Ask a roomful of managers who is responsible for managing risk and you will get one of two answers, both wrong: "the risk team" or "everyone." The three-lines-of-defence model exists to give a better answer: a clear map of who owns risk, who oversees it, and who independently checks that the first two are telling the truth. Used well, it stops risk from being either someone else's problem or no one's. Used badly, it does the opposite.
The quick version
- First line: the people who own and run the business own the risk that comes with it. They create it, so they manage it.
- Second line: the risk and compliance functions that set the rules, advise, and monitor, but do not run the operation themselves.
- Third line: internal audit, independent of both and reporting to the board, checking that the first two actually work.
- The board (the governing body) sits above all three and sets the risk appetite; external auditors and regulators sit outside the firm entirely.
- The model's great failure mode is diffused accountability: three "lines" can become three reasons for each line to assume someone else has it covered.
The idea in depth
The model went mainstream after the 2007–08 financial crisis, when regulators looking at the wreckage concluded that risk had been everywhere and owned by no one. The Basel Committee on Banking Supervision built the three-lines idea into its 2011 Principles for the Sound Management of Operational Risk, and the model was codified for the wider world by the Institute of Internal Auditors in its 2013 position paper, "The Three Lines of Defense in Effective Risk Management and Control." Its central claim is plain: all three lines should exist in some form in every organisation, and risk management is strongest when the lines are separate and clearly identified.
Read each line by what it can and cannot do. The first line is the business: the sales team, the engineers, the operations staff who take on risk as a by-product of doing their job. They own it because they create it; nobody understands a risk better than the person whose decision produced it. The second line (risk, compliance, legal, safety) sets the framework, gives expert advice, and watches the first line, but does not make the operational decisions. The third line is internal audit, deliberately walled off from the other two and reporting to the board's audit committee rather than to management, so it can say the uncomfortable thing without fear of the person it reports to.
The useful shift is to stop asking "does someone cover this risk?" and start asking "which specific line owns it, who oversees it, and who would independently catch it if both failed?" Write that answer down for your top handful of risks. The value of the model is less the diagram than the conversation it forces: the moment you try to name a single owner for a real risk, you find the gaps.
```mermaid
flowchart TD
    Board(["Governing body / board<br/>sets risk appetite, holds the lines to account"])
    Board --> L1(["First line<br/>owns & manages the risk it creates"])
    Board --> L2(["Second line<br/>sets rules, advises, monitors"])
    Board --> L3(["Third line · internal audit<br/>independent assurance to the board"])
    L2 -.oversees.-> L1
    L3 -.assures.-> L1
    L3 -.assures.-> L2
    Ext(["External audit & regulators<br/>outside the organisation"]) -.-> Board
```
From "defence" to a model: the 2020 rethink
The word "defence" did real damage. It framed risk as something purely to be guarded against, and it encouraged organisations to draw three rigid lines and treat them as walls. In 2020 the Institute of Internal Auditors rewrote its own framework, dropping "of defense" to call it simply the Three Lines Model (position paper, IIA, July 2020). The change is more than cosmetic. The updated model is principles-based rather than prescriptive: it stresses that the lines describe roles, not rigid org-chart boxes; that those roles must collaborate; and that risk management is about seizing opportunity and creating value, not only protecting against loss.
Read that way, the three lines are a description of responsibilities to be assigned, not departments to be staffed. A 30-person company has all three roles even if one head of operations carries the first and second, and the board acts as the third by commissioning an external review. What matters is that the roles exist and are consciously owned, not that you build three separate teams you cannot afford.
An honest limitation. The model's biggest critique comes from inside the field it was built for. In the peer-reviewed paper "Three Lines of Defence: A Robust Organising Framework, or Just Lines in the Sand?" (Davies & Zhivitskaya, Global Policy, 2018), the authors note that the model's origins are opaque and its effectiveness largely untested, and warn that dividing responsibility for risk across three lines can reduce accountability rather than raise it, with each line quietly assuming another has the risk covered. The practical lesson is to use the lines to clarify single-point ownership, not to spread one risk thinly across three functions until no one truly holds it.
A worked example
Take a mid-sized fintech, call it Tbenbridge, that lets small businesses move money. (Illustrative scenario throughout; this is a teaching example, not a real firm.) A fraud pattern slips through: dozens of accounts opened with the same forged documents, and money out the door before anyone notices. In the post-mortem, the instinct is to blame the compliance team. The three lines turn that instinct into a sharper set of questions.
First line: the onboarding and payments teams own the fraud risk, because their process created the opening. Their failure was operational: the identity checks they ran were too weak for the product they were selling. Second line: the financial-crime function set the rules and was meant to monitor the alerts. Their failure was one of oversight: they had drifted into doing first-line work, manually clearing alerts, and so had no independent vantage point left from which to spot the pattern. Third line: internal audit had not reviewed onboarding controls in two years. Their failure was one of assurance: the board believed the controls worked because no one independent had checked.
```mermaid
flowchart TD
    E(["Fraud loss:<br/>forged-document accounts"]) --> Q{"Which line<br/>should have caught it?"}
    Q --> A(["First line<br/>weak ID checks in onboarding"])
    Q --> B(["Second line<br/>drifted into doing 1st-line work,<br/>lost its oversight view"])
    Q --> C(["Third line<br/>no audit of onboarding in 2 years"])
    A --> R(["Fix: each line owns its gap,<br/>no single team to scapegoat"])
    B --> R
    C --> R
```
Notice what the model does here. It refuses the easy story that "compliance failed," and instead shows three separate, fixable gaps, plus one structural warning sign: the second line had been pulled into first-line work, one of the most common ways these lines collapse. The fix is not more people but clearer ownership: restore the second line to oversight, give onboarding controls a real owner, and put internal audit back on a cycle that reaches the things that can actually hurt the firm.
Frequently asked questions
Is this only for banks and big companies?
The structure was hardened in financial services, but the roles are universal. Any organisation has people who take risk (first line), people who should oversee it (second line), and a need for someone independent to check (third line). In a small company one person may wear two of the roles and the board supplies the third; what matters is that all three responsibilities are consciously owned, not that you build three departments.
What's the difference between the second and third line?
The second line is part of management: it advises, sets policy, and monitors, but it has a stake in the outcome and reports up through the executive. The third line, internal audit, is deliberately independent and reports to the board's audit committee, so it can give an unwelcome verdict on management's own controls. The moment the third line starts helping run things, it has lost the independence that is its entire purpose.
Why did the IIA drop the word "defence"?
Because "defence" framed risk as purely something to guard against, and encouraged rigid walls between functions. The 2020 Three Lines Model reframes the lines as collaborating roles that help an organisation both protect and create value; risk-taking, done deliberately, is how organisations grow, not just something to be minimised.
Doesn't splitting responsibility three ways just let everyone off the hook?
It can; that is the model's sharpest documented criticism. Three lines can become three reasons to assume someone else has it covered. The guard against this is to insist on a single named owner for each real risk in the first line, and to treat the second and third lines as oversight and assurance of that owner, not as co-owners who dilute the responsibility.
How does this connect to risk appetite and the board?
The board is not one of the three lines; it sits above them, setting the risk appetite (how much risk the organisation will accept in pursuit of its goals) and holding the lines accountable for staying inside it. The three lines are how that appetite is actually delivered and checked day to day. Without a clear appetite set at the top, the lines have nothing to measure themselves against.
Related in the Toolkit
The three lines are the operating structure for risk; what they actually manage is defined elsewhere: the appetite set at the top (enterprise risk management & risk appetite) and the catalogue of what could go wrong (risk identification & assessment) are the inputs every line works from.
- Enterprise risk management & risk appetite, the board-level appetite the three lines exist to deliver and police.
- Risk identification & assessment (likelihood × impact), how the first line spots and sizes the risks it owns.
- Risk registers & mitigation strategies, where ownership across the lines gets recorded and tracked.
- Operational, financial, strategic & reputational risk, the categories of risk the lines are managing in the first place.
- Quantitative risk & scenario / stress testing, the analytical work the second line brings to oversight.
- Board roles, committees & responsibilities, the governing body above the lines, and the audit committee the third line reports to.
- Employment law basics, a worked example of a second-line compliance domain in everyday management.
- Insurance & risk transfer, what the first line does with the risks it chooses not to retain.
Where to go next
- "The IIA's Three Lines Model", Institute of Internal Auditors (2020), the current, authoritative source; read this rather than older "three lines of defence" write-ups.
- "Three Lines of Defence: A Robust Organising Framework, or Just Lines in the Sand?", Davies & Zhivitskaya, Global Policy (2018), the peer-reviewed critique; essential for understanding where the model breaks down.
- "Principles for the Sound Management of Operational Risk", Basel Committee (2011), the regulatory document that helped embed the three-lines idea across banking.
- "What is the Three Lines of Defense Model?" (YouTube), a short, plain-English walkthrough of the three roles for anyone who wants the model explained out loud.