Three lines of defense in risk management: A framework for enterprise governance

The three lines of defense model remains one of the most widely adopted frameworks for structuring enterprise risk management programs.
For large organizations managing complex regulatory requirements across multiple jurisdictions, this framework provides the clarity boards and executive teams need to assign accountability, coordinate risk activities and ensure nothing falls through the cracks.
Yet the framework has evolved significantly since its original adoption. The Institute of Internal Auditors (IIA) released a major update in July 2020, renaming it the "Three Lines Model" to emphasize value creation alongside protection.
This shift reflects a fundamental change in how leading organizations approach risk: moving from purely defensive postures to integrated programs that enable strategic decision-making.
For chief risk officers, chief audit executives and board members navigating this complexity, understanding how the three lines of defense in risk management works — and how to implement it effectively — is essential for building programs that protect and create value.
This guide covers:
- What the three lines of defense model is and how the IIA's 2020 update changed its focus
- How each line functions and interrelates with the others
- Common implementation challenges and how to address them
- How AI technology supports the three lines of defense
What is the three lines of defense model?
The three lines of defense (often abbreviated as 3LOD or 3LoD) is a risk management framework that structures accountability across three distinct organizational functions. It establishes clear ownership for managing, overseeing and independently assuring risks throughout an enterprise.
The framework was formally defined by the IIA in 2013, though it had been used informally in financial services for nearly a decade prior. Industry associations, including the Federation of European Risk Management Associations (FERMA) and the European Confederation of Institutes of Internal Auditing (ECIIA), helped promote its adoption across sectors.
Today, it serves as a foundational model for governance, risk and compliance (GRC) programs in organizations worldwide.
At its core, the model divides risk responsibilities into:
- First line (management): Business units and operational managers who own and manage risks daily. They implement controls, execute processes and make risk-informed decisions as part of their operational responsibilities.
- Second line (risk and compliance functions): Specialized teams including risk management, compliance, financial controls and IT security that oversee the first line's activities. They establish policies, set risk standards and monitor adherence without owning the risks themselves.
- Third line (internal audit): An independent function that provides objective assurance over the effectiveness of governance, risk management and internal controls. Internal audit reports directly to the board or audit committee rather than management.
The board and executive leadership sit above these three lines, setting the organization's risk appetite, defining strategic objectives and holding all three lines accountable for their respective responsibilities.
How the IIA's Three Lines Model differs from the original 3LOD
In July 2020, the IIA released a significant update that renamed the framework as the "Three Lines Model" and introduced several conceptual shifts. The word "defense" was intentionally removed to signal that the model's purpose extends beyond protective measures.
Key differences include:
- Value creation emphasis: The updated model explicitly focuses on achieving objectives and creating value, not just protecting against downside risks. This positions risk management as a strategic enabler rather than a compliance burden.
- Clearer governing body role: The 2020 update better articulates how the governing body (board) integrates with the three lines rather than simply sitting above them. Boards are accountable for organizational oversight while delegating responsibility for achieving objectives to management.
- Flexible role definitions: The updated model acknowledges that first and second line roles can be blended in some organizations, particularly smaller ones where dedicated risk teams may not exist. This principles-based approach allows organizations to adapt the model to their structure.
- Collaboration over silos: Perhaps most importantly, the new model emphasizes alignment, collaboration and communication across all lines. Independence doesn't mean isolation. Internal audit, while maintaining objectivity, should actively engage with management and contribute to organizational improvement.
As the IIA noted when releasing the update, risk-based decision-making is as much about seizing opportunities as defensive moves.
This philosophical shift makes the framework more relevant for organizations navigating today's dynamic risk landscape.
Benefits of the three lines of defense model
Organizations that implement the three lines framework effectively realize significant advantages over those relying on ad hoc risk management approaches. These benefits extend beyond compliance to create genuine business value.
Clear accountability and reduced gaps
The framework eliminates ambiguity about who owns what. When responsibilities are clearly assigned across three lines, risks are less likely to fall through the cracks. Each function understands its role, reducing both duplication of effort and dangerous blind spots.
This clarity proves especially valuable during crises. When incidents occur, organizations with established three lines of defense structures respond faster because escalation paths and decision rights are already defined.
Improved board and stakeholder confidence
Boards and external stakeholders gain confidence when they see a structured risk governance framework. The model provides a common language for discussing risk management maturity with investors, regulators and auditors.
The What Directors Think 2025 report found that while 71% of directors report regular CISO meetings with boards, only 51% have reviewed processes for incident disclosure and response. Organizations with mature three lines of defense frameworks close this gap by ensuring consistent risk communication reaches the board.
Regulatory alignment and compliance efficiency
Regulators across industries expect organizations to demonstrate structured risk governance. The three lines model aligns with regulatory expectations in financial services, healthcare and other highly regulated sectors.
Rather than building bespoke frameworks for each regulatory requirement, organizations can demonstrate how their 3LOD structure addresses multiple compliance obligations simultaneously.
Enhanced risk visibility and proactive management
When all three lines operate on integrated platforms, organizations gain comprehensive visibility into their risk posture. First line data flows to second line oversight, which informs third line assurance priorities. This integration enables proactive risk management rather than reactive firefighting.
Common challenges in implementing the three lines of defense model
Despite its widespread adoption, organizations frequently struggle to realize the model's full potential. Understanding common pitfalls helps organizations avoid implementation failures.
Unclear roles and responsibilities
The most common failure occurs when the model's principles don't translate into defined accountabilities. Organizations may adopt 3LOD terminology without clearly specifying who owns what. This creates coordination challenges, broken processes and inaccurate reporting.
"One of the biggest challenges people have is communicating what they're doing in their risk management program," says Tom Faraday, Senior Director of Product Management at Diligent. Successful implementation requires documented role definitions, RACI matrices and regular reviews to ensure accountability remains clear as organizations evolve.
First line passivity
When the first line views risk management as "someone else's job," the entire model breaks down. This typically happens when risk and compliance functions become so dominant that operational managers defer to them rather than owning their risks.
The first line must take accountability for managing risks, not merely implementing controls that the second line dictates. This requires investment in first line training, clear incentive alignment and leadership that reinforces ownership expectations.
First and second line conflicts
Inherent tension exists between these lines. The first line naturally wants flexibility to take risks that generate returns. The second line errs toward keeping risks below tolerance thresholds. Without effective resolution mechanisms, this conflict can paralyze decision-making or create adversarial relationships.
Successful organizations address this through clear escalation paths, collaborative risk assessment processes and executive leadership that balances risk-taking with prudent oversight.
Isolated third line
Some organizations treat internal audit as a periodic compliance exercise rather than an integrated governance function. When the audit team operates in isolation, it cannot provide the real-time insights and advisory value the model envisions.
The IIA's 2020 update explicitly addresses this, noting that independence doesn't mean isolation. Internal audit should maintain regular interactions with management and ensure its work remains strategically relevant.
Best practices for 3LOD effectiveness
Organizations that extract maximum value from the three lines model share common characteristics. These practices distinguish high-performing risk management programs from those that merely check compliance boxes.
Establish integrated reporting
Fragmented reporting from separate risk, compliance and audit functions creates confusion rather than clarity. Boards receive conflicting narratives, making strategic decisions difficult.
"Keep it practical. Keep the ERM program practically designed and not overly complex, through the entire lifecycle of the ERM process. High, medium, low are good enough. Keep your presentations to the board simple. Demonstrate practicality throughout the entire process," advises Maurice L. Crescenzi Jr., Industry Practice Leader at Moody's.
Integrated reporting consolidates information from all three lines into unified views. This requires common risk taxonomies, consistent rating scales and technology platforms that aggregate data across functions.
Enable real-time risk visibility
Traditional quarterly risk reporting creates dangerous lag times between risk emergence and board awareness. Organizations face threats that materialize within days — cyber incidents, supply chain disruptions, regulatory actions — yet boards often receive updates months later.
Data-driven GRC platforms enable continuous monitoring that identifies emerging threats as they develop. Real-time dashboards surface issues requiring immediate attention while providing trend analysis for strategic planning.
Apply the framework to cybersecurity
Cyber risk illustrates how the three lines should collaborate on emerging threats. According to the 2025 GC Risk Index by Diligent Institute and Corporate Board Member, business risk has surged to 7.9 out of 10 — a 36% increase since Q1 — with legal and compliance leaders citing information security (32%) and data privacy (28%) as top organizational concerns.
In a properly structured cyber governance program:
- First line (IT operations): Owns day-to-day security operations, including patch management, access controls and incident response.
- Second line (information security): Establishes security policies, conducts vulnerability assessments and monitors compliance with standards like NIST or ISO 27001.
- Third line (IT audit): Independently assesses whether security controls are designed effectively and operating as intended.
This structure ensures comprehensive coverage while maintaining clear accountability. The board receives integrated reporting that translates technical security metrics into business risk terms.
Extend governance to AI and emerging technology
Artificial intelligence presents risk categories that traditional frameworks weren't designed to address — algorithmic bias, data privacy, intellectual property exposure and rapidly evolving regulations across jurisdictions.
"Put AI in your risk register. No one's going to argue with that. Get an AI policy. The board should be asking management for a policy," says Richard Barber, CEO of MindTech Group.
Applying the three lines to AI governance requires clarity about who owns what:
- First line: Product and data teams own responsible AI practices, including model development, testing and deployment. They document training data sources, validate model outputs and maintain records of AI-driven decisions that may face regulatory scrutiny.
- Second line: Compliance and ethics functions establish AI use policies, monitor for algorithmic bias and track regulatory developments. They review high-risk AI applications before deployment and ensure third-party AI tools meet organizational standards.
- Third line: Internal audit assesses whether AI governance structures actually work. This includes testing data quality controls, evaluating model documentation and verifying that AI risk disclosures align with actual practices.
The key is treating AI like any other enterprise risk — with defined ownership, consistent oversight and independent assurance — rather than allowing it to exist outside established governance structures.
Conduct regular maturity assessments
Organizations should periodically assess their 3LOD maturity against industry benchmarks. Annual assessments comparing current capabilities against frameworks like COSO ERM or the IIA's standards reveal gaps and inform resource allocation decisions.
Effective assessments evaluate each line separately and collectively:
- For the first line: Do operational managers understand their risk ownership?
- For the second line: Are oversight functions coordinated or siloed?
- For the third line: Does the internal audit team have sufficient independence and resources?
- And critically: How well do the three lines communicate and collaborate?
Document assessment findings, track year-over-year progress and tie improvement initiatives to specific maturity gaps. This creates accountability and demonstrates governance sophistication to boards, regulators and external stakeholders.
How AI technology supports the three lines of defense
Managing the coordination challenges documented above requires more than spreadsheets and siloed systems. When first, second and third line functions operate on disconnected platforms, the visibility gaps and communication breakdowns that undermine the model become inevitable.
That's why AI-powered governance technology has become essential infrastructure for organizations operationalizing the three lines framework.
The Diligent One Platform provides unified governance, risk and compliance management that connects all three lines on shared data and workflows. Rather than maintaining separate risk registers, compliance tracking systems and audit workpapers, organizations access consolidated views of their risk posture.
Diligent ERM strengthens second line oversight through AI-powered risk identification that benchmarks against 180,000+ real-world risks from SEC 10K reports. Moody's credit sentiment scores and external risk intelligence surface emerging threats before they escalate.

Real-time dashboards and heat maps translate complex risk data into board-ready reporting, addressing the communication challenges that plague traditional ERM programs.
"We just won a Best in Class award for our ERM program. Diligent helped us bring structure and visibility to our risk reporting — especially for our performance and accountability report," says Curtis McNeil of the Architect of the Capitol.
For third line assurance, Diligent Audit provides comprehensive solutions for planning, executing and reporting internal audits:
- AI-powered analytics examine 100% of transactions rather than statistical samples
- Continuous monitoring identifies control failures as they occur rather than months later
- Risk-based audit planning focuses resources on the highest-impact areas
- Centralized workpapers create comprehensive audit trails for regulators and stakeholders
"We feel that with [Diligent], we've evolved as an audit team. It's not that we do more audits, but that we can provide better information," says Vincent Verlinde, National Risk and Assurance Manager at Daikin Australia.
Together, these capabilities create the integrated infrastructure that the three lines of defense model requires. First line risk owners see their control responsibilities clearly, second line functions monitor in real time rather than quarterly and third line auditors provide continuous assurance rather than point-in-time assessments.
Ready to operationalize your 3LOD framework with integrated technology? Schedule a demo to see how Diligent connects risk, compliance and audit functions on a unified platform.
FAQs about the three lines of defense in risk management
What is the difference between the three lines of defense and the IIA's Three Lines Model?
The Three Lines Model is the IIA's 2020 update to the original three lines of defense framework. While both establish first line (operational management), second line (oversight functions) and third line (internal audit) accountability, the updated model broadens focus beyond "defense" to include value creation and achieving objectives.
It also clarifies the governing body's role, emphasizes collaboration between lines and adopts principles-based guidance that allows organizations to adapt the model to their specific structures.
How can smaller organizations apply the three lines model without dedicated risk and audit teams?
The IIA's updated model explicitly acknowledges that first and second line roles can be blended in smaller organizations. A CFO might handle both financial management (first line) and financial risk oversight (second line).
The key is maintaining conceptual separation between managing risks and overseeing risk management, even when the same individuals perform both functions.
What technology do organizations use to operationalize the three lines model?
Effective implementation requires integrated GRC platforms that connect all three lines on shared data and workflows.
Key capabilities include:
- Centralized risk registers accessible to all lines
- Automated control monitoring exception reporting
- Workflow automation for risk assessments and remediation
These capabilities eliminate silos, enable real-time oversight and provide the visibility boards need for effective governance.
Ready to transform your enterprise risk management with AI-powered technology? Request a demo to get started.
