Marshall Toburen

It Takes a Village: The Three Lines of Defense Model

Blog Post created by Marshall Toburen Employee on Jun 30, 2015

The most efficient and effective risk management program “takes a village.” I’m not talking about Hilary Clinton’s book; I’m talking about the need for organizations to robustly embrace the “Three Lines of Defense” model. The Three Lines of Defense (LoD) model characterizes the “people component” of an organization into the three primary functions of an optimized risk management program:


• 1st LoD - Management control withfunctions that own and manage risk (such as business unit managers, operating managers)

• 2nd LoD – Risk management and compliance oversight functions (such as…ERM, ORM, and Corporate Compliance)

• 3rd LoD – Independent assurance functions (such as internal and external auditors)



Regardless of industry or risk type, operational line managers, risk management oversight functions, and internal audit serve important roles in day-to-day management of an organization’s risk. The most effective risk management requires collaboration between these roles.


The LoD model reinforces two important elements of risk management: defined roles and accountability.

• Operating management is responsible for understanding and managing their risks and internal controls.

• Risk management and compliance oversight is responsible for risk management frameworks, training, and challenging 1st LoD risk assessments.

• Internal Audit (typically) is responsible for independently evaluating and reporting on the design and effectiveness of the organization’s overall risk management program.


The origin of the three LoD model is not altogether clear, but it is likely an outgrowth of The 1992 COSO Internal Control – Integrated Framework.  In 2014, the 1992 Framework was updated to include a list of clarifying Principles relevant to the model. Principle 3 states that “management establishes, with Board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. ”Principle 5 states that “the organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.”


Adoption of the three LoD model is becoming more and more widespread:


• Based on a review of annual filings, Protiviti reported in March 2015 that 80% of companies had adopted the updated COSO Internal Control – Integrated Framework and that 75% of those that had not adopted the new framework were using the original 1992 Framework.


• In January 2013, the Institute of Internal Auditors published a position paper, effectively endorsing the three LoD model as a best practice in Risk Management and Control.


• Financial services organizations have long been exposed to the 3 LoD model via the Principles for the Sound Management of Operational Risk.


Although I’ve met a number of customers and prospects that are unfamiliar with the 3 LoD model, I believe that may be due to a lack of communication within their organization. It’s possible that the people responsible for stating that their organizations follow COSO have not articulated what that means to the different LoD personas, or the internal auditors have not seen the IIA’s position paper. Without exception, financial institutions seem to have heard of, and embrace, the model.


In the next few blogs, I will explore the role of each of the three Lines of Defense and how each contributes to the effectiveness of an organization’s risk and compliance management program.  Stay tuned.