Framework
March 15, 2026

The Three Lines of Defense Model: A Practical Guide

Understand the Three Lines of Defense model — how it works, the role of each line, common mistakes, and how to implement it effectively in your organization.

What is the Three Lines of Defense model?

The Three Lines of Defense (3LoD) is a governance framework that defines how risk management, compliance, and assurance responsibilities are distributed within an organization. It was formalized by the Institute of Internal Auditors (IIA) and has become the dominant model for organizing risk governance in financial services, healthcare, and beyond.

In 2020, the IIA updated the model — renaming it simply the "Three Lines Model" and shifting focus from defense to contribution, emphasizing that all three lines add value rather than just protecting against threats. The core structure remains the same.

The three lines explained

First Line: Operational management

The first line consists of the business units and operational functions that own and manage risks as part of their day-to-day activities. They are closest to the risks and have the primary responsibility for implementing controls.

Examples: a bank's loan officers managing credit risk, a software company's engineering team managing application security controls, or a logistics firm's warehouse managers controlling operational safety risks.

Responsibilities:

  • Identify and assess risks within their area of ownership
  • Design and operate controls
  • Report risk information to the second line
  • Implement corrective actions when controls fail

Second Line: Risk and compliance oversight

The second line provides oversight, challenge, and support to the first line. It sets the risk framework, monitors risk levels across the organization, and ensures the first line is managing risks effectively.

Examples: the Chief Risk Officer function, the compliance department, the information security team (overseeing and challenging the security controls that first-line engineering teams own and operate), and the legal function.

Responsibilities:

  • Design the risk management framework and methodology
  • Set risk appetite and tolerances
  • Monitor and report on risk exposures across the organization
  • Conduct independent testing and validation of first-line controls
  • Report to senior management and the board

Third Line: Internal audit

The third line — internal audit — provides independent, objective assurance to the board and senior management that the first two lines are operating effectively. It has no management responsibility for risk, which is what makes its assurance credible.

Responsibilities:

  • Assess the effectiveness of governance, risk management, and control processes
  • Provide assurance over the design and operation of both the first and second lines
  • Report findings directly to the audit committee or board
  • Follow up on remediation of audit findings

The role of the board and senior management

The IIA's updated model explicitly adds a fourth element: the governing body (board or equivalent) and senior management. They sit above the three lines, setting strategy, objectives, and risk appetite — and receiving assurance from all three lines.

Common implementation mistakes

Blurring the lines

The most common mistake is allowing the second line to take on first-line responsibilities. When the risk function starts owning controls directly rather than overseeing them, independence is lost and accountability becomes unclear.

An underpowered second line

Many organizations have a strong first line (operational business) and a strong third line (well-resourced internal audit) but a weak second line — a small risk team with no real authority to challenge the business. This creates a false sense of security.

Siloed reporting

When each line reports up through its own channel with no integration, senior management and the board get three different pictures of risk with no way to reconcile them.

Treating 3LoD as a box-ticking exercise

The Three Lines Model is a governance principle, not a compliance requirement in itself. Organizations that implement it mechanically — assigning labels to functions without real accountability — get the cost without the benefit.

How to implement 3LoD effectively

  1. Define clear ownership. For every risk in your risk inventory, assign a first-line owner. No unowned risks.
  2. Give the second line real teeth. The CRO or risk function should have the authority to escalate, challenge business decisions, and require remediation — with board-level backing.
  3. Keep internal audit independent. The CAE (Chief Audit Executive) should report functionally to the audit committee, not to the CFO or CEO.
  4. Coordinate, don't duplicate. The three lines should share risk information and coordinate their coverage — but each should maintain its own independent view.
  5. Use technology to integrate. A risk platform that supports all three lines — risk recording (1st), control testing (2nd), and audit workflow (3rd) — eliminates the information gaps between functions.

3LoD in Reesk

Reesk is built around the Three Lines of Defense model. Risk spaces capture first-line risk ownership. Control testing workflows support second-line validation. Reporting and snapshot features give internal audit the evidence trail they need. Role-based access ensures each line sees what it needs without compromising independence.
