What is a Three Lines of Defense Model
The Three Lines of Defense Model is a risk management framework that organizes control activities into three distinct layers: operational management (first line), risk and compliance functions (second line), and internal audit (third line). Each line provides independent oversight and assurance, creating multiple checkpoints to identify and mitigate third-party risks before they impact your organization.
Key takeaways:
- First line owns and manages risks directly within business operations
- Second line provides oversight, guidance, and challenges the first line
- Third line delivers independent assurance on control effectiveness
- Expected by regulators and embedded in frameworks including the IIA's Three Lines model, EBA internal governance guidelines and Basel Committee guidance; COSO and ISO 31000 reflect the same principles without using the name
- Critical for demonstrating mature vendor risk management to regulators
The Three Lines of Defense Model structures your organization's risk management activities into three independent layers, each with distinct responsibilities for identifying, managing, and auditing vendor risks. Popularized in financial services and formalized by the Institute of Internal Auditors in its 2013 position paper, the model now serves as the backbone for enterprise risk management across industries.
For GRC analysts managing third-party relationships, the model provides clear accountability boundaries. Your first line vendor managers own the risk. Your second line compliance team monitors and advises. Your third line auditors verify everything works as designed. This separation prevents conflicts of interest while ensuring multiple perspectives evaluate each vendor relationship.
Regulators expect this structure. The European Banking Authority mandates it explicitly. The Office of the Comptroller of the Currency references it throughout supervisory guidance. SOC 2 Type II auditors look for evidence of independent oversight functions. Without clearly delineated lines of defense, you're essentially self-grading your own homework—a red flag for any examiner.
Understanding Each Line of Defense
First Line: Operational Management
Business units and vendor managers form your first line. They own the vendor relationship and its associated risks. These teams execute controls daily: reviewing vendor SOC reports, monitoring SLA performance, conducting periodic business reviews, and escalating issues.
First line responsibilities in vendor management:
- Selecting vendors through formal RFP processes
- Conducting initial due diligence assessments
- Implementing contractual controls and service level agreements
- Monitoring vendor performance against KPIs
- Managing day-to-day vendor communications
- Identifying and escalating risk events
A procurement manager approving a new cloud vendor represents first line activity. They evaluate security questionnaires, negotiate contract terms, and ensure the vendor meets baseline requirements. But they need oversight—which brings us to the second line.
Second Line: Risk and Compliance Functions
Risk management, compliance, information security, and specialized control functions comprise your second line. These teams don't manage vendors directly. Instead, they establish policies, monitor adherence, and challenge first line decisions when necessary.
Second line responsibilities include:
- Developing vendor risk management policies and procedures
- Creating risk assessment methodologies and scoring models
- Providing tools and templates for vendor evaluation
- Monitoring aggregate third-party risk exposure
- Reporting risk metrics to senior management and the board
- Challenging first line risk decisions when thresholds are exceeded
Your Information Security team reviewing a vendor's security assessment represents second line activity. They don't select the vendor, but they establish security requirements and verify compliance. When a vendor's risk score exceeds acceptable thresholds, they escalate concerns and may require additional controls.
Third Line: Internal Audit
Internal audit provides independent assurance that both first and second lines function effectively. They report directly to the board or audit committee, maintaining independence from operational management.
Third line audit activities include:
- Testing vendor risk management control design and effectiveness
- Verifying compliance with policies and procedures
- Assessing the adequacy of first and second line activities
- Identifying control gaps and recommending improvements
- Providing assurance to the board and regulators
An internal auditor sampling vendor contracts to verify required clauses exemplifies third line activity. They're not managing vendors or setting policies—they're confirming that established processes work as intended.
Regulatory Requirements and Framework Alignment
Multiple regulatory frameworks either mandate or strongly recommend the Three Lines of Defense Model:
Basel Committee on Banking Supervision
The BCBS Corporate governance principles for banks (2015) describe the three lines explicitly: the business lines, an independent risk management function together with compliance, and internal audit. BCBS 239, the Principles for effective risk data aggregation and risk reporting, separately requires that a bank's aggregation capabilities and reporting practices be subject to independent validation. Taken together, banks must demonstrate clear separation between risk-taking, risk control, and risk assurance functions.
European Banking Authority (EBA)
The Guidelines on internal governance (EBA/GL/2021/05) require institutions to organize their internal control framework around three lines of defence: business lines as the first, the risk management and compliance functions as the second, and internal audit as the third. The EBA's Guidelines on outsourcing arrangements (EBA/GL/2019/02) apply the same structure to outsourced and third-party services.
COSO Enterprise Risk Management Framework
COSO does not mandate three lines by name, but its internal control and ERM frameworks emphasize independent board oversight and segregation of duties, the principles the three lines model embodies.
ISO 31000:2018 Risk Management
References multiple levels of control and oversight, aligning with three lines principles without using the specific terminology.
SOC 2 Trust Services Criteria
CC1.2 calls for a board that is independent of management and oversees the system of internal control, and CC5.1 lists segregation of incompatible duties (or compensating controls where segregation is impractical) as a point of focus for control activities. Auditors assessing vendor management expect to see distinct ownership, oversight and assurance roles for critical vendor relationships.
Practical Implementation for Third-Party Risk
Consider a financial services firm onboarding a new payment processor:
First Line Actions:
- Treasury team identifies need for new payment rails
- Procurement runs competitive RFP process
- Business relationship manager conducts due diligence
- Legal negotiates master service agreement
- Operations implements technical integration
Second Line Oversight:
- Vendor risk team scores inherent risk as "Critical"
- Information security requires annual penetration testing
- Compliance verifies the vendor's PCI DSS Attestation of Compliance (AOC) and that its scope covers the contracted services
- Enterprise risk includes vendor in quarterly reporting
- Privacy team reviews data processing addendum
Third Line Assurance:
- Internal audit includes vendor in annual audit plan
- Tests sample of due diligence documentation
- Verifies security assessment completion
- Confirms board reporting accuracy
- Issues findings on incomplete business continuity testing
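The second line's scoring model and escalation thresholds described above, together with the payment-processor scenario, can be expressed as a small, testable piece of logic. The following is an added example, not code from the original page or from any vendor's platform; the factor weights, tier thresholds, required controls and sample vendors are all hypothetical and would be replaced by your own methodology. It also adds the check practitioners most often forget: that no single function is acting as more than one line for the same vendor.

```python
"""Hypothetical inherent-risk scoring and lines-of-defense independence check.

Added illustration; weights, thresholds, control sets and vendors are
constructed for the example and are not taken from any real programme.
"""
from dataclasses import dataclass

# Hypothetical factor weights; each factor is rated 0 (none) to 4 (maximum).
FACTOR_WEIGHTS = {
    "data_sensitivity": 3,      # 4 = regulated data (PCI, PHI) at scale
    "business_criticality": 3,  # 4 = outage halts a core business process
    "access_level": 2,          # 4 = privileged access to production systems
    "substitutability": 1,      # 4 = sole source, no practical alternative
}
MAX_SCORE = 4 * sum(FACTOR_WEIGHTS.values())  # 36 with the weights above

# Tier boundaries as a fraction of MAX_SCORE (hypothetical thresholds).
TIER_THRESHOLDS = [(0.75, "Critical"), (0.50, "High"), (0.25, "Medium"), (0.0, "Low")]

# Controls the second line requires per tier (hypothetical policy).
CONTROLS_BY_TIER = {
    "Critical": {"annual_pentest", "soc2_type2_review", "bcp_test_evidence",
                 "quarterly_board_reporting", "dpa_review"},
    "High": {"soc2_type2_review", "bcp_test_evidence", "dpa_review"},
    "Medium": {"security_questionnaire", "dpa_review"},
    "Low": {"security_questionnaire"},
}


@dataclass(frozen=True)
class Vendor:
    name: str
    ratings: dict                 # factor name -> rating 0..4
    first_line_owner: str         # business unit that owns the relationship
    second_line_reviewer: str     # risk, compliance or infosec function
    third_line_auditor: str       # internal audit, or an outsourced audit firm


def inherent_score(ratings: dict) -> int:
    """Weighted sum of factor ratings; rejects unknown factors or out-of-range ratings."""
    unknown = set(ratings) - set(FACTOR_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown factors: {sorted(unknown)}")
    score = 0
    for factor, weight in FACTOR_WEIGHTS.items():
        rating = ratings.get(factor, 0)   # a factor not rated counts as 0
        if not 0 <= rating <= 4:
            raise ValueError(f"{factor} rating must be 0..4, got {rating}")
        score += weight * rating
    return score


def risk_tier(score: int) -> str:
    """Map a score to the first tier whose threshold it meets."""
    fraction = score / MAX_SCORE
    for threshold, name in TIER_THRESHOLDS:
        if fraction >= threshold:
            return name
    return "Low"


def independence_conflicts(vendor: Vendor) -> list:
    """Flag any function that plays more than one line for this vendor."""
    roles = [("first", vendor.first_line_owner),
             ("second", vendor.second_line_reviewer),
             ("third", vendor.third_line_auditor)]
    conflicts = []
    for i, (line_a, who_a) in enumerate(roles):
        for line_b, who_b in roles[i + 1:]:
            if who_a.casefold() == who_b.casefold():
                conflicts.append(f"{who_a} acts as both {line_a} and {line_b} line")
    return conflicts


def assess(vendor: Vendor) -> dict:
    """Second-line assessment: score, tier, required controls, and whether the
    decision must leave the first line and go to the vendor risk committee."""
    score = inherent_score(vendor.ratings)
    tier = risk_tier(score)
    conflicts = independence_conflicts(vendor)
    # Critical/High tiers exceed the threshold for first-line approval alone;
    # an independence conflict is escalated regardless of tier.
    escalate = tier in ("Critical", "High") or bool(conflicts)
    return {
        "vendor": vendor.name,
        "score": score,
        "tier": tier,
        "required_controls": sorted(CONTROLS_BY_TIER[tier]),
        "independence_conflicts": conflicts,
        "escalate_to_committee": escalate,
    }


# Constructed sample vendors (not real organizations).
PAYMENT_PROCESSOR = Vendor(
    name="Example Payments Ltd",
    ratings={"data_sensitivity": 4, "business_criticality": 4,
             "access_level": 3, "substitutability": 2},
    first_line_owner="Treasury",
    second_line_reviewer="Vendor Risk Management",
    third_line_auditor="Internal Audit",
)
OFFICE_SUPPLIES = Vendor(
    name="Example Stationery Co",
    ratings={"data_sensitivity": 0, "business_criticality": 1,
             "access_level": 0, "substitutability": 0},
    first_line_owner="Facilities",
    second_line_reviewer="Vendor Risk Management",
    third_line_auditor="Internal Audit",
)
SELF_REVIEWED = Vendor(
    name="Example Analytics Inc",
    ratings={"data_sensitivity": 2, "business_criticality": 2,
             "access_level": 2, "substitutability": 1},
    first_line_owner="Marketing",
    second_line_reviewer="Marketing",   # the owner reviewing its own vendor
    third_line_auditor="Internal Audit",
)

if __name__ == "__main__":
    for v in (PAYMENT_PROCESSOR, OFFICE_SUPPLIES, SELF_REVIEWED):
        print(assess(v))
```

With these constructed weights the payment processor scores 32 of 36 and lands in the Critical tier, which is what forces the annual penetration test, business continuity evidence and board reporting in the scenario above; the stationery supplier scores 3 and needs only a questionnaire. The third vendor is Medium by score but is still escalated, because the same function owns and reviews it, which is exactly the "blurred lines" conflict a compensating control must cover.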
Common Implementation Challenges
Blurred Lines Between First and Second
Small organizations often combine operational and oversight roles: a vendor manager might also write the vendor risk policy they are measured against. That is a conflict by construction, since no one can objectively oversee their own work. Where full segregation isn't feasible, document compensating controls such as peer review, a vendor risk committee that approves higher-risk vendors, or second line sign-off on the policy itself, and make the limitation visible to internal audit.
Second Line Overreach
Risk and compliance teams sometimes drift into operational decisions, effectively becoming a co-first line, and then lose the independence needed to challenge those decisions later. Maintain clear boundaries: the second line sets requirements, advises, and monitors, but doesn't select vendors, approve them on the first line's behalf, or manage relationships directly.
Under-resourced Third Line
Many organizations maintain robust first and second lines but underinvest in internal audit. Without independent verification, you're trusting self-reported control effectiveness, including the second line's own reporting. Regulators increasingly expect third line coverage of material vendor relationships, so put critical vendors on the audit plan rather than waiting for an examiner to ask.
Industry-Specific Considerations
Financial Services
Banks face explicit three lines requirements from multiple regulators. The OCC's Heightened Standards (12 CFR 30, Appendix D) define front line units, independent risk management and internal audit as the three lines, and the Federal Reserve's SR 13-19 guidance on managing outsourcing risk expects clearly assigned responsibilities for third-party relationships (SR 13-19 was superseded in 2023 by the interagency guidance on third-party relationships, issued by the Fed as SR 23-4). For vendor risk, focus on demonstrating that the business units owning vendor relationships (first line) are independent of the risk management function that challenges them (second line).
Healthcare
HIPAA doesn't mandate three lines explicitly, but covered entities must demonstrate oversight of business associates. Structure your three lines around PHI access: clinical operations (first), the privacy and security office (second), and compliance audit (third).
Technology
Software companies often struggle with three lines implementation due to flat organizational structures and rapid scaling. Start by separating engineering (first line) from security/GRC (second line). Engage external auditors for third line coverage if internal audit isn't mature.
Frequently Asked Questions
Do all three lines need to be separate departments?
Not necessarily. Smaller organizations can achieve three lines through committees, dotted-line reporting, or outsourcing. The key is maintaining independence and avoiding conflicts of interest.
How does the Three Lines of Defense Model differ from the IIA's 2020 Three Lines Model?
The Institute of Internal Auditors updated the model in 2020, replacing "lines of defense" with simply "three lines." The update emphasizes collaboration and clarifies that all three lines work toward common objectives, not just defense. It also treats first and second line roles as ones that may be blended or separated depending on the organization, while keeping the third line's independence from management as the non-negotiable element.
Can we outsource any of the three lines?
Yes. Organizations commonly outsource internal audit (third line) or specialized second line functions like penetration testing. First line activities can include outsourced operations, but accountability remains with the organization.
What's the minimum documentation needed to evidence three lines?
Document role definitions, reporting structures, and key control activities for each line. Maintain RACI matrices showing who's responsible, accountable, consulted, and informed for major risk decisions.
How do we handle vendors that span multiple business units?
Designate a primary first line owner while establishing a governance committee with representatives from all affected units. Second and third line oversight should cover the vendor holistically, not piecemeal by business unit.