Blogpost

The Three Lines Model – when the second line becomes operational

The Three Lines Model is a framework for governance and risk management. However, its implementation in practice often leads to role conflicts. Compliance and internal audit can resolve these typical conflicts and make the Three Lines Model effective.



Three Lines – without any defence mode

How compliance and internal audit can make the three lines model effective.

Many institutions have introduced the three lines model into their organisational structure, described it in guidelines and presented it clearly in slide decks. And yet audits repeatedly reveal the same weaknesses: unclear responsibilities, operational activities in the second line, duplicated work between compliance and internal audit, or controls that are documented but not effective.

The problem is not the model. The problem is how it is implemented in everyday practice.

From Three Lines of Defence to Three Lines Model

Until 2020, the model was known as the Three Lines of Defence Model. The word "Defence" was chosen deliberately to emphasise a protective function. In practice, however, this way of thinking often produced a defensive attitude between the functions.

The result was silo thinking, disputes about boundaries and an overemphasised control mentality.

The Institute of Internal Auditors therefore dropped the term "defence". Since 2020, the Three Lines Model has stood for an understanding of governance rather than a defensive logic. The focus is on

  • clear responsibilities,
  • transparent cooperation and
  • a clear separation between operational responsibility, monitoring and independent auditing.

The core of the model is not defence, but the assignment of responsibility.

This change in perspective is crucial, particularly from the point of view of compliance and internal auditing. It is not about protecting each other, but about ensuring a functioning management and control system.

Where the real problems lie in practice

In day-to-day work it becomes clear that the theory behind the model is rarely the problem. The challenges arise in project work, with new regulatory requirements or under time pressure.

Typical observations from audits and compliance reviews are:

  • The first line performs controls formally, but without critical assessment or proper documentation.
  • The second line effectively takes over operational activities because specialist departments are uncertain or regulatory requirements are perceived as too complex.
  • Internal audit reviews structures in which roles are not clearly separated and has to identify self-audit risks.
  • Automated controls are assumed to be reliable without their data quality or parameterisation being questioned regularly.

Especially in phases of transformation, roles become blurred more quickly than expected.

What does this mean for compliance in practice?

Compliance is a monitoring and challenge function, not an operational implementation body. Its central task is to create transparency about regulatory risks and about the quality of the controls in the first line.

In concrete terms, this means:

  • Documenting clear role boundaries in projects and consistently leaving operational responsibility in the first line.
  • Establishing a structured overview of the key first-line controls.
  • Carrying out risk-oriented spot checks instead of complete operational follow-up checks.
  • Addressing deficits and reporting them to management without becoming involved in operational implementation.
  • Regularly reviewing the qualifications of employees who hold key control responsibilities.

Particularly when it comes to complex issues such as ESG, money laundering prevention or IT compliance, there is a great temptation to get involved in operational implementation. In the long term, however, this weakens the governance structure.

What does this mean for internal auditing?

Internal auditing should not only examine individual controls, but also evaluate the interaction between the lines.

In audit practice, this means:

  • actively questioning the understanding of roles and not just checking organisational charts,
  • analysing the interfaces between the first and second lines,
  • identifying potential self-audit risks in advisory activities at an early stage,
  • understanding automated controls, including data sources and parameterisation, and
  • defining the three-line interaction as an independent audit focus.

A clear distinction is particularly important when it comes to advisory services. Advisory services are permissible as long as no operational responsibility arises from them and there is no risk that internal audit will later have to audit its own work.

Takeaways for practice

For compliance

  • Responsibility for performing controls always remains with the first line
  • Monitoring requires transparency, not detailed operational control
  • Clearly separate advisory support from operational activities
  • Identify key controls and monitor them specifically
  • Document roles in projects in writing at an early stage

For internal audit

  • Don’t just check controls, evaluate governance structures
  • Treat the mixing of roles as a risk in its own right
  • Critically question automation and don’t assume it reduces risk
  • Clearly define and document advisory assignments
  • Deliberately include the interfaces between the lines in audit programmes

The Three Lines Model is neither a defence system nor a mere organisational chart. It is a governance tool. Its effectiveness is decided not in guidelines, but in project meetings, control evidence and audit reports. These show whether responsibility is clearly assigned, monitoring is effectively exercised and audits are conducted independently.

Sandra Leicht

is Head of Regulatory Compliance at msg for banking and has extensive compliance experience and expertise in the financial services sector. She has herself worked as an officer for many years and also advises and provides training on all aspects of compliance functions. She also has extensive expertise in the successful management of companies and in advising financial institutions on topics such as WpHG compliance, MaRisk compliance, money laundering prevention and data protection.
