How to Use the Three Lines of Defence Model for Risk Management

In difficult economic times and where there is geopolitical uncertainty, companies need to ensure they have sufficient risk management processes in place. Furthermore, these must be driven by a cohesive approach throughout the organisation so that all stakeholders understand their obligations and take ownership of their element of the strategy.  

Unfortunately, this is not always the case. PwC found that only 31% of risk executives were involved in defining their companies’ operational resilience strategy. With 65% of global CFOs stating that their organisations are increasing their spend on risk management, it is essential that businesses use this budget as efficiently as possible, engaging all stakeholders to create a unified risk management framework that successfully identifies, assesses and mitigates risks.   

One of the best-known risk strategies is the three lines of defence model (3LOD). This article explores how it works to assign responsibilities to a variety of parties, who work together to apply it to the organisation’s operational workflows.  

Key takeaways 

• Companies need a unified, organisation-wide risk framework to use resources effectively and this is usually the three lines of defence model. 
• First line takes risk ownership and operates controls, second line oversees and challenges and third line provides independent assurance. Clear role definition prevents gaps and duplication. 
• Work collaboratively to align actions and avoid duplicated efforts as well as to instill accountability across the lines of defence. 
• Train the first line on practical risk identification and control skills, equip the second line with data and authority to monitor and preserve the third line’s independence and access. 
• Start with a gap analysis, create a strong risk culture and ensure you implement ongoing testing in order to meet your company’s risk needs.  

The three lines of defence model explained 

The Institute of Internal Auditors (IIA) formally adopted the three lines of defence model in 2013, updating it in the 2020s to become known as the three lines model. The three lines involve:  

• First line: Operational management 

• Second line: Risk management and compliance 

• Third line: Auditing. 

This is how each of the tiers operates within the three lines of defence structure:  

How to apply the three lines of defence model  

1. Define roles clearly 

All parties involved in your risk management process have their own responsibilities, but it is essential that they carry them out correctly to create a robust strategy. This means that they must understand their roles implicitly.  

• First line owns and runs the risk controls in accordance with the policies that second line generates.  
• Second line oversees the implementation of its policies, guides first line towards appropriate controls that meet the company’s risk appetite and challenges first line to ensure the controls are sufficient for their purpose.  
• Third line offers independent assurance that the other two lines are working effectively to protect the company from risks. 

With everyone assigned a particular role, you should also be clear about reporting lines and expectations to ensure everyone understands what is expected of them and what dictates success for your risk management structure.  

2. Integrate into governance 

The three lines model should inform all levels of management and decision-making within your organisation. This means that it must exist as a template for all risk management activities and for reporting protocols, too. Set a schedule for reporting to ensure you work from real-time data when making decisions. This could look like this: 

• Monthly management information (MI) data from first line 
• Quarterly compliance reporting to the risk committee 
• Annual risk-based internal audit plan to the audit committee 

 Senior management must not only play their part but be seen to publicly endorse the three lines of defence process. This will give it credibility and provide a cohesive approach to a successful implementation of the model.  

3. Establish accountability 

Each element of the three lines model needs to understand for what it is accountable. At a very basic level, this includes:  

• First line: Operating within the company’s risk appetite, implementing risk and compliance controls effectively and implementing risk-based decision-making into daily duties. 
• Second line: Accountable for the adequacy and effectiveness of the risk management frameworks and policies. 
• Third line: Providing independent and unbiased assurance to the board and the company’s other stakeholders on the overall effectiveness of the company’s corporate governance and risk management. 

In terms of practical methods for holding the various stakeholders to account, here are some suggestions:  

• First line: Designate specific individuals to own the different controls, focusing them on that particular area of their work and providing a single point of contact for issues. Have them complete a Risk and Control Self-Assessment (RCSA) to improve visibility and alert stakeholders to deficiencies in their processes.   
• Second line: Develop a board-approved risk and compliance framework with an annual monitoring plan, reporting to the risk committee on its adequacy and effectiveness 
• Third line: The audit committee should develop and approve a risk-based plan with strict independence safeguards and deadlines for follow-up with actions, holding the internal audit function to the necessary standard. 

4. Promote collaboration 

The idea of the three lines model is that the various requirements are spread across the organisation, but it is also important that all parties work together to create a cohesive approach to risk management.  

All three lines must communicate and share their findings, theories and issues. This means you will need a shared workspace where you can publish: 

• Key risk indicators (KRI) and the status of each with regards to your company 
• A risk heat map to show which risks are most pressing and potentially most damaging 
• A responsibility assignment matrix (RACI) for each key risk and control, describing who owns them and what their deliverables are 
• Status of current risk mitigation strategies, who owns them and what actions are in place to mitigate them 
• Historical incident information, including details of how they were resolved and any learnings taken from them.

Put in place regular governance forums involving members of each line to discuss risks and controls and where second line can provide a challenge to first line’s operations. Providing comprehensive updates and setting clear boundaries for work helps to give context to the company’s risks management efforts and avoids duplication of processes.  

5. Strengthen capabilities 

Evaluate the performance of each line and look to strengthen their capabilities to improve your risk mitigation. For example:  

• For first line, provide managers with structured, role-based training on the essential elements of risk management, including how to identify them and use KRIs to design sufficient controls. Help them learn how to evidence their efforts and escalate incidents when required.  
• For second line, provide access to real-time data and monitoring information so they can gain accurate and timely oversight over first line. 
• For third line, ensure that your auditor has unrestricted access to people and data, including the board and audit committee, so that they can provide a full and comprehensive overview of the state of risk management inside the organisation. Ensure its independence by keeping the function separate from daily operations. 

Best practices for implementation 

Conduct a gap analysis of how you identify, assess and mitigate risks currently before you adopt the three lines model. This will inform your risk assessments and help steer you towards the key risks for your organisation. It will provide a practical basis for understanding what your priorities should be and how you will roll out the model in a practical manner.  

Training and awareness for all three lines ensures everybody knows their jobs and what is expected of them. First line runs the controls, second line oversees them and challenges them, while third line is responsible for assurance. Provide regular short refresher training to convey this message clearly throughout your organisation. 

Build a strong risk culture, making sure that leaders set the tone from the top. The message should be that an ethical and compliant approach embedded into the organisation will provide greater long-term value than mere short-term wins. Recognise positive behaviour and encourage good risk behaviour to become everyday practice.  

Ensure continuous monitoring and improvement in areas such as incident occurrence, action completion and control testing. Review these at regular intervals to spot trends and resolve issues before they lead to negative outcomes for the organisation.  

FAQ 

1. Is the model mandatory for all organisations? 

No, the three lines model not legally mandated in most jurisdictions, but it’s widely regarded as best practice and often expected by regulators, auditors and boards (especially in the financial services sector).  

2. What governance challenges arise when organisations operate across multiple jurisdictions with differing regulations? 

Divergent laws, definitions, reporting timelines and data-privacy rules create fragmentation and overlap, requiring a global baseline of policies with local additions and coordinated change management. 

3. How can leadership foster a culture that ensures collaboration and avoids duplication across the three lines? 

Set explicit roles and accountabilities for the three lines model, such as a RACI, use a real-time assurance map, align planning cycles and metrics and run regular cross-line forums supported by transparent collaboration.  

References and further reading

• Regulatory compliance across jurisdictions 

• How to develop a strong compliance strategy 

• How to choose compliance tools 

• Important compliance KPIs 

• How to manage compliance documents