Print Article

The Three Lines of Defence model – revamped


A new model for governance and risk management issued Monday 21 July 2020 by the Institute of Internal Auditors (IIA) makes significant updates to the Three Lines of Defence model that has been popular for years.

Called “The Three Lines Model,” the new approach is designed to help organizations identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management.

In the previous model, the three lines of defence were represented by

  • management control as the first line,
  • risk and control monitoring as the second, and
  • independent assurance through the internal audit function as the third.

The new model is designed to

  • better identify and structure interactions and responsibilities of management, internal audit, and those charged with governance to achieve more effective alignment, collaboration, accountability, and objectives.

Roles are clearly defined in the new model for various leaders within an organization, including

  • oversight by the board or governing body;
  • management and operational leaders including risk and compliance (first- and second-line roles); and
  • independent assurance through internal audit (third-line role).

The position of external assurance providers also is addressed. The new model emphasizes six principles related to

  • governance,
  • governing body roles,
  • management and
  • first- and second-line roles, third-line roles, third-line independence, and
  • creating and protecting value.

The new model applies to all organizations, which can optimize the new approach by:

  1. Adopting a principles-based approach and adapting the model to suit organizational objectives and circumstances.
  2. Focusing on the contribution risk management makes to achieving objectives and creating value, as well as to matters of “defence” and protecting value.
  3. Demonstrating [explaining] the roles and responsibilities represented in the model and the relationships among them.
  4. Implementing measures to ensure that activities and objectives are aligned with the prioritized interests of stakeholders.

IIA President and CEO Richard Chambers said in a news release.

  • “The Three Lines Model has largely been viewed as the basis for sound risk management,”
  • “For implementation by organizations on both a reactive and proactive basis, these updates help modernize and strengthen application of the model to ensure its sustained usefulness and value.”

The IIA created a graphical illustration of the new model, which is included below.