FROM THE ‘THREE LINES OF DEFENSE’ TO THE THREE LINES OF ASSURANCE – A REFRESHED PARADIGM

BY KLAUS MOOSMAYER

The ‘Three Lines of Defense’ model adopted by the Institute of Internal Auditors (IIA) has shaped corporate governance and accountability for decades, defining business and operational functions as the first line, compliance and risk management as the second, and internal audit as the third line of ‘defense’.

In September 2024, the IIA published a position paper updating the original system to a ‘Three Lines Model’, dropping the term ‘Defense’. In its reasoning for the change, the IIA argues for a “principles-based approach that focuses on the contribution risk management makes to achieving objectives and creating value, as well as to matters of ‘defense’ and protecting value”.

In other words, the IIA strengthens the role of risk management as a proactive element within its model, moving beyond a more reactive ‘defense’ approach. Furthermore, the IIA clarifies that while maintaining the language of ‘Three Lines’, these are not intended to “denote structural elements” but rather all roles should “operate concurrently”.

The new approach is convincing and aligns with a more holistic understanding of modern governance in corporations. However, simply dropping the word ‘Defense’ does not answer the fundamental question: three lines of what? This is somewhat surprising, as the IIA itself provides a convincing lead in its description of ‘assurance’ in the new position paper.

According to the IIA, assurance increases the level of stakeholder confidence about an organisation’s governance, risk management and control processes. While the IIA narrowly applies the term ‘assurance’ as a statement regarding specific audit activities, we should understand ‘assurance’ more broadly: as the systematic theme which connects governance, risk management, compliance and internal controls into one integrated system.

In such a system, the roles and responsibilities of business (including operations), risk and compliance functions, and internal audit are allocated so that they jointly contribute to integrated assurance within the corporation, forming the ‘Three Lines of Assurance’.

Areas of integrated assurance

Before focusing on the roles and responsibilities of the various organisations forming the ‘Three Lines’, let us take a closer look at the four interconnected areas of integrated assurance.

First, governance establishes clear accountability within the organisation, ensuring that policies, controls, and technology are systematically structured and interconnected.

Second, risk management ensures that organisational risks are effectively identified, assessed and managed, and that both crisis and business continuity systems are in place.

Third, compliance provides assurance that the organisation is complying with relevant laws, regulations and policies through a comprehensive prevent-detect-response approach for all compliance risks.

Fourth, internal controls provide assurance that the organisation’s control framework is properly designed, implemented and executed within the risk and compliance system.

These four areas build on each other. Based on clear governance structures, enterprise risk management is the prerequisite for a risk-based compliance system and for determining the number and intensity of corresponding internal controls. The IIA’s 2024 position paper therefore rightly emphasises the crucial importance of risk management.

The regulatory landscape has evolved dramatically over the last decades. Beyond ‘compliance classics’ such as anti-bribery and antitrust, companies must now comply with national and international legislation on human rights, data privacy, cyber resilience, anti-money laundering, export controls and trade sanctions, fraud prevention, environmental, social and governance, and, most recently, artificial intelligence compliance – to name only some of the most relevant regulatory fields.

Without a clear view of the company’s risk landscape across the ‘Three Lines’, organisations risk either creating unnecessary burden and bureaucracy through an overly extensive compliance and control framework or, conversely, running the company wilfully blind by ignoring major risks without proper assessment.

The first scenario results in compliance fatigue in the organisation and loss of competitiveness, while the second leads to significant liability risks and threats to business continuity if neglected risks materialise. Instead of clinging to traditional siloed and fragmented approaches to crisis, risk and compliance management, boards and executives should work toward an integrated assurance model.

Roles and responsibilities in a three lines of assurance model

One of the deficiencies of the former ‘Three Lines of Defense’ model was its terminology. ‘Defense’ is not a concept that first-line business leaders – or modern risk, compliance and audit professionals – want to be associated with, nor does it reflect proactive risk management.

By contrast, ‘Assurance’ not only meets legal and regulatory expectations but also builds stakeholder trust that the corporation is managed in a risk-assessed, compliant and controlled manner – without losing its competitive edge. ‘Assurance’ should therefore serve as a unifying concept and operating model for the governing body to fulfil its oversight duties and for all actors in the first, second and third line.

A business or operations leader in the first line, responsible for delivering products or services to customers, has a duty to assure adequate risk management. This becomes particularly clear in one persistent risk area: third-party management.

Third parties are selected by the business, and ultimate performance responsibility lies with the business, including proper selection, due diligence, monitoring and controls. In an integrated assurance model, the second line – risk and compliance organisation – supports the first line by providing regulatory standards, processes, tools and training for the third-party risk management process, while also testing the effectiveness of the first-line controls.

Internal audit, as the third line, builds on the assurance already provided by the first and second lines by conducting independent audits of the process and, under certain conditions, of the third parties themselves. Throughout the whole integrated assurance process, the business remains the owner of the risk. The first line is supported by the second and third lines within a clear governance framework which includes an escalation path and ultimately a veto right if the third party is not in compliance with laws and regulations or operates outside the agreed risk appetite of the organisation.

In a well-functioning integrated assurance system, the three lines avoid duplication of assurance work and focus resources and budgets on higher-risk areas and unaddressed ‘white spots’. In our example of third-party risk management, effective integrated assurance provides a holistic approach to assessing third-party risks. Instead of evaluating various compliance risks – such as bribery, human rights, trade sanctions, health and safety or cyber attacks – in separate workstreams and tools, third parties should undergo a comprehensive assurance check, both for efficiency and to detect related risk patterns.

Conversely, a siloed and fragmented compliance and risk management setup often leads to unclear ownership, as the first line tends to shift responsibility for third parties to the various risk and compliance functions involved, due to a lack of clear accountability and governance.

Governance prerequisites and organisational considerations

The decision to set up an integrated assurance model across the ‘Three Lines’, and its organisational design, is of strategic relevance. Therefore, the board as the governing body needs to take the initiative in alignment with management, which operationally oversees the first- and second-line roles within the company, while internal audit reports directly to the board and its audit committee.

When establishing an integrated assurance model across the ‘Three Lines’, board and management should focus on certain key areas.

First line. Business and operations leaders must fully embrace their assurance responsibility. Issuing a policy paper is not enough; it requires ongoing ‘tone from the top’ and visible consequences if accountability is not taken seriously by first-line leaders. The board’s compensation committee should implement clear and measurable objectives in this regard.

Second line. Risk and compliance functions should be organisationally integrated to the extent possible in order to avoid assurance siloes and misaligned processes. This integrated function must be empowered and sufficiently resourced. Its leader should have a seat at the executive management table and direct access to the board for reporting purposes, just as other C-suite leaders do.

Third line. Internal audit also plays an important role in an integrated system. It must maintain its independence while operating a joint assurance methodology across the three lines. To give a practical example, the definition of a ‘control deficiency’ must be consistent to avoid misunderstandings and disruptions in the assurance system. Furthermore, internal audit should operate using the same data pool, have access to the control and monitoring results of the first and second line, and adjust its audit plan accordingly to avoid duplications.

Conclusion

Good governance requires a convincing methodology that proves its value in real corporate life. The model of the ‘Three Lines of Defense’ needed an overhaul after more than 20 years – but simply deleting the word ‘Defense’ is not sufficient.

The three lines must rest on a sound foundation in order to exercise their respective responsibilities effectively. ‘Assurance’ serves well as a concept that embraces accountability and builds trust within the company and with its external stakeholders.

To make this model work in practice, organisations need to break down assurance siloes and move toward an integrated approach in which the assurance functions in the three lines build on each other.

It is the responsibility of boards and management to determine how best to apply the model of the ‘Three Lines of Assurance’ in their corporations.

Apr-Jun 2026 Issue