Executive summary
The three lines of defence model is one of the most widely cited frameworks in UK corporate governance — and one of the most frequently misapplied. Used well, it gives boards confidence that risks are owned, controlled and independently assured. Used poorly, it becomes a diagram that obscures rather than clarifies accountability. This guide sets out how chairs, audit committees and executives should interpret the model in a UK context.
What the three lines of defence model actually is
The three lines of defence model is a way of structuring how an organisation manages risk. The first line — operational management — owns and controls the risks it creates day to day. The second line — risk and compliance functions — sets standards, monitors exposure and challenges the first line. The third line — internal audit — provides independent assurance to the board and audit committee that the first two lines are working as intended.
The model was popularised by the Institute of Internal Auditors and is referenced across UK regulatory expectations, including the FCA Handbook, PRA supervisory statements and the UK Corporate Governance Code's treatment of risk management and internal control.
Where the model is commonly misapplied
The most frequent failure is treating the three lines as three departments rather than three accountabilities. When second-line risk teams are drawn into doing first-line work — designing controls, owning issues, signing off operational decisions — independence and challenge erode. The board then receives assurance from people who are partly assuring their own work.
A second common failure is allowing internal audit to lose distance from management. When audit plans are negotiated down, scope is narrowed at executive request, or findings are softened before reaching the audit committee, the third line stops functioning as an independent line at all.
The 2020 IIA update to the model — now called the Three Lines Model — explicitly addressed these issues by reframing the lines as roles rather than rigid functions. Most UK boards still refer to the original three lines language, but the underlying point is the same: accountability, not org charts.
What good looks like in the first line
A healthy first line owns its risks explicitly. Business unit leaders can articulate the material risks they run, the controls that mitigate them, and the residual exposure the board has accepted. Issues are raised early rather than discovered by assurance.
First-line risk and control self-assessments are most useful when they are honest rather than uniformly green. Boards should be more concerned about a first line that reports everything as comfortable than about one that surfaces genuine challenges.
What good looks like in the second line
Effective second-line functions set clear policy, monitor against it, and challenge the first line without taking over. They have direct access to the audit committee or risk committee and are willing to escalate when the first line is not addressing material exposure.
Second-line independence is structural as much as cultural. Reporting lines, budget control and the ability to influence performance assessment for senior first-line leaders all shape whether challenge is meaningful or theatrical.
What good looks like in the third line
Internal audit's value depends on independence, competence and a risk-based plan that reaches the areas the board most needs assured. The audit committee — not management — should approve the plan, approve material changes to it, and confirm that internal audit has had the access and resources needed to deliver it.
Findings should reach the audit committee unfiltered. A pattern of late, soft or heavily caveated findings is itself a finding the audit committee should act on.
How boards and audit committees should hold the model to account
Boards do not need to redesign the three lines themselves. They need to ask whether the model is working: are risks owned in the first line, challenged in the second, and independently assured in the third? Where the answer is unclear, an external review is usually faster and more credible than another internal restructure.
Audit committees in particular should test the model at the boundaries — where first and second line responsibilities blur, and where third-line independence is most likely to be quietly compromised. These are the points where assurance failures originate.
How DisInnova supports boards on this
DisInnova advises boards, audit committees and executives on the design and operation of the three lines, including external quality assessments of internal audit, governance and controls reviews, and targeted advisory work where the model is not delivering the assurance the board needs.
Key takeaways
- The three lines are accountabilities, not departments — the failure mode is blurring them
- Second-line independence erodes quietly when risk teams take on first-line work
- Internal audit must report to the audit committee unfiltered; softened findings are a finding in themselves
- Boards should test the model at the boundaries between the lines — that is where assurance fails