological safety — the organisational conditions in which people at every level feel genuinely safe to raise concerns, escalate issues, and report problems without fear of retribution. And it requires genuine follow-through — demonstrated, repeatedly, that the governance structures the model creates are used to make real decisions, take real action, and hold real people accountable for real outcomes.
Final Thoughts
The Three Lines of Defence model is not a compliance exercise. It is a governance philosophy — a principled approach to distributing the responsibilities of governance, risk management, and compliance in a way that creates genuine accountability, genuine oversight, and genuine independence at every level of the organisation.
When it is implemented well — with clear role boundaries, genuine independence at each line, genuine board engagement, and the cultural conditions that make honest governance possible — it produces something genuinely valuable: an organisation that knows its risks, manages them responsibly, maintains compliance genuinely, and can demonstrate all of these things to the stakeholders whose trust it depends on.
That is not a compliance achievement. It is a strategic one — the foundation of the organisational trustworthiness that sustains long-term success.
Frequently Asked Questions (FAQs)
1. Is the Three Lines of Defence model mandatory, or is it a best practice framework?
In most industries and jurisdictions, the Three Lines of Defence model is not legally mandated by name — it is a best practice framework that has been widely adopted and is referenced in regulatory guidance, governance codes, and audit standards across many sectors. However, in financial services — particularly in banking and insurance — many regulators explicitly reference or require elements of the model in their supervisory expectations. The UK Financial Conduct Authority and Prudential Regulation Authority, the European Banking Authority, and equivalent bodies in other major jurisdictions all expect supervised firms to have governance structures consistent with the Three Lines model. In other sectors, the model is not required by regulation but is increasingly expected by institutional investors, credit rating agencies, and governance rating bodies as a marker of governance maturity.
2. How does the Three Lines model apply when risk and compliance functions are combined into a single GRC function?
Combining risk management and compliance into a single GRC function is increasingly common and is entirely consistent with the Three Lines model — provided that the combined function maintains the second-line characteristics of specialised oversight, independence from the first line, and escalation rights to senior leadership. The model does not require separate risk management and compliance functions; it requires that the oversight and specialist functions that support the first line and report to management operate with the independence and rigour the second-line role requires. The governance requirement for the combined function is ensuring that its scope — covering both risk oversight and compliance monitoring — is adequately resourced and that the combination does not compromise either dimension’s independence.
3. Where does external audit fit in the Three Lines model?
External audit — the independent audit of financial statements by an external auditor — is sometimes described as a “fourth line” in extended versions of the model, though this framing is not universal. External audit provides assurance to shareholders and other external stakeholders on the accuracy and reliability of financial reporting — a function that is distinct from the internal governance assurance provided by the three lines. In the IIA’s 2020 Three Lines Model, external audit is recognised as a separate assurance provider whose work complements and overlaps with internal audit, and the model encourages coordination between internal and external audit to avoid duplication and leverage each party’s comparative advantages. External audit is not, however, a substitute for internal audit — the two provide different types of assurance to different audiences, and both are necessary in a well-governed organisation.
4. How should the second line respond when the first line pushes back on risk and compliance assessments?
Constructive tension between the first and second lines is a feature of the model, not a bug. The second line exists precisely to provide oversight that the first line might not welcome when it creates constraints on operational freedom or commercial flexibility. When the first line pushes back on second-line assessments, the second line’s response should be substantive engagement with the specific concern — examining whether the challenge reflects information or perspective that should change the assessment, or whether it reflects the first line’s preference for a more favourable assessment rather than a genuine substantive disagreement. Where the disagreement cannot be resolved, the second line’s obligation is to escalate to senior leadership — maintaining its oversight findings rather than accommodating first-line pressure to soften them.
5. Can one person perform both second-line and third-line functions in a small organisation?
No — the independence of the third line from the management structure, including the second line, is a non-negotiable feature of the model. A person who performs second-line oversight functions cannot provide objective independent assurance on the adequacy of those same functions. In small organisations where full three-line staffing is not practical, the most common solution is to source third-line internal audit externally — through a co-sourced or outsourced arrangement with an external audit firm or specialist internal audit provider — while maintaining the management-level GRC oversight in a combined first/second-line model. This preserves the independence of the third line while acknowledging the resource constraints of smaller organisations.
6. How does the Three Lines model address emerging risks such as AI, cyber, and climate?
The Three Lines model is a structural framework that applies to all categories of risk, including emerging ones. For AI risk, cyber risk, and climate risk — all of which are characterised by rapid evolution, cross-functional complexity, and the need for specialist expertise — the model’s logic applies directly: first-line business functions must own these risks as they arise from their operations, second-line functions must develop the specialist frameworks and oversight capability to support and monitor first-line management of these risks, and internal audit must develop the technical capability to provide meaningful third-line assurance on how these emerging risks are being managed across all lines. The practical challenge for most organisations is that the specialist expertise required to implement the model effectively for these emerging risk categories is still developing — both in the organisations themselves and in the external talent market.
