
The Three Lines Model

The Institute of Internal Auditors (IIA) has just updated (on 20 July 2020) the Three Lines of Defense model, which has been around for years and has served as one of the foundations of risk management practice. The update was made to keep pace with rapid change, unprecedented new risks, and the growing complexity of organizations.

Quick Snapshot


There are many changes in the new guidance; some key points (the list is not exhaustive) that can easily be spotted from the model diagram alone are:

  • It’s a governance model – not merely a risk management model

  • Reducing red tape by simplifying upward reporting to the governing body, without fussing over the names a governing body may carry in different jurisdictions.

  • Clarifying that the 'first line' and 'second line' are both part of management and are involved in day-to-day operations.

  • Clearly depicting that internal audit is to be independent from management, but collaborates within the appropriate context to reduce silos and make risk management practice more effective.

  • The lines do not denote structural elements; they clarify the segregation of roles, and the roles operate concurrently.


Extract from the New Guideline

The Three Lines Model helps organizations identify structures and processes to assist the achievement of objectives and facilitate strong governance and risk management. The model applies to all organizations and is optimized by:

  • Adopting a principles-based approach and adapting the model to suit organizational objectives and circumstances.

  • Focusing on the contribution risk management makes to achieving objectives and creating value, as well as to matters of “defense” and protecting value.

  • Clearly understanding the roles and responsibilities represented in the model and the relationships among them.

  • Implementing measures to ensure activities and objectives are aligned with the prioritized interests of stakeholders.

The new model's principles-based approach is designed to provide users greater flexibility.


The IIA Three Lines Model also comes with a set of principles. Although they are not standardised principles of the kind seen in other guidelines (governance codes, for example), they provide some clarity on what makes the Three Lines Model work. They include:

  1. Governance. Governance of an organization requires appropriate structures and processes that enable accountability, actions, assurance and advice.

  2. Governing body roles. That is to ensure structures and processes are in place for effective governance as well as to ensure that organizational objectives and activities are aligned with the prioritized interests of stakeholders.

  3. Management and first and second line roles. Management’s responsibility to achieve organizational objectives comprises both first and second line roles, and first and second line roles may be blended or separated.

  4. Third line roles. Internal audit provides independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management.

  5. Third line independence. Internal audit’s independence from the responsibilities of management is critical to its objectivity, authority, and credibility.

  6. Creating and protecting value. All roles working together collectively contribute to the creation and protection of value when they are aligned with each other and with the prioritized interests of stakeholders.


There are high-level key roles that put the principles into practice within the Three Lines Model:

  1. The governing body. Those individuals who are accountable to stakeholders for the success of the organization.

  2. Management. Those individuals, teams, and support functions assigned to provide products and/or services to the organization’s clients.

  3. Internal Audit. Those individuals operating independently from management to provide assurance and insight on the adequacy and effectiveness of governance and the management of risk (including internal control).

  4. External assurance providers. Those individuals outside the organization that satisfy legislative and regulatory expectations, and those individuals that satisfy requests by management and the governing body to complement internal sources of assurance.

The governing body, management, and internal audit have their distinct responsibilities, but all activities need to be aligned with the objectives of the organization. The basis for successful coherence is regular and effective coordination, collaboration, and communication.

Relationships between the governing body and management

The governing body typically sets the direction of the organization. It then delegates responsibility for the achievement of the organization’s objectives to management. The governing body receives reports from management on planned, actual, and expected outcomes, as well as reports on risk and the management of risk.

Relationships between the governing body and internal audit

Internal audit is accountable to the governing body, and the governing body is responsible for oversight of internal audit and for ensuring that it functions appropriately.

Relationships between management and internal audit

Internal audit’s independence from management does not imply isolation. There must be regular interaction between internal audit and management to ensure the work of internal audit is relevant and aligned with the strategic and operational needs of the organization. There is a need for collaboration and communication to ensure there is no unnecessary duplication, overlap, or gaps.


Structure, roles and responsibilities

The Three Lines Model is most effective when it is adapted to align with the objectives and circumstances of the organization. How an organization is structured and how roles are assigned are matters for management and the governing body to determine.

  • Functions, teams, and even individuals may have responsibilities that include both first and second line roles. However, direction and oversight of second line roles may be designed to secure a degree of independence from those with first line roles by establishing primary accountability and reporting lines to the governing body.

  • The Three Lines Model allows for as many reporting lines between management and the governing body as required.

  • First line roles remain responsible for managing risk.

  • Second line roles are integral to management decisions and actions, form part of management’s responsibilities, and are never fully independent from management, regardless of reporting lines and accountabilities.

  • Internal audit’s independence is safeguarded by not making decisions or taking actions that are part of management’s responsibilities (including risk management) and by declining to provide assurance on activities for which internal audit has current, or has had recent, responsibility.

Oversight and assurance

The governing body relies on reports from management, internal audit, and external assurance providers to exercise oversight and to achieve the objectives for which it is accountable to stakeholders.

Management provides assurance/attestations on planned, actual, and forecast outcomes, on risk, and on risk management.

Coordination and alignment

Effective governance requires appropriate assignment of responsibilities as well as strong alignment of activities through cooperation, collaboration, and communication. The governing body seeks confirmation through internal audit that governance structures and processes are appropriately designed and operating as intended.

How Should Organizations Respond?

We can all agree that more collaboration and communication, fewer silos and less duplication, supported by clear roles and their segregation, will benefit any organization, regardless of size or sector.

This update can trigger improvements in risk management practices through activities such as the following:

  • Understanding the principles and adapting the model to suit organizational objectives and circumstances, including the prevailing legal structure.

  • Mapping existing functions and their roles, and re-aligning them where that improves the picture.

  • Reducing or eliminating unnecessary reporting lines.

  • Enhancing the quality of reporting so that it will be more valuable to the governing body.

  • Continually reminding everyone that risk management is management's responsibility, and that the first line is primarily responsible for managing risk in its day-to-day operations.

  • Encouraging and promoting the need for, and the practice of, effective communication between key roles.

