New Three Lines Model a Big Improvement


Post By: Gerry Zack

On July 20, The Institute of Internal Auditors published an update to its 2013 Three Lines of Defense model for managing risk. The new version, simply called the Three Lines Model, is a significant upgrade over the 2013 one in many ways. For starters, it acknowledges the distinction between the three lines can be a bit blurry, recognizing there can be effective variations on the model.

More importantly, the new model better describes how responsibilities for compliance and ethics are distributed within an organization.

The 2013 model described the three lines of defense as follows:

  • First line – Operational management (functions that own and manage risks)
  • Second line – Risk management and compliance functions (functions that oversee risks)
  • Third line – Internal audit (providing independent assurance)

Each of the three lines was graphically depicted as reporting to senior management, which in turn reports to the board of directors. Internal audit is accurately reflected as also reporting directly to the board of directors.

In the discussion of the second line of defense, the model stated that the compliance function “reports directly to senior management.”

The main issue with the 2013 model was that it failed to recognize the senior management level role of the compliance officer, as described in the U.S. Sentencing Guidelines and in the Department of Justice guidelines for evaluating compliance programs. It put all of the compliance function down at the second line of defense. This was the primary point of my comment letter that we submitted when the IIA asked for public comments on the model in 2019.

The 2020 version corrects this and, along the way, makes several valuable revisions. Regarding compliance and ethics, the new model starts at the top, the governing body, and works its way down from there. It notes that one of the responsibilities of the governing body, which sits above all three lines, is to “delegate authority and provide resources aimed at achieving organizational objectives while ensuring legal, regulatory, and ethical expectations are met.” Consistent with what we promote and what DOJ states, this requires a board (or committee of the board) that provides oversight of, and sufficient resources for, the compliance and ethics program.

Next, compliance responsibilities are described at both the first and second lines of management. The model doesn’t delineate a “senior management” group from other levels of management, likely another nod to the many variations that could work effectively. But the first line of management, where the CCO would be expected to be, is described as having responsibility for establishing structures and processes, including those aimed at ensuring “compliance with legal, regulatory, and ethical expectations.”

The next level of management, the second line, is responsible for providing expertise, support and monitoring to achieve compliance and ethics expectations. This is where you’d expect much of the compliance department, but also the compliance counterparts in the various operating units across the organization, to play a variety of roles in connection with the seven elements of an effective compliance and ethics program.

The new model can be found at:

Kudos to the IIA for their work in drafting an updated version of the Three Lines Model in a manner that is practical and that also very accurately reflects the distribution of compliance and ethics responsibilities across an organization.


  1. The new version is just blurring the lines and going around in circles, even more useless than the old one
