Three Lines Model

The IIA’s Three Lines Model has replaced the earlier Three Lines of Defense, clarifying and strengthening the underpinning principles, broadening the scope, and explaining how key organisational roles work together to facilitate strong governance and risk management.

The model can be applied to all organisations and is optimised by:

  • Adopting a principles-based approach and adapting the model to suit organisational objectives and circumstances.
  • Focusing on the contribution risk management makes to achieving objectives and creating value, as well as to matters of "defense" and protecting value.
  • Clearly understanding the roles and responsibilities represented in the model and the relationships among them.
  • Implementing measures to ensure activities and objectives are aligned with the prioritised interests of stakeholders.

When audit committees or management have difficulty understanding the different roles and responsibilities, this framework can help clarify the conversation. It can also help oversight functions explain why an issue occurred and, where steps were not taken, why they were not.

Page last updated: 10 December 2021