Three Lines Model for risk management gets major update

By Ken Tysiac

A new model for governance and risk management issued Monday by the Institute of Internal Auditors (IIA) makes major updates to the Three Lines of Defense model that has been popular for years.

Called “The Three Lines Model,” the new approach is designed to help organizations identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management.

In the previous model, the three lines of defense were represented by management control as the first line, risk and control monitoring as the second, and independent assurance through the internal audit function as the third.

The new model is designed to better identify and structure interactions and responsibilities of management, internal audit, and those charged with governance to achieve more effective alignment, collaboration, accountability, and objectives.

Roles are clearly defined in the new model for various leaders within an organization, including oversight by the board or governing body; management and operational leaders including risk and compliance (first- and second-line roles); and independent assurance through internal audit (third-line role).

The position of external assurance providers also is addressed. The new model emphasizes six principles related to governance, governing body roles, management and first- and second-line roles, third-line roles, third-line independence, and creating and protecting value.

The new model applies to all organizations, which can optimize the new approach by:

  • Adopting a principles-based approach and adapting the model to suit organizational objectives and circumstances.
  • Focusing on the contribution risk management makes to achieving objectives and creating value, as well as to matters of “defense” and protecting value.
  • Clearly understanding the roles and responsibilities represented in the model and the relationships among them.
  • Implementing measures to ensure that activities and objectives are aligned with the prioritized interests of stakeholders.

“The Three Lines Model has largely been viewed as the basis for sound risk management,” IIA President and CEO Richard Chambers said in a news release. “For implementation by organizations on both a reactive and proactive basis, these updates help modernize and strengthen application of the model to ensure its sustained usefulness and value.”

The IIA created a graphical illustration of the new model, which is included below.

Three Lines of Defense model

Ken Tysiac is the JofA’s editorial director.
