
What Is the Three Lines of Defence Model in Risk Management?

Elliot Poublan
Dec 16, 2025

When it comes to risk management, frameworks matter. They provide clarity, structure, and a common language across the organisation. Without them, roles blur, accountability slips, and risks end up without a clear owner.

In short

The Three Lines of Defence model is a governance framework that separates risk management into three roles: the first line (operational management who own and manage risks), the second line (risk and compliance who set policy and provide oversight), and the third line (internal audit who provides independent assurance).

  • First line - manages risk day-to-day in the business.
  • Second line - frames, oversees and challenges.
  • Third line - independently assures the framework works.
  • Why it matters - boards and regulators expect to see the three roles defined and operating, not just named.

One of the most enduring and widely adopted frameworks is the Three Lines of Defence model (also written as the 3 Lines of Defence model, or Three Lines of Defense in US spelling). First formalised by the Institute of Internal Auditors (IIA), it has become a cornerstone of governance, risk, and compliance (GRC). Its appeal lies in its simplicity: by clearly defining who owns risks, who oversees them, and who provides independent assurance, the model prevents duplication, avoids confusion, and reinforces accountability.

Naming & spelling

Three Lines of Defence (UK / Commonwealth spelling) and Three Lines of Defense (US spelling) refer to the same model. 3 Lines of Defence is the same framework written numerically. The IIA's 2020 update simplified the name to The Three Lines Model - dropping "of defence/defense" - to better reflect that the lines are about complementary roles, not adversarial defence layers. All four labels are still in active use.

This article uses the UK spelling throughout, but everything below applies equally to the US "Three Lines of Defense" model and to the IIA's updated "Three Lines Model".

The 3 Lines of Defence Explained (With Examples)

The first line is operational management - the business units and teams that run day-to-day processes. They are closest to the risks and therefore responsible for identifying, managing, and mitigating them. For example, the IT team implementing access controls, or the operations manager ensuring procedures are followed. They don't just execute business activity; they own the risks that come with it.

The second line is the risk and compliance functions. These teams don't run the business directly, but they set frameworks, provide guidance, and monitor adherence. Their role is to help define risk appetite, develop policies, and challenge the first line when risks are not being managed properly. If the first line is the driver, the second line is the navigator - watching blind spots, warning about hazards, and making sure the route stays aligned to the plan.

Real-World Example

Second Line in Action: Risk Management Team

A financial services company has a dedicated Risk Management team (second line). They review the IT team's access controls quarterly, assess whether the controls meet regulatory requirements, and challenge the IT team when they find gaps. They develop the company's cybersecurity policy, set the risk appetite for data breaches, and provide training to the first line. When they notice the IT team hasn't updated access logs in three months, they escalate to management - that's their oversight role.

The third line is internal audit. Unlike the other two, internal audit is independent of management. Its role is to provide objective assurance to the board or governing body that risks are being managed effectively, controls are functioning, and policies are being followed. If the first line drives and the second line navigates, the third line is the impartial inspector making sure the vehicle is roadworthy.

Why It Works

The beauty of the model is its clarity:

  • Line one manages risks directly.
  • Line two provides oversight, guidance, and challenge.
  • Line three delivers independent assurance.

When all three roles are clearly defined, blind spots shrink and accountability strengthens. Boards, regulators, and investors gain confidence because they can see risks are not only logged but actively owned, monitored, and tested.

Three Lines of Defence in Risk Management: Common Pitfalls in SMEs

Despite its simplicity, the model often breaks down in practice - especially in small and mid-sized organisations. Resource constraints mean the same person may wear multiple hats, acting as both risk owner and compliance officer. Internal audit may be non-existent or outsourced, reducing independence. And because roles are not formally documented, accountability is often assumed rather than assigned.

Typical pitfalls include:

  • Blurred responsibilities: One person ends up covering two or even all three lines.
  • No independent check: Without an audit function, assurance is weak.
  • Lack of visibility: Risks are tracked, but ownership isn't obvious to the wider business.

The danger is that when something goes wrong, nobody feels truly responsible - exactly what the model is designed to prevent.

Common Pitfall

When Lines Blur: The Overworked Compliance Manager

A mid-sized manufacturing company has one person - let's call her Sarah - who is both the Head of Risk (second line) and the Head of Compliance (second line), and she also manages the operational risk register (first line). When a supplier compliance issue arises, Sarah is responsible for identifying it (first line), setting the policy to fix it (second line), and reporting on it to the board (second line). There's no third line audit function. When the issue escalates, Sarah is overwhelmed, accountability is unclear, and the board can't get independent assurance that risks are being managed. This is the Three Lines model breaking down in practice.

How Initia Puts the Model Into Practice

Technology can make or break governance frameworks. If roles are only described in policies, they are quickly forgotten. That's why Initia builds the Three Lines model directly into its platform.

  • Role-based access ensures every risk, control, and action has a clear owner aligned to the right line.
  • Linked frameworks connect risks to controls, policies, and assessments, so oversight is tangible for line two.
  • Dashboards and reports show instantly whether risks are being managed, challenged, and assured.
  • Audit trails log every change, giving the third line the transparency they need.

By embedding accountability into daily workflows, Initia turns the model from a classroom diagram into a living process.

If you're building out the ERM framework that sits beneath the Three Lines model, see our guide on how to build an ERM framework. And for the assessment process that makes first-line ownership tangible, read what an RCSA is and why most fail.

Takeaway: Clarity Drives Accountability

The Three Lines of Defence model remains relevant because it addresses a universal challenge: confusion over who owns what. When implemented properly, risks are managed by those closest to them, overseen by specialists, and assured independently.

For SMEs, the challenge is not understanding the model, but making it practical. That's where Initia adds value. By giving teams modern tools that enforce clear roles and responsibilities, it helps organisations reduce compliance risks, strengthen governance, and build a culture of real accountability.

When you are ready to evaluate platforms that enforce the model in practice, our buyer guide on how to choose a GRC tool covers what to look for in a GRC platform for a mid-sized company - including the alternatives to legacy enterprise suites that mid-market teams typically shortlist. For the platform shape that supports the Three Lines model end-to-end, see our overview of modern risk management software for UK mid-market firms.

For short definitions of the surrounding terminology - first/second/third line, internal audit, risk owner, RCSA, GRC - see our risk management and GRC glossary.
