Context

In regulated industries — particularly financial services, energy, and critical infrastructure — the Three Lines model is the standard vocabulary for governance. It is the primary mechanism organisations use to segregate duties and prevent conflicts of interest. For the professional, understanding this framework is a practical necessity: it clarifies the boundary between operational management and independent oversight.

The Three Lines of Defence (3LOD) is a framework used to structure risk management within an organisation. It separates three groups: those who own the risk, those who oversee it, and those who provide independent assurance of both.

While it originated in the military and sports, it was adopted heavily by the banking sector in the late 1990s and is now a regulatory expectation in many fields.

The Three Lines explained

The model distinguishes between three groups involved in effective risk management:

  • First Line of Defence: The Business. This comprises the operational management and business units (sales, trading, operations, engineering). They own and manage the risks. They are responsible for implementing corrective actions to address process and control deficiencies. In short: if you generate the revenue or build the product, you are the First Line.

  • Second Line of Defence: Oversight. These are the functions that oversee risk and compliance. They do not hold P&L (profit and loss) responsibility, but they are responsible for defining policy, monitoring the First Line, and reporting on risk levels. This includes the Risk Management, Compliance, Legal, and Quality Assurance teams.

  • Third Line of Defence: Independent Assurance. This is exclusively the Internal Audit function. They provide an objective, independent evaluation of the effectiveness of the governance, risk management, and internal controls. They report not to the CEO, but to the Board (usually via the Audit Committee) to maintain independence.

Evolution of the model

The concept has been the industry standard in the UK and globally for over twenty years. It was formally codified by the Institute of Internal Auditors (IIA) in 2013.

In July 2020, the IIA published a significant update, rebranding it as the Three Lines Model. This revision was an attempt to soften the rigid, siloed nature of the original “defence” terminology, encouraging better collaboration between management and the risk function. However, most professionals in the City and industry still refer to it colloquially as “3LOD”.

For the practitioner, the value of the model is clarity of ownership. It prevents the common governance failure in which management assumes the risk team is fixing a problem, while the risk team assumes it is merely reporting on it, so that nobody actually remediates it.

Further reading