Operational Risk

The Three Lines of Defense Model: Roles, Responsibilities, and Where It Breaks

April 30, 2026 Rebecca Leung

Most risk frameworks are abstract enough that nobody argues with them. The Three Lines of Defense model is different — people argue with it constantly, because it directly touches who owns responsibility for things going wrong, and that argument is usually happening because something already went wrong.

When a regulator sends an MRA citing “inadequate risk management program,” or when an internal audit finding reveals a control that’s been broken for 18 months while the compliance team assumed the business had it covered — that’s a Three Lines failure. And those failures aren’t random. They follow predictable patterns.

Here’s what the model actually requires, where it breaks, and how to build a version that survives contact with a real organization.

TL;DR

  • The Three Lines Model divides risk responsibility into three distinct roles: first line owns and manages risk, second line provides oversight and frameworks, third line (internal audit) provides independent assurance
  • The IIA updated the model in 2020, renaming it from “Three Lines of Defense” and explicitly adding the governing body (board) as an accountability anchor above all three lines
  • The most dangerous failure modes: first line that doesn’t know it owns risk, second line that does first-line work, and internal audit that’s not genuinely independent
  • Wells Fargo is the definitive case study — all three lines failed simultaneously over a multi-year period while 1.5 million unauthorized accounts accumulated

The Model: What Each Line Actually Does

The Governing Body

The 2020 IIA update added something the original 2013 model underemphasized: an explicit role for the governing body — the board (or equivalent oversight structure) — that sits above all three lines.

The board is accountable to stakeholders for oversight. It sets the risk appetite, approves the overall ERM framework, receives independent assurance from internal audit (third line), and holds senior management accountable for the risk management program the first and second lines execute. The board’s governance failures — passive oversight, failure to challenge management, treating audit committee meetings as check-the-box exercises — cascade down into every layer below it.

This matters because in most Three Lines failures, the first place to look is whether the board was actually engaged or just receiving reports. A board that doesn’t read audit findings closely enough to ask uncomfortable questions creates a culture where second-line escalations stop reaching the people who have the authority to act on them.

First Line: The Business Units

The first line is every business unit, team, and employee that executes operations and owns the risks in those operations. They are not a wall — they are the process. Loan officers, software engineers, customer service representatives, product managers — everyone who takes an action that creates risk is part of the first line.

First-line responsibilities:

  • Own the risk. When a process creates credit risk, compliance risk, or operational risk, the first line is responsible for managing it — not waiting for the second line to catch it.
  • Execute controls. First-line managers implement the controls the second line has designed. Checklists, approvals, access restrictions, data handling procedures — these live in the first line.
  • Escalate. When something is outside normal operating parameters, the first line escalates — to the second line if it’s a framework question, or up the management chain if it’s a judgment call.

The critical misconception the IIA has consistently tried to correct: the first line is not simply the “business” that generates revenue while the second line “manages risk” on its behalf. Risk management is a first-line function. The second line provides frameworks, expertise, and oversight — it does not absorb first-line risk ownership.

Second Line: Risk Management and Compliance

The second line is where risk management, compliance, legal, information security, and similar functions sit. In larger organizations this may also include ERM, model risk management, privacy, and third-party risk functions.

Second-line responsibilities:

  • Set frameworks and standards. The second line designs the risk management policies, procedures, and tools the first line uses. The risk appetite statement, the RCSA methodology, the vendor risk assessment process — these originate in the second line.
  • Monitor and challenge. The second line reviews first-line risk data, monitors KRIs and KPIs, and actively challenges first-line assessments when something looks wrong. This is the “oversight” function.
  • Provide expertise. When the first line encounters a regulatory question, a complex risk scenario, or a novel product feature with compliance implications, the second line provides subject-matter expertise.
  • Aggregate and report. The second line aggregates risk data across business units and reports to senior management and the board.

What the second line does not do: take operational ownership of risks. When compliance officers are signing off on transactions, when the risk team is approving customer applications, when information security is directly managing user access — the second line has slid into first-line territory, and accountability has collapsed.

Third Line: Internal Audit

Internal audit is the only function in this model whose entire purpose is assurance — not risk management, not control execution, not compliance monitoring. The third line exists to independently assess whether the first and second lines are doing their jobs.

Third-line responsibilities:

  • Independent assurance. Internal audit provides an objective opinion on the adequacy and effectiveness of governance, risk management, and internal controls across the organization — including the second line.
  • Audit the second line. This is a point organizations frequently miss: internal audit audits the risk management and compliance functions, not just front-line operations. If the second line is setting frameworks poorly or monitoring ineffectively, that’s a third-line finding.
  • Report to the board. The third line’s primary accountability relationship is with the audit committee, not with management. This independence is what makes its assurance credible. Internal audit that reports exclusively to the CEO has lost its independence.

The 2020 IIA Update: What Actually Changed

The IIA renamed the framework from “Three Lines of Defense” to “Three Lines Model” in July 2020. The language shift was intentional — “defense” had created an adversarial framing where lines were walls against each other rather than collaborative roles. But the substantive changes went beyond naming:

Explicit governing body role. The original 2013 model was largely silent on board-level governance. The 2020 update makes the governing body an explicit accountability anchor with its own defined responsibilities.

Clarified second-line independence. The 2020 model emphasizes that second-line functions are management functions — they are not independent of management. Only the third line (internal audit) provides independence. This distinction matters because some organizations had started treating their risk and compliance teams as quasi-audit functions, which creates confusion about escalation paths and independence standards.

Emphasis on collaboration. The model now explicitly addresses how the three lines coordinate and share information — not as bureaucratic handoffs, but as an integrated system. Internal audit can provide advisory services to the first and second lines without compromising its independence on assurance engagements.

Alignment with COSO ERM 2017. The update aligned terminology and concepts with the COSO Enterprise Risk Management framework, making the two frameworks more complementary than they had been.

Where It Breaks: The Four Failure Modes

Failure Mode 1: First Line Doesn’t Own Risk

The most pervasive failure. Front-line employees and managers treat risk management as something the compliance or risk department does on their behalf. When something goes wrong, the first response is “why didn’t compliance catch this?”

Signs this is happening:

  • Business units routinely escalate routine compliance questions to the second line rather than handling them
  • Risk management frameworks designed by the second line are implemented inconsistently in the first line because nobody there is responsible for it
  • Performance incentives are entirely output-focused with no risk dimension — salespeople are rewarded for volume, not quality

The root cause is usually cultural: risk ownership was never embedded as a first-line responsibility, and second-line teams filled the gap by doing the work themselves. Once that dynamic sets, it’s hard to reverse.

Failure Mode 2: Second Line Does First-Line Work

When the second line absorbs first-line responsibilities, accountability disappears. The compliance team signs off on transactions. The risk team approves new products. The information security team manages user access directly. It looks like good risk management in the short term — the second line is engaged, things are getting done — but it creates a structural problem: who is overseeing the second line’s work?

The OCC’s Heightened Standards (2014), which formalized the three lines model for large banks, specifically called out the need to keep first- and second-line roles distinct. When they blur, the second line’s oversight function is compromised — you can’t independently monitor something you’re also executing.

In the current cost-cutting environment, regulators have specifically flagged cases where compliance departments are being given operational responsibilities that dilute their oversight function. This is a red flag in examinations.

Failure Mode 3: Internal Audit Lacks True Independence

Third-line independence is structural, not just procedural. Internal audit teams that report to the CFO or CEO rather than the board’s audit committee are structurally compromised — their findings have to travel through management before reaching the people with the authority to act on them, and management has an obvious interest in which findings get elevated and how they’re framed.

Independence also erodes when internal audit is pulled into “collaborative” arrangements with management — co-developing policies, participating in project teams, signing off on implementations. The IIA explicitly allows advisory services but requires clear distinction between advisory and assurance engagements. When the line blurs, audit’s ability to later provide independent assurance on that work is compromised.

Failure Mode 4: The Board Is Passive

Governance failures at the board level enable every failure below them. A board that receives risk reports without challenging management’s self-assessments, treats audit committee meetings as information sessions rather than accountability forums, or relies entirely on management-curated risk information creates the environment in which first- and second-line failures persist undetected.

The 2020 Three Lines Model update puts explicit responsibility on the governing body to “ensure appropriate structures and processes are in place for effective governance.” That’s not just receiving reports. It’s asking whether the risk function has the independence, resources, and access it needs to do its job.

The Wells Fargo Lesson

Wells Fargo’s unauthorized account scandal is the canonical Three Lines failure. Between 2011 and 2016, employees opened more than 1.5 million unauthorized deposit accounts and approximately 500,000 bogus credit card accounts — without customer knowledge, sometimes forging signatures.

All three lines failed:

First line: Enormous pressure from management to hit cross-selling metrics created an environment where employees opened fake accounts to hit targets. The first line’s risk ownership was overridden by performance incentives that made fraud profitable. When employees flagged problems internally, some were terminated.

Second line: Risk management and compliance functioned but failed to surface what was happening at the scale it was occurring. Second-line oversight of first-line sales practices was inadequate — the monitoring wasn’t designed to catch what actually happened, and when it did surface signals, escalation was insufficient.

Third line: Internal audit had reviewed retail banking practices and missed the scale of the problem. Audit coverage wasn’t adequate to detect a fraud pattern that was diffuse across thousands of branch employees over multiple years.

The board’s role in allowing the incentive structure to persist — and in receiving management’s assurances about the program — is the governance failure that enabled everything else.

The lesson isn’t that the Three Lines model is wrong. It’s that the model only works when each line actually performs its defined function, and when the board provides real accountability rather than ceremonial oversight.

Building a Three Lines Program That Actually Works

Embed risk ownership in the first line through incentives and accountability

Risk management doesn’t stick in the first line through training alone. The performance management structure has to reflect it. Managers should have explicit accountability for the quality of risk management in their functions — not just output metrics. RCSAs (Risk and Control Self-Assessments) should be completed by business units, not by the risk team on their behalf. When audit findings hit, the business unit head should be the one answering for them.

Keep second-line functions clearly out of first-line operations

Audit every six months: is the compliance team approving things, or advising on them? Is information security managing access, or setting standards for first-line management of access? The moment the second line starts doing the work instead of overseeing it, fix it — even if it slows things down in the short term.

Give internal audit real board access

The audit committee should meet with the Chief Audit Executive without management present at least once a year. Internal audit should have unrestricted access to any information, personnel, or system it determines it needs. Findings should go to the board directly, not filtered through the CFO or CEO. If those conditions don’t exist, the third line isn’t actually independent.

Use the risk appetite statement to set the accountability framework

The board’s risk appetite statement is what connects governance to the three lines. When it’s specific — quantified tolerances, explicit escalation thresholds, named risk categories — it gives the second line concrete standards to monitor against and gives the board a benchmark for evaluating management’s risk reports. When it’s vague, everything downstream is vague too.

Monitor with real key risk indicators

The three lines model is only as good as the information flowing through it. First-line KRIs should be monitored by the second line and escalated when thresholds breach. Second-line KRIs (compliance findings aging, exception rates, control failures by business unit) should inform internal audit’s risk-based audit plan. The board should see aggregated risk metrics that reflect what the three lines are actually finding — not management-curated summaries.

So What?

The Three Lines Model isn’t broken as a concept — it’s broken as implemented in most organizations, and the failure points are predictable. First lines that don’t own risk, second lines that do first-line work, third lines that lack independence, and boards that rubber-stamp management’s self-assessments.

Regulators know this. The OCC, Federal Reserve, and FDIC all reference the three lines model in examination frameworks. When examiners see risk management failures, they trace them back to which line failed first — and whether the structure in place would have caught it earlier. If your answer to “where does risk ownership sit?” is “the compliance department,” you’re describing a two-line model at best, and that’s a conversation you don’t want to have in an exam.

Build the structure first. The cultural piece — first-line risk ownership, genuine second-line independence from operations, real board accountability — follows from getting the structural roles clear.


Running RCSAs is the first-line responsibility that most organizations do wrong — either the business units don’t do them at all, or the risk team does them for everyone and calls it a day. The RCSA Template gives business units the structured framework to assess their own risks and controls, with facilitation guidance for risk teams to keep it from becoming a box-checking exercise.

Frequently Asked Questions

What is the Three Lines of Defense model?
The Three Lines of Defense is a governance framework that divides risk management responsibilities into three distinct roles: the first line (business units that own and execute controls), the second line (risk management and compliance functions that set frameworks and provide oversight), and the third line (internal audit, which provides independent assurance). The governing body — the board — sits above all three and receives reporting from each.
What is the difference between the Three Lines of Defense and the IIA's 2020 Three Lines Model?
The 2020 Three Lines Model is the IIA's updated version of the Three Lines of Defense. The name change was intentional — 'defense' implied adversarial relationships, while 'model' emphasizes collaboration. The update added explicit governance roles for the board, clarified that second-line functions are management roles (not audit functions), and emphasized that all three lines should work together rather than operate as separate silos.
Who owns the first line of defense?
The first line is owned by the business units — the people closest to the operations and processes. This includes front-line employees, managers, and operational leaders. They execute the controls, own the risks in their processes, and are accountable for managing those risks day-to-day. Risk management isn't something they delegate to the second line; it's built into how they operate.
What does the second line of defense actually do?
The second line provides oversight, frameworks, and challenge to the first line. This includes risk management teams, compliance, legal, information security, and in some organizations, ERM and model risk. The second line doesn't own business risk — it sets the standards, monitors adherence, provides subject-matter expertise, and escalates issues the first line isn't addressing. A common failure is the second line doing first-line work, which blurs accountability.
What is the role of internal audit in the Three Lines Model?
Internal audit is the third line and provides independent, objective assurance on the adequacy and effectiveness of governance and risk management across all three lines. Unlike the second line, internal audit has no operational responsibilities — it exists solely to assess and report. Its independence from management is what gives its findings credibility with the board and regulators.
Why does the Three Lines Model fail in practice?
The most common failures: first-line teams that don't understand they own risk management (they treat compliance as the compliance department's problem); second-line teams that become de facto first-line operators, destroying accountability; internal audit that lacks independence because it reports to management rather than the board; and board governance that's passive, receiving reports without challenging them. Wells Fargo's account fraud scandal is the textbook example of all three lines failing simultaneously.
Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
