What is three lines of defence?

In this blog article we explore the meaning behind the phrase “three lines of defence.” For those organisations already utilising this approach, the definition and meaning are obvious, but for others the definition is cloudy to say the least.

In its simplest terms, three lines of defence is an approach to achieving risk assurance. Risk assurance provides confidence, based on sufficient evidence, that internal controls are in place and are operating effectively, ensuring that risks are being managed and mitigated, and objectives are achieved.

Risk assurance: three lines of defence

The three lines of defence approach is an effective model for achieving assurance. 

The first line of defence is delivered by business operations managers providing assurance through identifying risks, implementing controls, and reporting on progress within their functional areas. 

The second line of defence is provided by the functions that oversee, or specialise in, risk management and compliance, and which therefore provide an overview of and oversight over business processes and risks.

The third line of defence is provided by functions that offer an independent approach to audit and assurance in order to monitor compliance and provide independent challenge and objectivity.

The 3 lines of defence

As your organisation applies the three lines of defence assurance model, you may find it helpful to capture both your assurances and their associated effectiveness. This can be achieved through using traffic light reporting to rate the effectiveness of the assurances for a particular risk and its associated controls. 

Benefits of this approach 

The benefit of the three lines of defence approach is that it provides a clear picture of the activities that have been undertaken and the types of assurance currently obtained. The approach indicates whether assurance is effective and efficient, and eases the identification of gaps in assurance, or of assurance that is duplicated or disproportionate to the risk. It helps to identify areas where existing controls are failing, ultimately informing decision making and leading to more effective risk management across your organisation.

Critical success factors

In undertaking the three lines of defence approach there are a number of critical success factors. Firstly, there must be active support and guidance from your organisation’s senior management and governing body. Without this buy-in and accountability any assurance framework will fail. Your assurance framework must have clear objectives as to what you want the assurance framework to achieve, and these objectives must be realistic in order to avoid assurance fatigue. You may for example want to focus your assurance framework on high level strategic risks in the early days. Keeping it simple and avoiding jargon is another success factor as is coordinating the three lines of defence for the most impact. This assurance framework should run alongside regular risk reporting, action identification and delivery, as well as proactive risk identification and an embedded risk management culture.


The use of the three lines of defence to understand your system of internal control and risk management is a great starting point to help ensure effective risk management and control. It should not, however, be regarded as an automatic guarantee of success. All three lines need to work effectively with each other in order to create the right conditions for an effective assurance framework and an embedded risk management culture.
