The Three Lines of Defense Model, Explained for Risk Professionals
April 26, 2026
The Three Lines of Defense model is one of the highest-leverage concepts in governance. On the CRISC and CISM exams, correctly identifying which line an actor belongs to answers a surprising number of questions. In practice, it is the structure that keeps risk oversight honest.
Why the model exists
The model exists to preserve independence. Its logic is simple: if the team that designs and operates a control also tests it, the test cannot be trusted. If the function that is supposed to challenge a risk decision also makes it, the challenge is empty. If internal audit reports to the executive whose function it audits, the audit cannot be trusted. Each of those conflicts has produced corporate scandals. The model prevents them structurally rather than relying on individual integrity.
The three lines
- First line — owns and manages risk. The business itself: operational management and the people doing the work. In IT that means infrastructure teams, developers, security operations, and the control owners who design and operate day-to-day controls. They take risk and they own the controls.
- Second line — oversees risk. Risk management and compliance functions that set policy, provide frameworks, monitor, and challenge the first line. They do not own the controls; they make sure the first line is managing risk properly and consistently.
- Third line — provides independent assurance. Internal audit, reporting to the board (typically the audit committee), independent of both other lines. They give objective assurance that the whole risk-management system is working.
The independence rule
The defining constraint is that the third line must be independent of the first two, and the second line must be distinct from the first. When an exam scenario describes internal audit also operating controls, or a second-line risk function formally accepting risks it is supposed to challenge, it is describing a governance failure, a breakdown of line separation, even if no specific incident has occurred yet.
The 2020 update
In 2020 the Institute of Internal Auditors refreshed the model and renamed it the "Three Lines Model," dropping "of Defense" to emphasise value creation alongside risk control. The substance is largely unchanged; the language softened, and external assurance providers (regulators, external auditors) are acknowledged outside the three internal lines. Exam materials still predominantly use "Three Lines of Defense."
Using it on exam day
When a question names an actor and asks what they should do, place them on a line first. A first-line control owner escalates and treats; a second-line risk function advises and monitors; a third-line auditor reports findings but does not fix or own controls. Half the work of the question is done the moment you identify the line.