
The first line of defense and why operational risk ownership fails in practice


Risk Companion

May 28, 2026
8 min read

Key Takeaways

  • The three lines model assigns risk ownership to the first line, but in most organisations the risk manager ends up carrying the programme alone because operational teams treat risk tasks as administrative interruptions rather than part of their actual work.
  • Passive first-line ownership follows a recognisable pattern: records updated once a quarter, measures listed in the register but not happening in practice, and registers rebuilt before every audit rather than maintained continuously.
  • The failure is structural rather than personal. When risk management is designed as a separate reporting obligation rather than embedded in how teams operate day-to-day, even motivated operational managers will deprioritise it under normal workload pressure.
  • Three conditions make first-line accountability real: every risk has a named individual owner, every measure has a due date that creates a visible commitment, and the register is useful enough that the first line opens it by choice rather than obligation.
  • The second line cannot compensate for a passive first line. Oversight only works when there is genuine operational activity to oversee. If the first line is not managing risks, the second line is monitoring an empty register rather than providing meaningful challenge.

What first line of defense risk management actually looks like in most organisations

The model is clear enough. The first line owns and manages risk day-to-day, the second line provides oversight, frameworks, and challenge, and the third line gives independent assurance to the board, with defined roles, clean separation, and accountability at every level.

The reality in most organisations looks quite different.

In most organisations we speak to, first line of defense risk management operates like this: the operations manager receives a request from the risk manager to review their risks. They open the register, confirm that nothing has changed (or update a few fields quickly to indicate progress), and then return to the work that was already waiting for them before the risk task arrived. The register reflects the conversation that happened, not the reality on the ground. The measures are listed, but whether anyone is actually doing them is a different question entirely.

This is not a description of a failed organisation but rather the default state of most risk programmes. And it is the single most damaging failure mode in the three lines model. The risk manager ends up running the whole programme alone, chasing owners, updating records on behalf of teams, preparing the board reports, and carrying the knowledge of what the risks actually are. The people closest to the operational risks, the ones who see them daily, remain passive.

If that describes your situation, the problem is not the people in the first line but how risk management has been structured around them.

What passive first-line ownership looks like in practice

There are a few specific patterns that signal the first line is nominal rather than real.

The quarterly update is the most common. The risk register gets reviewed four times a year, loosely aligned with reporting cycles. In between those reviews, the register sits untouched. Measures that were listed as "in progress" in March are still listed as "in progress" in June, because nobody has looked. The register captures a point-in-time snapshot and then goes stale.

The audit-season register is a more extreme version. Take a logistics company with around 200 staff across three operational sites. In this scenario, the risk register gets effectively rebuilt every time an external audit is approaching. The risk manager spends two or three weeks before each audit gathering inputs from operational leads, populating records, and updating statuses, while the register sits untouched in between. The first line is not managing risks so much as cooperating with a documentation exercise.

Then there is the measure that exists on paper but not in practice. An operational team lists "weekly safety briefings" as a measure against a workplace incident risk. The measure is marked "completed." Nobody checks whether the briefings actually happen. When an incident eventually occurs, the investigation finds that the briefings stopped eight months ago. The register and the reality on the ground told completely different stories.

None of these situations arises because people are careless. They arise because risk management has been designed as a separate obligation: ask already-busy operational managers to maintain a parallel administrative system alongside their real work, and under normal workload pressure that system will always be the thing that gets deprioritised.

Why the second line cannot fix a passive first line

A lot of organisations respond to this problem by adding more second-line activity, more frequent check-ins, more challenge questions, more reporting requirements, and more structure pushed down from the oversight function. This approach does not solve the underlying problem.

The second line can provide frameworks, guidance, challenge, and good questions. What it cannot do is generate genuine first-line engagement from the outside. If the operations manager is completing risk fields because they have to, not because they find it useful, no amount of second-line pressure will change that behaviour. More second-line pressure on a disengaged first line produces compliance at best and resentment at worst.

The IIA's updated Three Lines Model (2020) makes this explicit. It reframes the governance structure around value creation rather than control, and it places clear responsibility for risk ownership with the first line as an active function, not a passive one. The oversight role of the second line is only meaningful when there is genuine activity to oversee. Oversight of a register that nobody is maintaining is just observation of a problem.

If your first line is passive, your second line is not providing oversight at all. It is doing risk administration on behalf of people who should be doing it themselves.

What genuine first-line risk ownership looks like

The organisations where accountability under the three lines model works well share a few characteristics that have nothing to do with how sophisticated their risk frameworks are.

Risk is discussed in the regular rhythm of the team. This happens in the regular team meeting, not in a separate risk session or only when the risk manager requests an update. The operations manager brings a risk update to the weekly team meeting the same way they bring a budget update or a project status. It takes five minutes and requires nothing out of the ordinary. But it means the risk conversation happens 50 times a year instead of four.

Every risk has a named owner, not the team, not the department, not a vague reference to management. A specific person who is accountable for the measures attached to that risk and for updating the status when something changes. When a risk has a named owner, it is easier to have a direct conversation about it. When the owner is diffuse, the responsibility disappears.

Overdue measures are visible without anyone having to look for them. The moment a measure passes its due date, it becomes visible to both the owner and the risk manager. The system surfaces the gap automatically without anyone needing to send a chase email. The owner knows they are overdue before they are asked.

And measures are things people are actually doing, not things they agreed to do once and then forgot. The measure description in the register matches what is happening in the workplace. When that is true, a risk conversation is a genuinely useful conversation about the real state of the operation. When it is not, the conversation is theater.

We think the reason most organisations never reach this point is that they rely entirely on process and culture to carry the weight. Process and culture are necessary conditions, but they are not sufficient on their own. Without the infrastructure to make ownership visible and accountability automatic, even the best process degrades under workload pressure.

How to make first-line risk accountability structural

If you want the first line to genuinely own its risks, three things need to be true.

First, every risk needs a named owner at the individual level. This means a specific individual, not a role, a team, or a department. Risk Companion's risk register makes this straightforward by assigning ownership at the individual level, so the accountability question is answered by the structure rather than left to cultural expectation.

Second, measures need due dates that actually drive behaviour. An open measure with no due date is little more than a suggestion, while a measure with a specific date creates a real commitment. And when that date passes without the measure being completed, it becomes visible. In Risk Companion, overdue measures surface on the dashboard automatically, so the risk manager does not spend their week sending chase emails. They spend it having conversations about the things that are actually stuck.

Third, the register needs to be something the first line finds useful for their own purposes, not just for reporting to the second line. The moment an operations manager opens the register because they want to understand their risk exposure, rather than because they have been asked to update it, the culture shifts. A register that is clunky, unclear, or obviously designed for auditors will never become something the first line opens by choice.

The health checks in Risk Companion flag incomplete records, missing owners, and overdue measures before an audit requires it. For a risk manager trying to move from passive first-line cooperation to genuine first-line engagement, this kind of automated visibility is the difference between managing the programme and chasing it.
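As an added illustration of the three conditions above and the health checks just described, here is a small register lint. It is example code written for this article, not Risk Companion's product code or its data model. It assumes a constructed, minimal register shape (one dict per risk with its measures nested inside), a directory of named individuals so that a team or role name can be told apart from a person, and a fixed as-of date so the result is reproducible. It returns findings for owners that are blank or are a team rather than a person, measures with no due date, open measures past their due date, measures with missing fields, and risks with no measures, then groups the findings by owner so each person sees their own gaps without a chase email. The register rows, the people directory and the as-of date are all constructed sample data.

```python
"""Risk-register health check: named owners, due dates, overdue visibility.

Added example for this article, not Risk Companion's code. The register
shape, the people directory and the sample rows below are constructed.
"""
from datetime import date

# Constructed directory of named individuals. Anything not listed here
# (a role, a team, "management") does not count as an individual owner.
PEOPLE = {"a.nguyen", "p.okafor", "m.silva"}

# Constructed sample register with deliberate problems in it.
REGISTER = [
    {"id": "R-01", "title": "Forklift collision in yard", "owner": "a.nguyen",
     "measures": [
         {"id": "M-01a", "desc": "Weekly safety briefing", "status": "completed",
          "due": "2026-03-06", "owner": "a.nguyen"},
         {"id": "M-01b", "desc": "Repaint pedestrian walkways", "status": "in progress",
          "due": "2026-04-30", "owner": "a.nguyen"},
     ]},
    {"id": "R-02", "title": "Cold-chain failure, site 2", "owner": "Operations team",
     "measures": [
         {"id": "M-02a", "desc": "Install temperature alarms", "status": "in progress",
          "due": None, "owner": "p.okafor"},
         {"id": "M-02b", "desc": "", "status": "completed",
          "due": "2026-02-01", "owner": "p.okafor"},
     ]},
    {"id": "R-03", "title": "Driver fatigue", "owner": "", "measures": []},
]

AS_OF = date(2026, 5, 28)  # fixed date so the check is reproducible
CLOSED_STATUSES = {"completed", "closed"}
REQUIRED_MEASURE_FIELDS = ("id", "desc", "status")


def _finding(record, owner, code, detail, **extra):
    return {"record": record, "owner": owner, "code": code, "detail": detail, **extra}


def _owner_finding(record, owner, people):
    """Flag an owner that is blank, or that is a team/role rather than a person."""
    if not owner:
        return _finding(record, owner, "missing_owner", "no owner recorded")
    if owner not in people:
        return _finding(record, owner, "owner_not_individual",
                        f"'{owner}' is a role or team, not a named person")
    return None


def check_register(register, people, as_of):
    """Return a list of findings; an empty list means all three conditions hold."""
    findings = []
    for risk in register:
        risk_owner = (risk.get("owner") or "").strip()
        f = _owner_finding(risk["id"], risk_owner, people)
        if f:
            findings.append(f)
        measures = risk.get("measures") or []
        if not measures:
            findings.append(_finding(risk["id"], risk_owner, "no_measures",
                                     "risk has no measures attached"))
        for m in measures:
            # A measure inherits the risk owner when it has none of its own.
            owner = (m.get("owner") or risk_owner).strip()
            f = _owner_finding(m.get("id", "?"), owner, people)
            if f:
                findings.append(f)
            missing = [k for k in REQUIRED_MEASURE_FIELDS if not m.get(k)]
            if missing:
                findings.append(_finding(m.get("id", "?"), owner, "incomplete_record",
                                         f"empty fields: {', '.join(missing)}"))
            if (m.get("status") or "").lower() in CLOSED_STATUSES:
                continue  # closed measures are not subject to due-date checks
            if not m.get("due"):
                findings.append(_finding(m["id"], owner, "no_due_date",
                                         "open measure has no due date"))
                continue
            overdue_days = (as_of - date.fromisoformat(m["due"])).days
            if overdue_days > 0:
                findings.append(_finding(m["id"], owner, "overdue",
                                         f"{overdue_days} days past due",
                                         days=overdue_days))
    return findings


def by_owner(findings):
    """Group findings per owner: what each person sees on their own dashboard."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["owner"], []).append(f"{f['record']}:{f['code']}")
    return {owner: sorted(items) for owner, items in grouped.items()}


FINDINGS = check_register(REGISTER, PEOPLE, AS_OF)

if __name__ == "__main__":
    for owner, items in sorted(by_owner(FINDINGS).items()):
        print(owner or "(no owner)", "->", ", ".join(items))
```

The as-of date is a parameter rather than `date.today()` so the same register export gives the same answer whether the check runs in a scheduled job, a pre-audit review, or a test. In practice the by-owner groups are what you would route to each owner; the risk manager only needs the list of findings that have stayed open across runs.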

None of this solves the cultural problem overnight. An operational team that has spent three years treating risk management as a compliance exercise will not change in a quarter. Structural change has to come first, because you cannot build a genuine first-line risk culture on a system that makes accountability invisible.

What the risk manager's role actually is in a working three lines model

When the first line is genuinely active, the risk manager's job changes. The work shifts away from doing the risk management toward enabling others to do it. You spend less time populating records and chasing updates, and more time asking useful questions and presenting a picture that already exists.

That is a better use of a risk manager's time and a more accurate picture of what the three lines model was designed to produce.

The organisations that get this right run no elaborate frameworks and no complex governance committees, just operational teams that discuss risks weekly, measures with named owners and due dates, and a risk manager who acts as a consultant to the first line rather than a substitute for it.

If your risk register would be empty without the risk manager's personal effort to fill it, that is not a register the first line owns but one the risk manager maintains on their behalf, and treating that as an acceptable default is exactly where most organisations quietly go wrong.

Risk Companion offers a 14-day free trial with full access to every feature, including the AI assistant, Monte Carlo simulation, and bow-tie diagrams. No feature limits and no credit card required to start. Start your trial now.

Ready to improve your risk management?

See how Risk Companion can help you implement these best practices with powerful, easy-to-use tools. Sign up and we'll prepare a demo project tailored to your company.


Frequently Asked Questions

What is the first line of defense in the three lines model?

The first line of defense is operational management: the teams and individuals who own and manage risk in their day-to-day work. In the three lines model, the first line is responsible for identifying risks, implementing measures, and keeping the risk exposures in their area under continuous review. This is distinct from the second line (risk and compliance oversight) and the third line (internal audit).