
The three lines of defense model remains one of the most widely adopted frameworks for structuring enterprise risk management programs.
For large organizations managing complex regulatory requirements across multiple jurisdictions, this framework provides the clarity boards and executive teams need to assign accountability, coordinate risk activities and ensure nothing falls through the cracks.
Yet the framework has evolved significantly since its original adoption. The Institute of Internal Auditors (IIA) released a major update in July 2020, renaming it the "Three Lines Model" to emphasize value creation alongside protection.
This shift reflects a fundamental change in how leading organizations approach risk: moving from purely defensive postures to integrated programs that enable strategic decision-making.
For chief risk officers, chief audit executives and board members navigating this complexity, understanding how the three lines of defense in risk management works — and how to implement it effectively — is essential for building programs that protect and create value.
The three lines of defense (often abbreviated as 3LOD or 3LoD) is a risk management framework that structures accountability across three distinct organizational functions. It establishes clear ownership for managing, overseeing and independently assuring risks throughout an enterprise.
The framework was formally defined by the IIA in 2013, though it had been used informally in financial services for nearly a decade prior. Industry associations, including the Federation of European Risk Management Associations (FERMA) and the European Confederation of Institutes of Internal Auditing (ECIIA), helped promote its adoption across sectors.
Today, it serves as a foundational model for governance, risk and compliance (GRC) programs in organizations worldwide.
At its core, the model divides risk responsibilities into three lines: operational management that owns and manages risk (first line), oversight functions such as risk and compliance that monitor it (second line), and internal audit that provides independent assurance (third line).
The board and executive leadership sit above these three lines, setting the organization's risk appetite, defining strategic objectives and holding all three lines accountable for their respective responsibilities.
In July 2020, the IIA released a significant update that renamed the framework as the "Three Lines Model" and introduced several conceptual shifts. The word "defense" was intentionally removed to signal that the model's purpose extends beyond protective measures.
Key differences include a broader focus on value creation and achieving objectives rather than protection alone, a clearer statement of the governing body's role, greater emphasis on collaboration between the lines, and principles-based guidance that lets organizations adapt the model to their own structures.
As the IIA noted when releasing the update, risk-based decision-making is as much about seizing opportunities as defensive moves.
This philosophical shift makes the framework more relevant for organizations navigating today's dynamic risk landscape.
Organizations that implement the three lines framework effectively realize significant advantages over those relying on ad hoc risk management approaches. These benefits extend beyond compliance to create genuine business value.
The framework eliminates ambiguity about who owns what. When responsibilities are clearly assigned across three lines, risks are less likely to fall through the cracks. Each function understands its role, reducing both duplication of effort and dangerous blind spots.
This clarity proves especially valuable during crises. When incidents occur, organizations with established three lines of defense structures respond faster because escalation paths and decision rights are already defined.
Boards and external stakeholders gain confidence when they see a structured risk governance framework. The model provides a common language for discussing risk management maturity with investors, regulators and auditors.
The What Directors Think 2025 report found that while 71% of directors report regular CISO meetings with boards, only 51% have reviewed processes for incident disclosure and response. Organizations with mature three lines of defense frameworks close this gap by ensuring consistent risk communication reaches the board.
Regulators across industries expect organizations to demonstrate structured risk governance. The three lines model aligns with regulatory expectations in financial services, healthcare and other highly regulated sectors.
Rather than building bespoke frameworks for each regulatory requirement, organizations can demonstrate how their 3LOD structure addresses multiple compliance obligations simultaneously.
When all three lines operate on integrated platforms, organizations gain comprehensive visibility into their risk posture. First line data flows to second line oversight, which informs third line assurance priorities. This integration enables proactive risk management rather than reactive firefighting.
Despite its widespread adoption, organizations frequently struggle to realize the model's full potential. Understanding common pitfalls helps organizations avoid implementation failures.
The most common failure occurs when the model's principles don't translate into defined accountabilities. Organizations may adopt 3LOD terminology without clearly specifying who owns what. This creates coordination challenges, broken processes and inaccurate reporting.
"One of the biggest challenges people have is communicating what they're doing in their risk management program," says Tom Faraday, Senior Director of Product Management at Diligent. Successful implementation requires documented role definitions, RACI matrices and regular reviews to ensure accountability remains clear as organizations evolve.
When the first line views risk management as "someone else's job," the entire model breaks down. This typically happens when risk and compliance functions become so dominant that operational managers defer to them rather than owning their risks.
The first line must take accountability for managing risks, not merely implementing controls that the second line dictates. This requires investment in first line training, clear incentive alignment and leadership that reinforces ownership expectations.
Inherent tension exists between these lines. The first line naturally wants flexibility to take risks that generate returns. The second line errs toward keeping risks below tolerance thresholds. Without effective resolution mechanisms, this conflict can paralyze decision-making or create adversarial relationships.
Successful organizations address this through clear escalation paths, collaborative risk assessment processes and executive leadership that balances risk-taking with prudent oversight.
Some organizations treat internal audit as a periodic compliance exercise rather than an integrated governance function. When the audit team operates in isolation, it cannot provide the real-time insights and advisory value the model envisions.
The IIA's 2020 update explicitly addresses this, noting that independence doesn't mean isolation. Internal audit should maintain regular interactions with management and ensure its work remains strategically relevant.
Organizations that extract maximum value from the three lines model share common characteristics. These practices distinguish high-performing risk management programs from those that merely check compliance boxes.
Fragmented reporting from separate risk, compliance and audit functions creates confusion rather than clarity. Boards receive conflicting narratives, making strategic decisions difficult.
"Keep it practical. Keep the ERM program practically designed and not overly complex, through the entire lifecycle of the ERM process. High, medium, low are good enough. Keep your presentations to the board simple. Demonstrate practicality throughout the entire process," advises Maurice L. Crescenzi Jr., Industry Practice Leader at Moody's.
Integrated reporting consolidates information from all three lines into unified views. This requires common risk taxonomies, consistent rating scales and technology platforms that aggregate data across functions.
Traditional quarterly risk reporting creates dangerous lag times between risk emergence and board awareness. Organizations face threats that materialize within days — cyber incidents, supply chain disruptions, regulatory actions — yet boards often receive updates months later.
Data-driven GRC platforms enable continuous monitoring that identifies emerging threats as they develop. Real-time dashboards surface issues requiring immediate attention while providing trend analysis for strategic planning.
Cyber risk illustrates how the three lines should collaborate on emerging threats. According to the 2025 GC Risk Index by Diligent Institute and Corporate Board Member, business risk has surged to 7.9 out of 10 — a 36% increase since Q1 — with legal and compliance leaders citing information security (32%) and data privacy (28%) as top organizational concerns.
In a properly structured cyber governance program:
This structure ensures comprehensive coverage while maintaining clear accountability. The board receives integrated reporting that translates technical security metrics into business risk terms.
Artificial intelligence presents risk categories that traditional frameworks weren't designed to address — algorithmic bias, data privacy, intellectual property exposure and rapidly evolving regulations across jurisdictions.
"Put AI in your risk register. No one's going to argue with that. Get an AI policy. The board should be asking management for a policy," says Richard Barber, CEO of MindTech Group.
Applying the three lines to AI governance requires clarity about who owns what:
The key is treating AI like any other enterprise risk — with defined ownership, consistent oversight and independent assurance — rather than allowing it to exist outside established governance structures.
Organizations should periodically assess their 3LOD maturity against industry benchmarks. Annual assessments comparing current capabilities against frameworks like COSO ERM or the IIA's standards reveal gaps and inform resource allocation decisions.
Effective assessments evaluate each line separately and collectively:
Document assessment findings, track year-over-year progress and tie improvement initiatives to specific maturity gaps. This creates accountability and demonstrates governance sophistication to boards, regulators and external stakeholders.
Managing the coordination challenges documented above requires more than spreadsheets and siloed systems. When first, second and third line functions operate on disconnected platforms, the visibility gaps and communication breakdowns that undermine the model become inevitable.
That's why AI-powered governance technology has become essential infrastructure for organizations operationalizing the three lines framework.
The Diligent One Platform provides unified governance, risk and compliance management that connects all three lines on shared data and workflows. Rather than maintaining separate risk registers, compliance tracking systems and audit workpapers, organizations access consolidated views of their risk posture.
Diligent ERM strengthens second line oversight through AI-powered risk identification that benchmarks against 180,000+ real-world risks from SEC 10-K reports. Moody's credit sentiment scores and external risk intelligence surface emerging threats before they escalate.

Real-time dashboards and heat maps translate complex risk data into board-ready reporting, addressing the communication challenges that plague traditional ERM programs.
"We just won a Best in Class award for our ERM program. Diligent helped us bring structure and visibility to our risk reporting — especially for our performance and accountability report," says Curtis McNeil of the Architect of the Capitol.
For third line assurance, Diligent Audit provides comprehensive solutions for planning, executing and reporting internal audits:
"We feel that with [Diligent], we've evolved as an audit team. It's not that we do more audits, but that we can provide better information," says Vincent Verlinde, National Risk and Assurance Manager at Daikin Australia.
Together, these capabilities create the integrated infrastructure that the three lines of defense model requires. First line risk owners see their control responsibilities clearly, second line functions monitor in real time rather than quarterly and third line auditors provide continuous assurance rather than point-in-time assessments.
Ready to operationalize your 3LOD framework with integrated technology? Schedule a demo to see how Diligent connects risk, compliance and audit functions on a unified platform.
The Three Lines Model is the IIA's 2020 update to the original three lines of defense framework. While both establish first line (operational management), second line (oversight functions) and third line (internal audit) accountability, the updated model broadens focus beyond "defense" to include value creation and achieving objectives.
It also clarifies the governing body's role, emphasizes collaboration between lines and adopts principles-based guidance that allows organizations to adapt the model to their specific structures.
The IIA's updated model explicitly acknowledges that first and second line roles can be blended in smaller organizations. A CFO might handle both financial management (first line) and financial risk oversight (second line).
The key is maintaining conceptual separation between managing risks and overseeing risk management, even when the same individuals perform both functions.
Effective implementation requires integrated GRC platforms that connect all three lines on shared data and workflows.
Key capabilities include:
These capabilities eliminate silos, enable real-time oversight and provide the visibility boards need for effective governance.
Ready to transform your enterprise risk management with AI-powered technology? Request a demo to get started.