Three Lines Model: How to Divide Responsibility in Risk Management

May 29 2026
Team RiskChallenger

When something goes wrong in a project, who was actually responsible? The project lead who did the work? The risk manager who should have raised the flag? Or the board that holds oversight? In a lot of organizations, that question stays open for too long, and it ends with everyone assuming somebody else had it covered. The Three Lines Model exists to prevent exactly that. It pins down who takes risks, who keeps an eye on them, and who independently verifies that the whole setup actually works.

In this blog you will read what the model is, what changed in the updated version, and how to make it work without it turning into another paperwork exercise.

What is the Three Lines Model?

The Three Lines Model is a principles-based framework that divides roles and responsibilities for governance and risk management. It was developed by the Institute of Internal Auditors (IIA) and is used worldwide to structure how organizations manage risk.

The idea behind it is simple. There are three types of roles, and each one has its own job in keeping risks under control. By naming those roles out loud, you avoid blind spots and double work. The model answers a question that comes up in every organization: who decides, who executes, and who checks that it all holds together?

A common misconception is that the model is only about defense, about fending off threats. That view is outdated. The current version puts equal weight on seizing opportunities and creating value.

From Three Lines of Defense to Three Lines Model

The framework was originally called the Three Lines of Defense and goes back to the early 2000s. In 2020, the IIA reworked it thoroughly and shortened the name to Three Lines Model. That was not a cosmetic change.

The word "defense" suggested that risk management is mostly a protective activity. That one-sided emphasis has been dropped. Risk-based decision making is just as much about chasing opportunities as it is about avoiding harm. At the same time, the board got a clearer place in the model, and there is more emphasis on collaboration and communication between everyone involved.

That shift fits how we at RiskChallenger think about risk management. To us it is not a lonely control task for one person, but a conversation that runs through the entire organization. In September 2024, an additional update brought the terminology in line with the current international auditing standards.

The three lines, one by one

The heart of the Three Lines Model is made up of three lines. Each one carries its own responsibility.

First line: the people doing the work and owning the risks

The first line is the management and the operational teams who actually do the daily work: project leads, site supervisors, team leaders. They deliver work to clients or to citizens, and they take risks in the process. That also makes them the first to spot risks coming and to act on them with concrete measures.

This is exactly the group that often stays out of sight in traditional risk management, which is a shame, because this is where the real knowledge about what can go wrong sits.

Second line: the people who oversee and challenge

The second line supports and oversees the first. This is where you find the people who own risk management, compliance, and quality. They set the frameworks, push back on easy assumptions, and keep a view across how risks are handled throughout the organization. They do not do the work themselves, but they make sure it is done properly.

Third line: the people who provide independent assurance

The third line is internal audit. It gives the board and senior management an independent and objective view of whether governance, risk management, and internal control actually work. Independence is the key word here. In the updated version, though, that explicitly does not mean internal audit operates from an island. This line is expected to contribute ideas for improvement too.

The role of the board and governance

Above the three lines sits the board, or governing body. In the old setup, that body sat somewhat detached at the top. The updated model pulls the board in instead. It remains ultimately responsible for oversight, but it delegates the achievement of objectives to management.

External parties, such as external auditors and regulators, also get a spot in the picture. They provide additional assurance. That gives a complete view of everyone, inside and outside the organization, who contributes to reliable risk management.

Why organizations use the Three Lines Model

The biggest payoff of the Three Lines Model is clarity. It gives a shared language for who decides, who does, who challenges, and who provides assurance. That prevents the situation where everyone assumes someone else is on it, and it turns out nobody was.

What the model delivers in practice:

  • Clear responsibilities, which closes gaps and removes overlap.
  • Faster decisions, because it is obvious who owns what and within which risk appetite.
  • Room to adapt. The model is principles-based, so smaller organizations can blend the first and second line if they do not have a dedicated risk function.
  • Alignment with established frameworks like ISO 31000 and COSO ERM.

The model is used everywhere, from financial services and healthcare to energy and the public sector. In the Netherlands you find it at water authorities, municipalities, and large infrastructure projects.

From model to practice: keep it communicative

A model on paper changes nothing on its own. The biggest trap with the Three Lines Model is that it stays a nice org chart that nobody actually uses. The value only kicks in once those three lines really start talking to each other.

And that is where it usually breaks down. The first line, the people who know the risks, checks out the moment risk management starts feeling like another box-ticking exercise in a spreadsheet. There is a reason the updated model puts so much weight on collaboration. Independence is not the same thing as isolation.

At RiskChallenger we start from the idea that risk management is a conversation, not a number. With interactive brainstorm sessions, where team members join through a QR code without needing an account, you bring the first line into naming and weighing risks. Visual dashboards and GIS maps then show the second and third lines what is going on, at strategic, tactical, and operational level. That way the Three Lines Model stops being a static diagram and becomes a conversation in which the whole organization gets risk-aware.

Wrapping up

The Three Lines Model is a proven way to organize governance and risk management. It splits responsibility across three lines, gives the board a clear oversight role, and since the 2020 update it is geared toward creating value, not just defending it. The key takeaway: it only works when the lines actually talk to each other and the people who know the risks get involved.

Curious how to turn the Three Lines Model into a conversation that runs through your whole organization? Start a free 30-day trial of RiskChallenger or book a demo. That way you can see for yourself what risk management looks like in practice.

RiskChallenger is a Dutch platform for communicative risk management. More accessible than complex enterprise tools, more effective than Excel.
