Print Article

The Three Lines of Defence model – revamped


A new model for governance and risk management issued Monday 21 July 2020 by the Institute of Internal Auditors (IIA) makes significant updates to the Three Lines of Defence model that has been popular for years.

Called “The Three Lines Model,” the new approach is designed to help organizations identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management.

In the previous model, the three lines of defence were represented by

  • management control as the first line,
  • risk and control monitoring as the second, and
  • independent assurance through the internal audit function as the third.

The new model is designed to

  • better identify and structure interactions and responsibilities of management, internal audit, and those charged with governance to achieve more effective alignment, collaboration, accountability, and objectives.

Roles are clearly defined in the new model for various leaders within an organization, including

  • oversight by the board or governing body;
  • management and operational leaders including risk and compliance (first- and second-line roles); and
  • independent assurance through internal audit (third-line role).

The position of external assurance providers also is addressed. The new model emphasizes six principles related to

  • governance,
  • governing body roles,
  • management and
  • first- and second-line roles, third-line roles, third-line independence, and
  • creating and protecting value.

The new model applies to all organizations, which can optimize the new approach by:

  1. Adopting a principles-based approach and adapting the model to suit organizational objectives and circumstances.
  2. Focusing on the contribution risk management makes to achieving objectives and creating value, as well as to matters of “defence” and protecting value.
  3. Demonstrating [explaining] the roles and responsibilities represented in the model and the relationships among them.
  4. Implementing measures to ensure that activities and objectives are aligned with the prioritized interests of stakeholders.

IIA President and CEO Richard Chambers said in a news release.

  • “The Three Lines Model has largely been viewed as the basis for sound risk management,”
  • “For implementation by organizations on both a reactive and proactive basis, these updates help modernize and strengthen application of the model to ensure its sustained usefulness and value.”

The IIA created a graphical illustration of the new model, which is included below.


The Team

Meet the team of industry experts behind Comsure

Find out more

Latest News

Keep up to date with the very latest news from Comsure

Find out more


View our latest imagery from our news and work

Find out more


Think we can help you and your business? Chat to us today

Get In Touch

News Disclaimer

As well as owning and publishing Comsure's copyrighted works, Comsure wishes to use the copyright-protected works of others. To do so, Comsure is applying for exemptions in the UK copyright law. There are certain very specific situations where Comsure is permitted to do so without seeking permission from the owner. These exemptions are in the copyright sections of the Copyright, Designs and Patents Act 1988 (as amended)[]. Many situations allow for Comsure to apply for exemptions. These include 1] Non-commercial research and private study, 2] Criticism, review and reporting of current events, 3] the copying of works in any medium as long as the use is to illustrate a point. 4] no posting is for commercial purposes [payment]. (for a full list of exemptions, please read here]. Concerning the exceptions, Comsure will acknowledge the work of the source author by providing a link to the source material. Comsure claims no ownership of non-Comsure content. The non-Comsure articles posted on the Comsure website are deemed important, relevant, and newsworthy to a Comsure audience (e.g. regulated financial services and professional firms [DNFSBs]). Comsure does not wish to take any credit for the publication, and the publication can be read in full in its original form if you click the articles link that always accompanies the news item. Also, Comsure does not seek any payment for highlighting these important articles. If you want any article removed, Comsure will automatically do so on a reasonable request if you email