Key Takeaways
- First-line risk ownership is nominal when operational teams treat risk management as an administrative task imposed by the second line rather than part of how they run their function.
- The IIA's 2020 rebrand from 'three lines of defense' to 'Three Lines Model' was deliberate: risk governance should create value, not just guard against threats. Organisations that still think in defensive terms tend to design adversarial second-line functions.
- Internal audit effectiveness is better measured by remediation rates than by findings volume: the right question is not what audit found, but what management did about it.
- The most dangerous governance gaps live at the boundaries between lines, where each function assumes the others are covering a given risk area and nobody is.
- A shared risk register with live ownership and status across all three lines removes the most common excuse for inaction: that nobody knew.
The three lines of defense: the model everyone knows but few organisations apply well
The three lines of defense is one of the most widely cited frameworks in risk management. Ask any risk professional and they can describe it in thirty seconds. Ask them whether their organisation has implemented it well, and the conversation gets noticeably quieter.
That gap between knowing the model and applying it is where most risk governance problems live. This article diagnoses what goes wrong at each line, explains why the Institute of Internal Auditors (IIA) updated the model in 2020, and offers a practical view of what good actually looks like in a mid-sized organisation.
What the model says (and what it actually means)
The three lines of defense model divides risk governance into three distinct functions.
The first line is operational management. These are the people who own and manage risk as part of their day-to-day work. A warehouse manager ensuring safe loading procedures. A software team following change management controls. A sales director approving contracts within delegated limits. The first line does the work and, in doing so, either creates or manages risk.
The second line provides oversight and challenge. This typically includes risk management functions, compliance teams, and health and safety functions. Their job is to set the framework, monitor whether the first line is managing risks effectively, and escalate where it is not.
The third line is internal audit. It provides independent assurance to the board and senior leadership that the first and second lines are functioning as intended. Internal audit does not manage risk. It checks whether risk is being managed.
The logic is clean. The execution, almost universally, is not.
Why the IIA updated the model in 2020 (and why that matters)
In July 2020, the IIA published an update to the framework, renaming it the "Three Lines Model." The reasoning behind the change reveals something important about how most organisations have been getting governance wrong.
The original framing positioned risk as something to be defended against, a series of barriers between the organisation and bad outcomes. The updated model reframes risk governance around the creation of value, not just the prevention of loss. In practice, that means the governing body and senior management are now explicitly included as participants in the framework, not just recipients of assurance reports — a meaningful shift that the original model largely glossed over.
Why does the framing change matter in practice? Because organisations that still think in terms of "defense" tend to design the second and third lines as gatekeepers. That produces adversarial relationships, defensive reporting, and a culture where risk management is something done to the first line rather than with it.
First line failure: owning the label, not the risk
Here is the most common failure mode at the first line. An operational team has risks assigned to them in a register somewhere. They know the risks exist. They even know they are listed as the owner. But in practice, they treat risk management as an administrative task that sits with the risk or compliance function. They fill in the fields when asked and return to their actual job.
This is not laziness. It is a structural problem.
When the first line sees risk management as something imposed on them by the second line, ownership becomes nominal. The risk register gets updated during audit season and ignored the rest of the year. Measures exist on paper but are not embedded in how work actually gets done. And when something goes wrong, everyone is surprised, despite the fact that the risk was logged and the measure was listed as "in place."
Consider a logistics company where the operations manager dutifully logs "supplier failure" as a medium-risk item every quarter. The measure listed is "approved supplier list." What the register does not capture is that the approved supplier list has not been reviewed in 18 months and three of the approved suppliers have since changed ownership. The measure exists on paper. The risk is not managed.
Real first-line ownership means the people doing the work understand what they are managing, why it matters, and what they are actually doing about it. Not just that their name appears in a column.
The fix is not more training. It is making risk management part of how work is reviewed and reported, not a separate administrative process. When operational team leads discuss risks as part of their regular reporting cycle, with named measures and visible due dates, ownership becomes real.
Second line failure: the risk police problem
The second line has an image problem. In many organisations, the risk or compliance function is experienced by operational teams as an inspectorate: an internal regulator that turns up, finds problems, and writes reports. The relationship is adversarial.
This happens when the second line spends most of its time checking whether measures exist rather than helping the first line make better risk decisions. There is a difference between auditing a measure and helping a team understand whether that measure is fit for purpose. The second line's real job is the latter.
The risk function in a healthcare organisation we heard about had developed 47-page risk policies, a 12-step risk assessment process, and a quarterly reporting template that took operational managers four hours to complete. Unsurprisingly, those managers avoided engaging with the risk function wherever possible. The second line had built a compliance machine that served its own reporting needs and created no value for the people managing actual risks.
The second line adds value when it brings expertise to the first line: helping teams identify risks they have not considered, and stress-testing assumptions in risk assessments. It should also be providing data about what is going wrong elsewhere in the organisation or the industry. That is a fundamentally different posture than checking boxes.
A question worth asking: when was the last time someone in your first line said "we brought in the risk team because they helped us think through something difficult"? If the honest answer is never, the second line has a positioning problem.
Third line failure: findings without consequences
Internal audit produces findings. Those findings go into reports. Those reports go to the audit committee. And then, in a remarkable number of organisations, not very much happens.
The third line's independence is its defining characteristic and its structural weakness. Because internal audit does not own the risks or the remediation measures, it cannot compel the first line to act. It can report. It can escalate. It can flag that a finding from 18 months ago is still open. But if the board and executive team do not treat unactioned findings as a governance failure, internal audit becomes an expensive production of documents that nobody prioritises.
The counterintuitive insight here is that a high volume of audit findings is not necessarily a sign that the third line is doing good work. It may be a sign that findings are being raised, filed, and forgotten. A better measure of third-line effectiveness is the remediation rate: what percentage of agreed measures are actually implemented on time?
Boards that only review the findings list at each audit committee meeting are looking at the wrong metric. The question is not "what did audit find?" It is "what did management do about the last thing audit found?"
Where the lines blur: the ownership vacuum
The most dangerous territory in three-lines governance is the space between the lines. When a risk does not clearly belong to one function, it tends to belong to none of them.
Cybersecurity is the classic example. The first line (IT operations) manages the technical measures. The second line (risk or compliance) maintains the risk register entry and monitors policy compliance. The third line (internal audit) assesses whether the framework is operating effectively. In a well-functioning organisation, these roles complement each other. In practice, each function assumes one of the others is covering a given area, and nobody actually is.
The same dynamic plays out in financial services with conduct risk, in healthcare with infection control, and in construction with subcontractor safety. The risk sits at the boundary between functions, and boundaries are where things fall through.
The answer is not to add more lines or create more oversight functions. It is to make the boundaries explicit. Which risks require coordination between lines? Who has the final accountability? Who escalates if the coordination is not working? These are questions that governance frameworks rarely answer at a granular level.
For a practical look at how to distinguish real accountability from the appearance of it, our article on risk administration versus risk management covers this in detail.
What good actually looks like
A well-functioning three lines model has a few characteristics that are easy to state and harder to achieve.
The first line manages risks as part of normal operational rhythm. Risk reviews happen alongside performance reviews. Every significant risk has a named owner who understands what they are accountable for and what their current measures are. When new risks emerge, they are captured immediately rather than waiting for the next quarterly cycle.
The second line is consulted rather than avoided. Operational teams bring risks to the risk function because doing so makes their jobs easier, not because they are required to. The risk function has credibility because it brings insight, not just oversight.
The third line has teeth, not because internal audit has enforcement power, but because the board takes remediation seriously. Audit findings are tracked visibly at executive level. Overdue measures are escalated. The CEO is accountable for the remediation rate, not just for receiving the report.
And across all three lines, there is a shared view of the risk landscape. Not three separate registers, three separate reporting templates, and three separate conversations with the board. A single source of truth that each function can see and contribute to from their own perspective.
Visibility is the infrastructure of good governance
The three lines model fails most often not because organisations misunderstand the theory but because they lack the infrastructure to make it work. Accountability requires visibility. If the first line cannot see which risks are overdue for review, they cannot act. If the second line is working from a spreadsheet that the first line stopped updating, their oversight is based on fiction. If the third line is relying on samples and interviews rather than live data, their assurance is necessarily backward-looking.
Risk Companion's risk register gives every risk an owner, a score, and a next measure to act on. The dashboard shows overdue items across all risks in real time. The second line can see where the first line has risks with no active measures or no named owner. That visibility does not replace good governance, but it removes the excuse that nobody knew.
For teams that want to go further, Risk Companion's risk visualizations give the second line a clear picture of where risks cluster by probability and impact, making it easier to challenge first-line assessments rather than relying on static reports that are out of date the moment they are produced.
When three lines governance has a shared operational layer (one register that all three functions can see, with live ownership and status), the model stops being an org chart exercise and starts doing what it was designed to do.
The model is not the problem
It is easy to criticise the three lines model. The lines blur. Ownership is contested. The framework can become bureaucratic. The 2020 update acknowledged these tensions without fully resolving them.
But the model is not the problem. The problem is treating governance as a structural exercise rather than a behavioural one. You can draw the three lines on an org chart, assign functions to each, and produce a governance framework document that satisfies an external auditor. None of that means risk is actually being managed.
The organisations that make the three lines model work are the ones where it reflects how decisions are actually made, not just how they are supposed to be made. That requires clarity about who owns what, tools that make ownership visible, and leadership that treats unactioned risks as something that matters beyond audit season.
That is a harder problem than the model suggests. But it is the right problem to solve.
For a deeper look at how risk management thinking has evolved, our article on the risk management cycle covers why a linear approach to risk governance misses how risk actually behaves in practice.