While the framework has been around for years, the Three Lines Model is an approach to risk management that is gaining popularity among organizations in many industries.
Challenges remain in adopting the Three Lines Model, including the lack of a common risk taxonomy, inconsistent risk-rating methods and duplication of assurance efforts, indicating that many organizations continue to confront inefficiencies and have room for improvement across the three lines.
Three Lines 101: Understanding the basics
The Three Lines Model, in short, is a method of setting roles and creating accountability in governance across an organization. It was previously known as the Three Lines Model of Defense but was shortened to emphasize the forward-thinking, value-added mindset of internal audit.
As you can see in the graphic from the Institute of Internal Auditors (IIA), the Three Lines Model begins with the governing body, which sets the tone at the top. As depicted by the up arrows, management and internal audit are accountable to (and report up to) the governing body. The down arrows, meanwhile, indicate that the governing body delegates and provides resources and guidance to management and to internal audit. The horizontal arrows represent the collaboration between management and internal audit throughout the IIA Three Lines Model process.
What are the three lines?
The first line is the actual business, where senior management and others are executing their work on a day-to-day basis with the help of supportive functions like administrative departments and human resources. The first line needs to own the risk and take ultimate responsibility for the organization’s policies, processes and controls before any expansion of lines can even begin to take place.
The second line forms once an organization is large enough (and sophisticated enough) to have an enterprise risk management (ERM) function, a quality assurance group or a regulatory compliance team focusing on identifying and addressing business risks. Basically, the second line is a team of professionals that provides assistance with detecting and managing risk.


