Risk Management

The Three Lines of Defence – A Key Foundation for Your Business Resilience

Published: March 08, 2024

The Three Lines of Defence (3LoD) model is a commonly used structure for managing risk and internal controls within an organisation. Endorsed by the Institute of Internal Auditors (IIA), whose 2020 update of the model describes it simply as the "Three Lines Model", it sets out three layers of protection within an organisation against the various threats and risks it faces.

In this article, we explore the 3LoD model in simple terms, and why it is so often used as a key foundation for building organisational resilience.

What is the 3LoD model?

The 3LoD model provides a principles-based approach that supports organisations in establishing strong governance. It gives key stakeholders confidence that risks are being effectively managed and that avenues exist for monitoring, escalation, challenge, and reporting.

The 3LoD model, as set out in the IIA's 2020 update, is underpinned by six principles:

  • Governance, enabling accountability, actions, and assurance and advice;
  • Governing body roles, to ensure appropriate structures and processes are in place and effective, and that organisational objectives and activities are aligned;
  • Management and first and second line roles, where management’s responsibility to achieve organisational objectives comprises both first and second line roles;
  • Third line roles, internal audit providing independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management;
  • Third line independence, internal audit’s independence from the responsibilities of management enables its objectivity, authority, and credibility; and
  • Creating and protecting value, all roles working together collectively contribute to the creation and protection of value.

The role of the Governing Body

What it is: The Governing Body is made up of those people within an organisation who are accountable to stakeholders for the success of the organisation. Often this is the Board of the organisation, though the role can also be filled by Directors or Executive Management, depending on the structure, size, and context of the organisation.

The governing body has a key role in the implementation of the 3LoD model, as it ultimately accepts accountability to stakeholders for the oversight of the organisation. This can include establishing processes for governance (e.g. Board committees), maintaining oversight of compliance performance, determining and defining organisational risk appetite (the amount and type of risk an organisation is willing to take in pursuit of its objectives) and overseeing risk management, as well as promoting an organisational culture that champions ethical behaviour and accountability. In addition, the governing body should delegate responsibility and provide resources to management for the achievement of organisational objectives, and establish and oversee an independent, objective and competent internal audit function.

Alignment with ISO 31000: Many aspects of leadership and commitment (clause 5.2) and of the design of the risk management framework (e.g. 5.4.1 Understanding the organisation and its context, 5.4.2 Articulating risk management commitment, and 5.4.4 Allocating resources) will be provided for by the Governing Body. The governing body may further delegate this responsibility (though not the accountability) to management.

The First Line of Defence: Frontline Operations

What it is: This is the front line of your organisation, where daily activities and processes occur. It includes all the people directly involved in running the day-to-day operations of the business, who often have direct contact with your customers, products, or services. The first line is responsible for establishing and maintaining structures and processes for the management of its operations and risks, and for the controls implemented to address them. This often includes responsibility for ensuring compliance with legal and regulatory requirements. The first line should provide information to the Governing Body on the performance of its operations in achieving organisational objectives.

Illustration of application: Say you are heading the human resource department in your organisation. You have departmental or functional objectives and targets for each cycle, and there will be a list of risks or potential obstacles that could stop you from achieving them. When you own your departmental or functional risks by identifying, assessing, managing, and monitoring them with controls and mitigating actions, you are playing an effective role as the First Line of Defence. As the person positioned closest to the risks in your accountability area, you are the first to detect or encounter them, acting as the hands, ears, and eyes of your organisation in defending and safeguarding its interests on anything HR-related. Now imagine that everyone in the other departments and functions plays the same role for their respective accountability areas. Together, this establishes a strong and effective First Line of Defence across the whole organisation.

Alignment with ISO 31000: Whilst the first line doesn’t typically have responsibility for the design of its organisation’s risk management framework, it is responsible for its implementation including the controls within its area of operation. As such, many elements included within clauses 5.5 and 6 of ISO 31000, Implementation and Process respectively, are the responsibility of the first line, with insight provided by the second line of defence (outlined below).

The Second Line of Defence: Risk Management and Top Management

What it is: The Second Line of Defence is responsible for overseeing and managing risks more strategically, and for providing support, expertise, and challenge to the first line in relation to how risks are identified, evaluated, managed, and reported. Often, the second line team/s will provide monitoring and reporting to the governing body, relating to the effectiveness of risk management processes and controls across the whole organisation. This role is often filled by an organisation’s risk function, who partner with the first line to advise on effective risk management, and may help facilitate the processes of risk management (risk identification, evaluation, and treatment, as well as communication and engagement, and monitoring and reporting). It is important to note that the second line does not own the risks; the first line owns risks related to their areas of operation, and the governing body owns strategic risks that apply across the organisation.

Illustration of application: While the heads of departments and team leaders are managing risks as the organisation's First Line of Defence, the management team wants to know how effectively the organisation is operating and performing towards its strategic objectives and targets. So, together with the risk management team, they monitor the operational risk management updates produced by the First Line of Defence, and provide strategic direction or challenge the risk performance and mitigating actions, both to protect business value and to capitalise on opportunities for business value creation. Playing this role effectively establishes a strong Second Line of Defence, defending and safeguarding the business interests at the operational and strategic levels and empowering the first line to make risk-informed decisions.

Alignment with ISO 31000: Because the second line of defence owns the framework for managing risks across the organisation, many aspects of clause 5 of ISO 31000, Framework, are undertaken by the second line under the authority of the governing body. This can include designing appropriate risk assessment methodologies and control standards to apply across the organisation, and guiding the first line on how best to adopt the risk management framework and processes.

The Third Line of Defence: Internal Audit and External Regulators

What it is: The Third Line of Defence is the internal audit function. External assurance providers and regulators strictly sit outside the organisation's three lines in the IIA model, but they complement the third line and are often considered alongside it. These auditors are independent of the processes being audited and therefore should be able to provide an objective view of performance to the governing body. They assess the effectiveness of the risk management and controls in place.

Illustration of application: With the First Line of Defence addressing and managing risks in their respective areas of accountability, and the Second Line of Defence overseeing organisation-wide risk management and how it supports the overall strategic direction and objectives, the Third Line of Defence provides independent assurance over risk management with a fresh pair of eyes. Periodically, much like a medical check-up, they assess the organisation's business and operational performance and check that everything was done correctly and in accordance with the governing policies, standards, procedures, and regulatory requirements. All Three Lines of Defence work together to protect the business objectives effectively and systematically.

Alignment with ISO 31000: ISO 31000 includes clauses relating to the evaluation (clause 5.6) and improvement (clause 5.7) of the risk management framework, and to the monitoring and review of the risk management process (clause 6.6). Whilst the Standard doesn't specifically require that these activities be undertaken by the third line, organisations will often design their performance evaluation processes to consider the roles of each line of defence and seek a level of independent assurance over their risk treatments and controls from the third line. Other ISO management system standards, such as those for quality management (ISO 9001) and occupational health and safety management (ISO 45001), do include a specific clause (9.2) on the role and process of internal audit.

Now that we have a clear understanding of what the 3LoD model is, let’s connect this to another ISO standard that specifically relates to organisational resilience:

ISO 22301 – Business Continuity Management:

The First Line also plays a crucial role in ensuring business continuity during disruptive events. It should provide input into understanding the criticality of different business activities, processes, infrastructure and systems by undertaking an effective Business Impact Analysis (BIA) to inform business continuity planning and response.

The Second Line helps establish and maintain a business continuity management system (BCMS) in alignment with organisational requirements and the Standard, and can assist the first line in determining priorities and the impact of disruptive events. Often, the second line team/s will facilitate the BIA process and establish business continuity plans, with input from the first line and governing body. They may also test the effectiveness of business continuity planning through simulations and exercises that review the plans and the organisation's planned responses to different disruptive events.

The Third Line may audit the BCMS to confirm that it is effective and to provide the governing body with a level of comfort that the BCMS's processes are working as intended.

An effectively operationalised Three Lines of Defence (3LoD) model lays the foundation to build strong organisational resilience in the following ways:

  • Risk Management and Resilience: The 3LoD model is primarily focused on risk management and control. By having clear lines of responsibility for risk identification, mitigation, and oversight, organisations can proactively address risks that could disrupt their operations. This proactive risk management is a fundamental aspect of building resilience.
  • Identification and Mitigation of Risks: The First and Second Lines of Defence in the model are responsible for identifying and mitigating risks, including those that could threaten business continuity. By effectively managing risks, organisations become better prepared to withstand and recover from disruptive events.
  • Compliance and Standards: The Second Line of Defence ensures that the organisation complies with relevant standards and regulations, including those related to resilience and business continuity. Compliance with these standards can be key to enhancing an organisation's resilience.
  • Audit and Improvement: The Third Line of Defence conducts audits to assess the effectiveness of risk management and control measures. Through these audits, organisations can identify areas for improvement in their resilience strategies and make necessary adjustments.

In an era of increasing risks and uncertainties, the alignment of the Three Lines of Defence Model to ISO standards is a strategic imperative for organisations seeking resilience and continuity. This integration not only enhances risk management but also strengthens an organisation’s ability to adapt and thrive in the face of adversity.

Our Business Continuity course empowers you with the knowledge and tools you need to effectively safeguard your organisation's future. If you are interested in learning more about strengthening your business resilience and how to do it right, find out more and enrol here.
