The new Three Lines Model: What’s changed from the old model and how can it provide value?

By: Brad Smith | Principal Consultant



The year 2020 could be characterized by comments like “We didn’t see that coming” or “Well, that escalated quickly”.

Being unprepared for threats that were either not seen as a possibility or were underestimated in terms of impact is not a position any organization wants to be in. Organizations will continue to face a multitude of risks into the future. A number of these will be outside the organization's control, with potentially high financial and operational impacts that can in turn significantly affect the organization's various stakeholders.

Major events such as the Global Financial Crisis (GFC) in 2008 or COVID-19 in 2020 highlight the need for a fully effective governance, risk and compliance (GRC) approach. This involves boards and management being clear on their roles and responsibilities for governance, risk management and control. This is where the Three Lines Model comes in.

The model, originally called the Three Lines of Defense, has been in existence since the early 2000s but came into prominence with financial institutions following the GFC in 2008. Since then it has been more widely adopted by larger organizations in the private and public sectors.

In 2020 the Institute of Internal Auditors (IIA) updated the model to make it more flexible and easier to implement for small and medium-sized organizations. It also changed the name to the Three Lines Model in recognition that risk management is not just about defense and protection of value, but also about opportunity and creation of value.

What is the Three Lines Model?

[Figure: diagram of the Three Lines Model]

The Three Lines Model helps organizations identify structures, processes, roles and responsibilities that best assist the achievement of objectives and facilitate strong governance and risk management. In this respect, it is a useful addition to an organization’s governance and risk management policies.

The First Line 

The First Line (operational management) undertakes the following roles:

  • managing risks, actions and resources to achieve organizational objectives
  • communicating with the governing body on the outcomes related to risk management
  • establishing and maintaining structures and processes for the management of operations and risk (including internal control)
  • ensuring compliance with legal, regulatory and ethical expectations

The Second Line

The Second Line provides support to, monitors and challenges First Line management, including:

  • development, implementation, and continuous improvement of risk management practices (including internal control) at a process, systems, and entity level
  • achievement of risk management and compliance objectives
  • analysis and reporting on the adequacy and effectiveness of risk management (including internal control)

The Third Line

The Third Line comprises the independent assurance roles undertaken by internal audit:

  • maintaining primary accountability to the governing body and independence from management’s responsibilities
  • communicating independent and objective assurance and advice to management and the governing body on the adequacy and effectiveness of governance and risk management (including internal control)
  • reporting impairments to independence and objectivity to the governing body and implementing safeguards

Implementing the three lines model

The Three Lines Model can only work when it is well understood, well coordinated and supported from the top of the organization. Every organization can benefit from this approach, no matter their size or complexity.

While the above is a concise overview of the IIA's Three Lines Model, you can view the IIA's original paper for a more detailed explanation.

To find out how our Camms.Risk software solution can help you successfully implement the Three Lines Model, book a demo with us today!
