Defending from the front: adopting the Three Lines of Defence

"Without the ball, we are a disastrous team, a horrible team. So we need the ball."


So said Pep Guardiola after guiding his Barcelona team to their second Champions League trophy in 2009.

And it was a telling observation. Despite managing one of the world's greatest football teams, Guardiola could still see a weakness – that it was vulnerable when under attack.

His solution? To implement a high-pressing style of play that emphasised defending from the front.

Messi and his fellow forwards were expected not only to create and score goals but to win back the ball as far up the pitch as possible. Ensuring all 11 players understood the need to defend meant the team as a unit could be much, much stronger.

In business, the Three Lines of Defence model works on similar principles, allowing your organisation to identify, control and manage risk in line with a clear and robust process.

In this article, we explain the Three Lines of Defence and how your organisation can adopt it as a model of best practice.


The three lines of defence


The Three Lines of Defence model explained


3 lines defence


The Three Lines of Defence model originates from an EU Directive which makes audit committees responsible for monitoring how effectively their organisations control and manage risk.

It looks to create an environment in which the overall direction for managing risk is set by the board and senior managers, then put into action and monitored by various mid-level managers and internal auditors. The model also aims to foster a culture of collaboration, communication and information-sharing.

Organisations that implement the model successfully find they can:

  1. better recognise risks as they arise
  2. respond to those risks more intelligently, consistently and flexibly
  3. protect their reputation
  4. avoid variations in performance and so increase share-price multiples and credit-rating scores, and
  5. deploy and use their risk and assurance resources much more efficiently.

While a Forrester Research report found that 63% of the organisations surveyed were either implementing – or had already implemented – the model, many others were struggling to get to grips with the idea. One of the biggest areas of confusion was how the various roles at each stage should be assigned, and who should be doing what.

With this in mind, let's take a look at each of the Three Lines of Defence more closely.


First line of defence: operational management (board, CEO, senior managers)


Operational management naturally serve as the first line of defence because controls are designed into systems and processes under their guidance. They direct how internal policies and procedures are developed and implemented and ensure these policies and procedures remain consistent with the company's goals. Part of their role is delegating responsibility to second-line managers within the organisation.



The board will:

  • work with senior management to set the organisation's risk appetite (the amount of risk it is willing to accept to meet its strategic objectives), and
  • receive reports on the most significant risks the organisation faces, and assess whether senior management are responding appropriately.

CEO and senior management

The CEO and their senior management team have ultimate responsibility for how the organisation manage and control risk, and will:

  • set the tone by promoting a positive risk culture within the organisation
  • assign responsibilities to second-line managers in specific areas or departments, and
  • monitor how the organisation is managing risk in relation to its risk appetite, and take any measures needed to correct any issues.

Governance, risk and compliance management - chris owen and mike pound


How technology can help

Governance, risk and compliance (GRC) technology allows the first line to more effectively keep its risk policies and procedures up to date. Risk registers can help to better manage threats and vulnerabilities, monitor the effectiveness of controls, and ensure the organisation is assessing and controlling risks as consistently as possible.

GRC technology also helps the first line of defence to communicate with the second and third lines, using real-time dashboards that document Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs).


Second line of defence: risk management and compliance


The second line of defence is where many of the people associated with risk (quality, legal, compliance) are found, and it's there essentially to ensure the first line is properly designed and working as it should. They have some independence, and are responsible for making sure the business is complying with the law and for reporting directly to first-line managers.


Risk management

  • Make sure that operational management are putting effective risk-management practices in place.
  • Help assess risk in line with the organisation's risk appetite.
  • Help report risk-related information throughout the organisation.


  • Monitor risks of the organisation failing to comply with whatever laws and regulations apply.
  • Giving the first line of defence the help and information it needs to comply with those laws.
  • Reporting on compliance to management and the board.


Governance risk and compliance training sheffield Kate Armitage compressed


How technology can help

GRC technology helps the different second line of defence groups to collaborate and share information transparently and efficiently. Implemented here, it can be used to monitor all risk-management activities across the business, to generate reports for the first-line managers, and to identify laws and regulations that put the organisation at greatest risk of failing to comply.


Third line of defence: internal auditors


Internal audit forms the third line of defence. It works independently to provide assurance to the board and senior management (the first line) that the organisation is assessing and managing risks effectively, while also ensuring that the first and second lines of defence are operating properly.

As best practice, every organisation should have an internal audit function that:

  • acts in accordance with recognised international standards
  • reports to a sufficiently high level in the organisation to be able to perform its duties independently, and
  • can report effectively to the relevant governing body.

Qualsys Resideo mobile training


How technology can help

GRC technology can provide dedicated software that standardises the auditing process and helps auditors co-ordinate their risk assessments and collaborate between themselves. Perhaps more importantly, it can also allow auditors to access the information they need to monitor the effectiveness of the first and second lines of defence, then recommend any changes.


Why you should adopt the model

According to the Forrester Research report, 90% of the organisations surveyed will have adopted the Three Lines of Defence model by 2020. Some industries and businesses might catch on more quickly than others, but overall the model looks to be gaining traction.

And for good reason. Organisations that have a strong three lines of defence can more quickly identify and react to risk, more efficiently deploy resources to manage risk, and work more transparently and collaboratively to lessen the impact of risk.

GRC technology is vital in adopting the Three Lines of Defence model. Risk-management software helps each line of defence to work more efficiently and effectively, giving the organisation the confidence of knowing that the proper controls are in place to manage whatever risks may emerge.


 What you should do now


Want to brush up on your risk expertise? Try our free ISO 31000 risk management toolkit.


New Call-to-action





Topics: Quality Culture

Share your thoughts on this article