From the “Three Lines of Defence” model to the “Three Lines Model”

The “Three Lines Model” has been developed to support companies with risk management and with achieving their company objectives. While all three levels of the Three Line Model are critical for setting up a consistent risk management process, the framework is now more flexible.

The “Three Lines Model” from the Institute of Internal Auditors is similar to the well-known “Three Lines of Defence” (3LoD) model, but, by contrast, aims to set out the basic principles more clearly. At the same time, it provides an explanation of the roles and responsibilities of the most important organisational positions. The “Three Lines Model” serves as a guideline for the implementation and execution of measures to bring the company objectives into line with the main interests of the different stakeholders.


“3LoD” model versus “Three Lines Model” – what is new

The most important change in the “Three Lines Model” compared to the “3LoD” model is the transition to a principle-based approach. The principles put the emphasis on the role of the individual and not on the operative line. There are other major changes emphasising the following:

  • The importance of good coordination and communication between the different lines of defence.
  • The necessity for a direct relationship between the governing body and the first and second line managers.
  • Reinforcement of the direct relationship between the governing body and the internal audit in the third line.

The reworked model is based on the following six principles:

  • Principle 1 – Governance:
    Governance of an organisation requires appropriate structures and processes that enable accountability, actions to achieve the organisation’s objectives and assurance.
  • Principle 2 – Governing body roles:
    The governing body ensures appropriate structures are in place for effective governance. These include appropriate oversight and alignment with the requirements of the stakeholders.
  • Principle 3 – Management and first and second line roles:
    The management’s responsibility for achieving the company objectives comprises both first and second line management roles. The first line roles are aligned with the delivery of products or services to the clients of the organisation and also include support functions. Second line roles provide assistance with managing risk.
  • Principle 4 – Third line roles:
    Internal audit provides assurance and independent and objective advice on the adequacy and effectiveness of governance and risk management. In doing so, it may consider other internal and external providers.
  • Principle 5 – Third line independence:
    Internal audit’s independence from management is critical to its objectivity, authority and credibility.
  • Principle 6 – Creating and protecting value:
    All roles working together collectively contribute to the creation and protection of value when they are aligned with each other and the prioritised interests of the stakeholders. Communication, cooperation and collaboration are key here.

In summary, the aim of these principles is to improve personal responsibility and shift the emphasis to the role of the individual within the three lines. 

Further development to the “Three Lines Model”

The “Three Lines Model“ is not a fundamental change to the existing three lines in the “3LoD“ model, it is more a series of improvements in order to reinforce it. While the key processes may not need to be updated, there may be changes to the reporting lines as soon as the roles, responsibilities and accountabilities are clarified. The following are among the most important considerations:

  • Clarification of all roles, responsibilities and accountabilities for all roles, including potential conflicts.
  • Updating of responsibility plans. If the responsibility for a senior management function is split, the specific responsibilities of each individual must be clearly defined and understandable.
  • Integration and shift to the 1st and 2nd line of risk management by clarifying and increasing awareness, thus improving security, coverage and transparency.
  • As in the “3LoD” model, the risk takers cannot also offer assurance, so independent assessment may be necessary. A fundamental assessment of the responsibilities, potential obstacles and any incompatibilities with existing structures helps ensure a seamless transition to the updated “Three Lines Model”. 

“Three Lines Model” as an opportunity for improvement

The reworked “Three Lines Model” provides a variety of opportunities for improvement:

  • Exchange and orientation, increased active and collaborative exchange, giving and receiving feedback and developing based on the feedback received.
  • Cooperation, with all roles involved working closely together.
  • “Compliance by design” and lasting focus on the implementation of business objectives, search for the best way to achieve them.
  • Innovation: Tackling problems creatively and using new techniques.
  • (Partial) automation of typical 2nd line activities and some 1st line compliance activities.
  • Coordination and design of processes to ensure good perception of responsibility for design of the risk management processes.

As an interdisciplinary area, risk management covers all the roles of the “Three Lines Model”. The 1st and 2nd line identify, assess, handle and monitor risks, the 3rd line keeps an attentive, independent eye on the 1st and 2nd line activities. At the same time, remedial measures and the associated roles are disconnected in order to guarantee better traceability and facilitate cooperation across the whole organisation.

Practical implementation? Our InfoGuard experts can help

The “Three Lines Model” is rapidly being implemented in practice. InfoGuard can support you in applying the “Three Lines Model” at different levels.

Thanks to our extensive experience and expertise in a range of different industries, we are the perfect partner to ensure the successful implementation of the “Three Lines Model”. We look forward to hearing from you!

Contact us now!

<< >>

Cyber Security

About the author / InfoGuard

InfoGuard AG

More articles from InfoGuard

Related articles
ISO/IEC 27002:2022 – what you should know about the new changes
ISO/IEC 27002:2022 – what you should know about the new changes

After a wait of over nine years, the revised ISO/IEC 27002:2022 standard has finally been published. Of [...]
Are you ready for the new FINMA circular 2023/1 “Operational risks and resilience – Banks”?
Are you ready for the new FINMA circular 2023/1 “Operational risks and resilience – Banks”?

The completely revised FINMA Circular 2023/1 on management of operational risks and ensuring resilience in [...]
Governance, Risk & Compliance (GRC) – how to manage cyber risk while ensuring compliance!
Governance, Risk & Compliance (GRC) – how to manage cyber risk while ensuring compliance!

Governance, risk & compliance (GRC) is the collective term for subjects and processes such as corporate [...]

Exciting articles, the latest news and tips & tricks from our experts on all aspects of Cyber Security & Defence.

Blog update subscription
Social Media