Three Lines of Defense

A model that separates an organization's risk management and control functions into three distinct lines of defense to ensure effective oversight and governance.

The Three Lines of Defense (often called the Three Lines Model since the 2020 IIA update) is the dominant governance framework for risk management in European and international enterprises. It separates risk ownership, risk oversight, and independent assurance into three distinct organizational roles, which prevents the structural conflict that arises when the same team that takes risks also assesses them.

First Line: Operational management, meaning the business units, functional leaders, and front-line staff who own and manage risks as part of daily operations. They identify, assess, mitigate, and monitor risks within their own areas. Examples include engineering teams applying secure coding practices, finance teams running reconciliation controls, and HR running background checks. First-line ownership of risk is foundational: without it, all other lines become theater.

Second Line: Risk management, compliance, and specialized oversight functions. This includes the Chief Risk Officer, Compliance Officer, Data Protection Officer, the Information Security function (CISO office), and legal counsel where applicable. The second line sets frameworks and policies, provides tools, trains the first line, challenges first-line risk assessments, and reports to executive management. Under DORA (Art. 6), financial entities must have a clearly separated second-line ICT Risk Management function. NIS2 Art. 21 implicitly expects the same separation.

Third Line: Internal Audit, which provides independent assurance to the board and audit committee on the effectiveness of the first and second lines. Internal Audit evaluates control design, tests operating effectiveness, reports findings, and has unrestricted access to systems and personnel. Its independence is structurally protected by a reporting line to the audit committee rather than to executive management.

Beyond the three lines: (a) External Audit, meaning statutory auditors, certification bodies (ISO 27001, SOC 2), and regulatory inspectors, provides external assurance. The 2020 IIA update de-emphasized counting this as a 'line' to avoid confusion with true organizational accountability. (b) The Board and Audit Committee hold ultimate governance accountability. They receive assurance from all three lines and from the external auditor.

Common implementation failures: overlapping responsibilities between the first and second lines (for example, a CISO running day-to-day security operations instead of setting policy), an under-resourced internal audit function (especially in mid-market companies), a second-line 'shadow first line' where compliance ends up doing control work instead of oversight, and board-level blind spots where committee members lack the technical literacy to challenge reports. DORA specifically requires financial entities to ensure that the second-line ICT function has sufficient resources, independence from operational units, and direct reporting access to the board.

The Three Lines Model interacts with most European regulatory frameworks: DORA Art. 5-6 (ICT risk management framework with clear roles), NIS2 Art. 20-21 (governance and accountability), ISO 27001 Annex A 5.2 (information security roles), and GDPR Art. 37-39 (DPO position and tasks). Matproof structures its user roles, approval workflows, and reporting around the Three Lines, so the same platform serves risk owners, oversight functions, and internal auditors with role-appropriate views and separation-of-duties controls.
