The Three Lines Model for Governance and Risk Management

Nathan Pickard, CIA, CISA

What’s in a name? For ThirdLine, it is a simple yet meaningful nod to the Three Lines Model developed by the Institute of Internal Auditors (IIA). 

The Three Lines Model, previously known as the Three Lines of Defense, helps organizations identify structures and processes in order to achieve their objectives and facilitate strong governance and risk management. 

No surprise here: the Three Lines Model has first, second, and third line roles. Management is responsible for the first and second line roles, while internal audit takes on third line roles—hence our name! The governing body is accountable to stakeholders for organizational oversight, which involves the actions by management and assurance by internal audit.

External assurance providers satisfy requests by management and the governing body to complement internal audit’s work. External assurance providers also serve to protect the interests of the organization’s stakeholders.

[Figure: the Three Lines Model. Credit: Institute of Internal Auditors]

While the language may imply that the first line comes before the second and so on, all roles are working together and at the same time. The collaboration among the key roles “ensures the reliability, coherence, and transparency of information needed for risk-based decision-making” according to the IIA.

Risk-based decision-making: A considered process that includes analysis, planning, action, monitoring, and review, and takes account of potential impacts of uncertainty on objectives.

Summary of Three Lines Roles

The IIA says the Three Lines Model is “most effective when it is adapted to align with the objectives and circumstances of the organization,” meaning the structure and assignment of roles may look different from one organization to the next. 

First line roles most directly align with the delivery of products and services to the organization’s clients. Management establishes and maintains structures and processes for managing operations and risk, including internal control.

Second line roles provide assistance with managing risk. First and second line roles may be separated or combined. Second line roles may include “monitoring, advice, guidance, testing, analyzing, and reporting on matters related to the management of risk.” The scope of risk management can include enterprise risk management as well, according to the IIA.

Last but not least, third line roles provide independent and objective assurance and advice on governance and risk management. 

To maintain credibility and authority, internal audit’s independence from the responsibilities of management is “critical” in fulfilling third line roles. The IIA says independence is established through:

  • Accountability to the governing body 
  • Unfettered access to people, resources, and data needed to complete its work 
  • Freedom from bias or interference in the planning and delivery of audit services 

Third line independence is the fifth principle of six in the Three Lines Model. However, “independence does not imply isolation.” Internal audit reports its findings to management and the governing body to promote and facilitate continuous improvement across the organization.

Three Lines Model Principles

  • Principle 1: Governance
  • Principle 2: Governing body roles
  • Principle 3: Management and first and second line roles
  • Principle 4: Third line roles
  • Principle 5: Third line independence
  • Principle 6: Creating and protecting value

Resources for Applying the Three Lines Model

The IIA formally adopted the Three Lines of Defense model in a Position Paper: “The Three Lines of Defense in Effective Risk Management and Control,” published in 2013. 

The IIA has since promoted it as a valuable tool for governance. Read the 2019 Exposure Document: Three Lines of Defense.

Amid “rapid change, unprecedented new risks, and the growing complexity of organizations,” the IIA published a major update to the Three Lines Model in 2020. 

The Three Lines Model for Governance and Risk Management

Download the PDF version →
