Three Lines Model for risk management gets major update

By Ken Tysiac

A new model for governance and risk management issued Monday by the Institute of Internal Auditors (IIA) makes major updates to the Three Lines of Defense model that has been popular for years.

Called “The Three Lines Model,” the new approach is designed to help organizations identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management.

In the previous model, the three lines of defense were represented by management control as the first line, risk and control monitoring as the second, and independent assurance through the internal audit function as the third.

The new model is designed to better identify and structure interactions and responsibilities of management, internal audit, and those charged with governance to achieve more effective alignment, collaboration, accountability, and objectives.

Roles are clearly defined in the new model for various leaders within an organization, including oversight by the board or governing body; management and operational leaders including risk and compliance (first- and second-line roles); and independent assurance through internal audit (third-line role).

The position of external assurance providers also is addressed. The new model emphasizes six principles related to governance, governing body roles, management and first- and second-line roles, third-line roles, third-line independence, and creating and protecting value.

The new model applies to all organizations, which can optimize the new approach by:

  • Adopting a principles-based approach and adapting the model to suit organizational objectives and circumstances.
  • Focusing on the contribution risk management makes to achieving objectives and creating value, as well as to matters of “defense” and protecting value.
  • Clearly understanding the roles and responsibilities represented in the model and the relationships among them.
  • Implementing measures to ensure that activities and objectives are aligned with the prioritized interests of stakeholders.

“The Three Lines Model has largely been viewed as the basis for sound risk management,” IIA President and CEO Richard Chambers said in a news release. “For implementation by organizations on both a reactive and proactive basis, these updates help modernize and strengthen application of the model to ensure its sustained usefulness and value.”

The IIA created a graphical illustration of the new model, which is included below.

Three Lines of Defense model

Ken Tysiac ( is the JofA’s editorial director.


Preparing the statement of cash flows

This instructive white paper outlines common pitfalls in the preparation of the statement of cash flows, resources to minimize these risks, and four critical skills your staff will need as you approach necessary changes to the process.


Keeping you informed and prepared amid the COVID-19 crisis

We’re gathering the latest news stories along with relevant columns, tips, podcasts, and videos on this page, along with curated items from our archives to help with uncertainty and disruption.