The Model: What It Describes
The Three Lines Model — updated by the IIA in 2020 from the earlier Three Lines of Defence framework — describes three categories of roles that contribute to governance and risk management, each with distinct responsibilities and relationships to organisational leadership and the governing body.
First line: Operational management and staff who own and manage risks as part of their day-to-day activities. The first line creates risk, manages risk, and is responsible for the design and operation of internal controls. This includes everyone from the CFO to the accounts payable clerk, in proportion to their role in the organisation's processes.
Second line: Functions that provide expertise, oversight, and challenge to the first line's risk management activities. Risk management, compliance, information security, legal, and similar specialist functions sit in the second line. They do not own the risks or the controls — that remains with the first line — but they set standards, monitor compliance, and provide assurance to senior management that the first line is managing risk appropriately.
Third line: Internal audit, which provides independent assurance to the governing body and senior management that governance, risk management, and internal control processes are operating effectively. The third line operates independently of the first and second lines and reports directly to the audit committee and board.
The 2020 Update: Key Changes
The 2020 revision of the model made several important changes to the original Three Lines of Defence concept. Most significantly, it reframed the model around the governing body rather than management — emphasising that the ultimate purpose of all three lines is to support effective board oversight, not just to satisfy management's risk management needs. It also clarified that the three lines are not sequential — they operate simultaneously, each with distinct contributions to governance. And it dropped the "defence" language, which had inadvertently framed the model around preventing failure rather than enabling good decision-making.
Where the Model Breaks Down in Practice
Blurring of roles: The most common implementation failure is inadequate role clarity between the first and second lines. When a risk function takes ownership of risk registers, designs controls, and then monitors the effectiveness of those same controls itself, it has moved into first-line territory — and the second line's independence and objectivity are compromised. Similarly, when compliance functions become so embedded in operational decision-making that they are effectively managing the processes they are supposed to oversee, the model's structural logic breaks down.
Second line captured by the first: Risk and compliance functions that report to the CFO, COO, or business unit leaders rather than directly to the CEO or board face structural independence challenges. When the function's performance evaluation, resources, and career progression are controlled by the managers it is supposed to oversee, its ability to provide genuine independent challenge is limited.
Third line assurance not used: Internal audit reports that are presented to the audit committee but not integrated into the board's ongoing oversight processes represent a lost governance opportunity. When the governing body does not systematically connect audit findings to strategic and risk decision-making, the third line's contribution is severed from the governance function it is designed to support.
The Three Lines Model works when each line is genuinely independent of the others within its own domain, and when the governing body actively uses the information produced by all three lines to exercise informed oversight. When either condition is absent, the model provides governance theatre rather than governance substance.
Making the Model Work
Implementation of the Three Lines Model that actually delivers its governance promise requires deliberate design: clear role definitions documented in charters and job descriptions, reporting lines that protect functional independence, governance processes that integrate input from all three lines, and periodic assessment of whether the model is functioning as intended. Internal audit can play a valuable role in assessing the quality of the overall three-lines architecture — not just its own line, but the extent to which first- and second-line activities are providing the governance infrastructure on which effective third-line assurance depends.