On May 10, 2012, JPMorgan Chase disclosed $2 billion in trading losses from its Chief Investment Office. By year-end the loss had ballooned to $6.2 billion.

Bruno Iksil, the London Whale, had breached internal risk limits multiple times in early 2012, but the bank’s Value-at-Risk Excel model understated portfolio risk because a formula divided by the sum rather than the average of two hazard rates.

That sequence is the three lines of defense model collapsing in real time. The first-line trader took the risk and ignored limit breaches; the second-line risk function had a broken VaR model and missed the warnings; the third-line internal audit function did not catch either before the loss landed. JPMorgan paid roughly $920 million in US and UK regulator fines for the failure.

Three Lines of Defense Model: The Practitioner Cheat Sheet

The Three Lines of Defense Model assigns risk and assurance roles across three layers: the first line owns the risk, the second line oversees the risk, and the third line provides independent assurance over both. The IIA published the framework in 2013 and updated it in July 2020.

The July 2020 IIA update renamed the framework from ‘Three Lines of Defense’ to ‘Three Lines Model’ to de-emphasize defensive posture and stress collaboration. Most US risk and audit professionals still use the older name in practice; both terms refer to the same role split.

JPMorgan’s 2012 London Whale loss of $6.2 billion is the textbook three lines of defense model failure. A first-line trader breached limits multiple times, a second-line VaR model contained an Excel formula error that understated exposure, and the third line did not catch either before the loss landed.

First line (business operations, front-line controls) owns the risk. Second line (risk function, compliance, ORM, CISO) oversees it. Third line (Internal Audit) provides independent assurance over both. Each line reports into senior management and the board on different cadences.

The Three Lines of Defense Model fails when the second line reports to the first line, when the head of Internal Audit reports to the CFO rather than the Audit Committee, or when the lines share a single technology stack with no segregation. OCC and FRB examiners check these reporting lines in every US bank above $50 billion.

Anchor every Three Lines of Defense Model implementation to four references: the IIA’s 2020 model document, COSO ERM 2017 governance principles, Basel III operational risk standards, and the OCC’s Heightened Standards governance framework. Mapping each line to all four closes audit gaps in one pass.

The Three Lines of Defense Model is not a guarantee of catching every risk event; it is a structure that makes ownership unambiguous. The board still needs an integrated dashboard pulling from all three lines, not three separate reports.

This guide gives risk and audit professionals a working explanation of the three lines of defense model for 2026, including the July 2020 IIA rename to ‘Three Lines Model’ and what it changed in practice. The framework draws on the IIA’s 2020 Three Lines Model document, COSO ERM 2017, the Basel III operational risk standard, and the OCC Heightened Standards.

Three Lines of Defense Model
The Three Lines of Defense Model Explained for Operational Risk Practitioners

Figure 1. The Three Lines of Defense Model as updated by the IIA in July 2020.

What the Three Lines of Defense Model Actually Says

The three lines of defense model is a structure for assigning risk and assurance responsibilities across an organization. Each line carries a defined role, reports to a defined committee, and is held accountable for a defined output.

The model is descriptive of how mature programs actually work, not a prescription dropped from above.

The Institute of Internal Auditors published the original framework in January 2013. In July 2020, the IIA released an updated version and dropped the word ‘defense’ from the title.

The new name is the Three Lines Model. In US risk and audit practice, both terms are used interchangeably, and the underlying role split is largely the same.

The Original IIA Three Lines of Defense Model (2013)

The 2013 version split risk and assurance responsibilities across three layers. First line: operational management owns and manages risk in the daily run of the business. Second line: risk management, compliance, and other oversight functions challenge the first line and report aggregated exposure to senior management.

Third line: Internal Audit provides independent assurance to the audit committee on the effectiveness of governance, risk management, and internal control.

The 2013 framework was widely adopted by US banks, insurers, healthcare systems, and Fortune 500 firms. The Federal Reserve’s SR 13-1 enhanced risk management standards for large bank holding companies referenced the same three-line concept.

The OCC’s 2014 Heightened Standards codified the same role split for US banks above $50 billion. The framework became the global default for risk governance.

The 2020 Update: Three Lines Model vs Three Lines of Defense

In July 2020, the IIA published The IIA’s Three Lines Model: An Update of the Three Lines of Defense after a working group review with an advisory panel of 30 industry experts. The headline change was the rename. The word ‘defense’ suggested a posture of risk reduction only, when modern ERM also requires taking risk to seize opportunity.

The 2020 update introduced six principles. The model emphasized governance and shared accountability over rigid silos, added external assurance providers (regulators, external auditors) to the picture, and positioned the governing body more clearly above senior management.

It acknowledged that the lines collaborate and challenge each other continuously, not just at handoff points. US risk and audit professionals still call it the Three Lines of Defense Model in practice.

First Line of Defense Under the Three Lines of Defense Model

The first line of defense owns the risk. The line includes business operations, front-line managers, and the controls embedded in day-to-day processes.

The first line designs and operates the controls that prevent, detect, and correct loss events.

The operational risk management discipline sits primarily inside the first line, with first-line risk officers and control owners running the controls.

| First line role | Typical owner | Output to senior management |
|---|---|---|
| Process controls | Business unit manager, Operations Director, Branch Manager | Process exception report; SLA breach log; near-miss capture |
| Transaction monitoring | Operations team, AML analyst, fraud analyst | Daily exception list; investigation case file; SAR if applicable |
| Vendor management | Procurement, Vendor Relationship Manager | Vendor SLA scorecard; due diligence checklist; renewal tracker |
| Cybersecurity controls | CISO and IT operations (CISO often sits in first line for execution) | Patch compliance dashboard; access reviews; vulnerability remediation log |
| Compliance procedures | Line of business compliance officer | Mandatory training completion; policy attestation; deviation log |

The first line is the largest of the three lines by headcount and the closest to the risk event. It owns the loss. When a loss occurs, the first line absorbs the financial impact in its P&L and is accountable for fixing the underlying control.

The operational risk management framework specifies how the first line escalates exceptions up to the second line.


Figure 2. Three Lines of Defense Model failures: regulator penalties at named US firms.

Second Line of Defense in the Three Lines of Defense Model

The second line of defense oversees and challenges the first line. The line includes the risk management function, compliance, the Operational Risk Manager, the Chief Information Security Officer when distinct from IT operations, model risk management, and any other oversight team independent of the first-line business.

The second line designs the risk framework, sets the policies, monitors aggregated exposure, and challenges first-line judgments.

| Second line function | Typical owner | Reports to |
|---|---|---|
| Enterprise risk management | Chief Risk Officer | CEO + Board Risk Committee |
| Operational risk management | Director of Operational Risk | CRO + Operational Risk Committee |
| Compliance | Chief Compliance Officer | Audit Committee + General Counsel |
| Model risk management | Head of Model Risk (SR 11-7 function) | CRO + Model Risk Committee |
| Information security | Chief Information Security Officer | CIO with dotted line to CRO |
| Third-party risk | Vendor Risk Manager | CRO + Risk Committee |

The second line’s independence from the first line is the central design choice in the three lines of defense model. The CRO reports to the CEO, not the COO.

The Director of Operational Risk reports to the CRO, not to the COO whose operations ORM challenges. Distinguishing strategic risks from operational risks, and managing each accordingly, is also second-line work.

Third Line of Defense (Internal Audit) in the Three Lines of Defense Model

The third line of defense is Internal Audit. The IIA defines its role as providing independent and objective assurance and advice on the adequacy and effectiveness of governance, risk management, and internal control.

The third line tests both the first line (operations and controls) and the second line (risk and compliance functions) and reports findings directly to the Audit Committee of the Board.

Independence is the central requirement. The Chief Audit Executive reports administratively to the CEO but functionally to the Audit Committee Chair, and CAE compensation, hiring, and firing decisions involve the Audit Committee.

The CAE attends every Audit Committee meeting and meets privately with the Audit Committee at least annually. The IIA’s International Professional Practices Framework sets the global standard.

Internal Audit does not own the risk, does not design the controls, and does not implement the controls. The third line provides assurance over the work of the first two lines.

When Internal Audit becomes a control designer or a control operator, it has stepped into the second or first line and lost the independence required for assurance. Examiners check this boundary in every US bank exam.

Where the Three Lines of Defense Model Breaks Down

The three lines of defense model is a structure, not a guarantee. Five recurring failure modes appear across the US incidents charted above. Recognize them in your own program before the regulator does.

Failure mode one is line blurring. The CISO reports to the CIO and runs both controls (first line) and oversight (second line) with no separation; the Director of Operational Risk reports to the COO; Internal Audit takes on consulting work that compromises future audit independence. JPMorgan’s London Whale had elements of all three. The IIA Three Lines Model requires explicit role separation.

Escalation gaps are the second failure mode. The first line spots a risk event but does not raise it to the second line; the second line aggregates events but does not raise them to the third line or the board; the third line audits cyclically but misses real-time signals. Wells Fargo’s sales conduct issue ran for years without aggregated escalation.

Shared technology and shared data without segregation rounds out the failure modes. When all three lines run off a single risk register with no version control, no change log, and no independent data feeds, the third line cannot test the second line’s work. Citigroup’s 2024 OCC fine specifically cited data governance failures of this type.

Frequently Asked Questions on the Three Lines of Defense Model

Six questions surface in every US risk-and-audit onboarding. The answers reflect IIA 2020, COSO ERM 2017, OCC Heightened Standards, and Basel III as of May 2026.

What is the difference between the Three Lines of Defense Model and the Three Lines Model?

The IIA renamed the framework in July 2020 from Three Lines of Defense Model to Three Lines Model. The role split across first, second, and third lines stayed largely the same.

The 2020 update added six principles emphasizing governance, shared accountability, and external assurance. Most US risk and audit professionals still use the older name in conversation, and both refer to the same structure.

Where do the CFO and the General Counsel sit in the Three Lines of Defense Model?

The CFO and the General Counsel sit at the senior management layer above the three lines, alongside the CEO and the CRO.

The Finance function inside the CFO’s organization operates as first line for its own processes (financial reporting, tax, treasury) and provides second-line oversight on financial reporting risk. Legal provides second-line oversight on legal and contractual risk. Neither function is itself one of the three lines.

How does the Three Lines of Defense Model apply outside banking?

The Three Lines of Defense Model applies across every sector that runs ERM. Healthcare, manufacturing, energy, aviation, and technology all use the same role split.

The named owners change (Director of Quality Assurance instead of Director of Operational Risk, for example), but the structure is identical.

The enterprise risk management expectations placed on non-banks now match the bank standard, with regulators (SEC, FTC, FAA, FDA, OSHA) holding boards accountable.

How does Internal Audit stay independent in the Three Lines of Defense Model?

Five conditions protect Internal Audit independence: the CAE reports functionally to the Audit Committee Chair (not the CEO or CFO); the CAE budget is approved by the Audit Committee; CAE hiring and termination decisions involve the Audit Committee; Internal Audit does not design or operate controls; and the annual audit plan is approved by the Audit Committee, not management. IIA Standard 1100 codifies all five.

What is the Three Lines of Defense Model’s relationship to COSO ERM and ISO 31000?

The Three Lines of Defense Model is a governance structure that sits underneath COSO ERM 2017 and ISO 31000:2018. COSO ERM provides the framework while ISO 31000 provides the principles and process; the three lines define who does what inside both.

The ISO 31000 vs COSO ERM comparison addresses the framework layer; the three lines model addresses the role layer underneath.

Can a small US firm use the Three Lines of Defense Model?

Yes. A firm under 100 staff may not have a dedicated CRO, compliance officer, or internal audit team.

The role split still applies: business operations is first line, oversight (often a finance leader wearing the second-line hat) is second line, and external auditors plus an audit committee chaired by an independent board member fulfill third-line assurance. As the firm grows past 500 staff, hire dedicated second-line and third-line resources.

Challenges in Implementing the Three Lines of Defense Model

Five pitfalls recur across US programs that try to stand up or refresh the Three Lines of Defense Model. Each one shows up in the JPMorgan, Wells Fargo, or Citigroup case studies above.

| Challenge | Root cause | Remedy |
|---|---|---|
| CISO reports to CIO with no CRO dotted line | Cyber treated as IT infrastructure rather than enterprise risk | Add CISO dotted line to CRO. Move cyber KRIs into the second-line risk dashboard. |
| Internal Audit accepts consulting engagements that compromise future audit independence | CAE under-resourced and looking for revenue | Adopt IIA Standard 1130 on independence impairment. Audit Committee approves any non-assurance work in writing. |
| Three lines run off one shared GRC platform with no segregation | Tool consolidation prioritized over independence | Segregate access, change logs, and reporting paths. Third line reads everything; second line writes its own data; first line writes its own. |
| No escalation triggers between lines | Lines treated as silos rather than collaborative | Document five escalation triggers in the ERM policy: dollar threshold, regulatory action, 8-K, appetite breach, pattern detection. |
| Director of Operational Risk reports to COO | Convenient reporting line that breaches IIA principle of second-line independence | Move reporting to CRO. Document in committee charter. OCC examiners check this in every CAMELS review. |
| The 2020 IIA update ignored | Treated as cosmetic rename | Adopt the six principles. Refresh committee charters to reference the 2020 model. Update Internal Audit standards manual. |

Looking Ahead: Three Lines of Defense Model in 2026-2028

Three forces will reshape the three lines of defense model over the next two years. The first is the rise of integrated GRC platforms that pull all three lines into a single technology stack.

Vendors like ServiceNow, Workiva, and MetricStream now offer unified risk and audit modules. The risk is that consolidation erodes the segregation that makes the three lines work.

Generative AI brings the second wave. AI agents are entering first-line control execution (transaction monitoring, fraud detection), second-line oversight (KRI threshold setting, policy gap analysis), and third-line assurance (automated test scripting, evidence collection).

The Federal Reserve SR 11-7 model risk management standard now applies to AI used in any of the three lines. Expect dedicated AI audit programs by end of 2026.

Climate and ESG round out the trio. The SEC climate disclosure rule finalized in March 2024 forces public companies to disclose climate-related risk.

First-line operations now produce the underlying metrics, second-line risk and compliance functions aggregate them, and third-line Internal Audit will need to test the data lineage end to end. Disclosure committees and Audit Committees will share this work.

Firms that maintain clean three lines of defense model separation through this transition will outpace those running merged or siloed programs.

The model is older than 2013 in spirit; the IIA’s 2020 update sharpened the language but did not change the underlying logic. Stronger separation, clearer reporting lines, and explicit escalation triggers remain the test of a credible governance structure.

Working with Risk Publishing on Three Lines of Defense Model Programs

Risk Publishing designs three lines of defense model structures that hold up to OCC, FRB, FDIC, and SEC examiner review. We map roles to lines, draft committee charters, set escalation triggers, and integrate the output with your operational risk management framework and enterprise risk management framework.
