Three lines of defence

Category: Risk management frameworks · Reviewed by Al Jabbar, Broker · Specialist Risks · Last reviewed

The three lines of defence (3LoD) model is the dominant governance architecture for risk and control in regulated financial-services firms. It allocates risk responsibility across three independent layers and is referenced by the PRA, FCA, Basel Committee, EIOPA and the Institute of Internal Auditors (IIA).

The three lines

First line — operational management. The business functions that own and manage risk day-to-day. In an insurer this includes underwriting, claims, distribution and IT. The first line designs and operates the controls that mitigate risk.

Second line — risk and compliance functions. Independent oversight that sets policy, monitors first-line activity, challenges risk decisions and reports to the board. In insurers under Solvency II this includes the risk management function, compliance function and actuarial function.

Third line — internal audit. An independent assurance function reporting to the board audit committee. Internal audit tests the design and operation of first- and second-line controls.

2020 IIA update — “Three Lines Model”

The IIA refreshed the model in 2020, dropping the word “defence” in favour of the Three Lines Model to emphasise value creation (not just protection) and clarify the governing body’s role above the three lines. Most regulators still use “three lines of defence” in practice.

Solvency II key functions

Solvency II Article 44 and the PRA Insurance Rulebook (Conditions Governing Business) require four key functions in insurers, mapped to the three lines:

Each has named senior responsibility under the Senior Managers and Certification Regime (SM&CR).

Common pitfalls

The model fails when the second line becomes embedded in first-line decisions (losing independence), when internal audit reviews policy rather than the operation of controls, or when “everyone is responsible” leaves nobody accountable.

Maintained by Matt Bartlett, Director, Apex Insurance Brokers Limited. FCA FRN 724952. Companies House 07014570.