The Three Lines of Defence model (3LOD) is a widely recognised framework in enterprise risk management (ERM), designed to clarify who is responsible for what when managing risk across an organisation. It is most common in regulated industries such as financial services, where a structured, auditable governance process is required.
- First Line of Defence: Operations and business units are responsible for managing risk as part of their daily activities, through a well-defined collection of control procedures.
- Second Line of Defence: Risk management and compliance functions provide oversight, defining policies and giving guidance to the First Line so that risks are properly identified and mitigated.
- Third Line of Defence: Internal audit provides independent assurance on the effectiveness of governance, risk management and controls.
The concept of the Three Lines of Defence has been used in the financial sector for over two decades. It gained wider recognition when the Institute of Internal Auditors (IIA) published its position paper, The Three Lines of Defence in Effective Risk Management and Control, in 2013; the IIA replaced it in 2020 with the updated Three Lines Model, which drops the word "defence" to stress that the lines exist to create and protect value, not only to prevent losses. The model is intended to give boards, regulators and investors confidence in the organisation's ability to identify, manage and mitigate enterprise risk.
Further reading
- The IIA’s Three Lines Model: An Update of the Three Lines of Defense - IIA (PDF)
- Three lines of defence (risk.net)
- The Three Lines of Defence Model has been updated - what does this mean for Internal Audit? (BDO UK)
- Modernizing the three lines of defense model (Deloitte)
- Enhancing the Three Lines of Defense in Risk Management with FAIR Risk Analysis (Part 1: First & Second Lines) - FAIR Institute blog
- Pros and Cons of Factor Analysis of Information Risk - RSI Security