How to Structure First, Second, and Third Line Responsibilities with RACI Clarity Across US Organizations
Executive Summary
The Three Lines Model is the governance architecture that tells everyone in your organization who owns risk, who oversees it, and who independently verifies it.
First published by the Institute of Internal Auditors (IIA) in 2013 and fundamentally updated in 2020, the model has become the de facto standard for risk governance in US financial services, healthcare, insurance, and regulated industries.
Yet most organizations still struggle with the same practical questions: Who exactly does what? How do we avoid duplication? How do we translate this into a working RACI?
This guide answers those questions with concrete tools, real-world examples, and a 90-day implementation roadmap you can act on today.
1. What Is the Three Lines Model and Why Did the IIA Revise It?
The original Three Lines of Defense framing treated risk management as a set of defensive walls. The 2020 IIA revision dropped the word ‘defense’ intentionally, recognizing that risk is not just something to be blocked but something to be navigated strategically.
The updated model emphasizes contribution to organizational objectives alongside protection from harm.
The IIA’s 2020 Position Paper Three Lines Model: An Update of the Three Lines of Defense describes six core principles: accountability, governance, independence, competence, objectivity, and communication.
These principles map directly onto ISO 31000:2018’s risk management framework requirements under Clause 5 and Clause 6.
For US organizations, this matters because regulators including the OCC, Federal Reserve, and SEC expect to see clearly documented accountability for risk. The Three Lines Model provides that documentation scaffold.
The Three Lines at a Glance
The table below summarizes the core distinctions. Reference it when designing charters, onboarding new risk owners, or preparing board presentations.
| Attribute | First Line | Second Line | Third Line |
| Who | Business operations & management | Risk, Compliance, Legal, Finance functions | Internal Audit (IA) and external review |
| Primary role | Own and manage risk daily | Oversee, challenge, and advise | Independent assurance and insight |
| Reports to | Business unit leaders / COO | CRO / CCO / CFO | Audit Committee / Board |
| Key output | Control execution, incident reports, control self-assessments | Risk registers, KRI dashboards, policy exceptions, compliance reports | Audit reports, findings, ratings, management letters |
| ISO 31000 link | Risk treatment & control (Clause 6.5) | Risk evaluation & monitoring (Clause 6.4, 6.6) | Review & continual improvement (Clause 6.7) |
Table 1: Three Lines Model — Key Attributes (aligned to IIA 2020 and ISO 31000)
2. First Line: Owning and Managing Risk in Daily Operations
The first line is every business unit, function, and individual that creates, accepts, or bears risk in the course of doing business. In a bank, that is the lending team approving loans. In a hospital, it is clinicians documenting patient care. In a technology firm, it is the software development team pushing code to production. Risk ownership is not optional for the first line — it is their primary accountability.
First Line Responsibilities
- Identify and log risks arising from operational activities in the enterprise risk register
- Design, execute, and monitor internal controls at the process level
- Complete control self-assessments (CSAs) on a defined cycle (typically quarterly or semi-annual)
- Escalate risk events, near-misses, and control failures to the second line within agreed timelines
- Respond to audit findings and remediate gaps within agreed due dates
- Embed risk appetite into business decisions (pricing, hiring, vendor selection, project go/no-go)
A practical way to test whether your first line is functioning is to ask any business manager: ‘What are your top three risks right now, and what controls do you have in place?’ If they cannot answer without calling the risk department, you have an ownership problem.
To build a strong first line, start with a structured risk identification framework that is embedded in operating procedures, not treated as a separate exercise. Pair this with a key risk indicator (KRI) dashboard that gives managers real-time visibility into their risk profile.
3. Second Line: Oversight, Challenge, and Risk Intelligence
The second line provides the expertise, frameworks, and oversight that the first line needs but cannot objectively supply itself. In most US organizations, the second line includes the Chief Risk Officer (CRO) and risk management function, the Chief Compliance Officer (CCO) and compliance team, the Chief Information Security Officer (CISO) for cyber and data risk, Legal and regulatory affairs, and Finance functions that monitor financial risk exposures.
The critical distinction is that the second line does not manage operational risk on behalf of the first line. It sets the rules, provides the tools, monitors adherence, and escalates breaches. When a compliance officer writes a policy, she is performing a second-line function. When she also approves individual transactions under that policy, she has crossed into the first line and compromised her own independence.
Second Line Responsibilities
- Develop and maintain the enterprise risk management framework aligned to ISO 31000 and COSO ERM
- Design the KRI library, set risk appetite thresholds, and report breaches to the board
- Challenge first-line risk assessments and control designs for completeness and rigor
- Monitor regulatory developments (SEC, OCC, FINRA, HIPAA, state-level) and assess organizational exposure
- Produce the enterprise risk register, risk dashboard, and board-level risk reports
- Manage policy exception requests and track remediation commitments
- Lead risk assessments for major projects, acquisitions, and strategic initiatives
For US financial institutions specifically, the OCC’s Heightened Standards for Large Banks (OCC 2014-001) explicitly requires a strong risk management function independent from business lines, reinforcing the second-line mandate.
The Federal Reserve’s SR 11-7 guidance on model risk management similarly designates an independent validation role for the second line.
See our detailed guide on building a KRI framework for boards for practical templates aligned to this second-line function.
4. Third Line: Independent Assurance and Board-Level Insight
Internal Audit (IA) is the third line. Its defining characteristic is independence from both the first and second lines, which means it reports directly to the Audit Committee of the Board of Directors, not to management.
This structural independence is what makes IA’s assurance credible. When the Audit Committee receives an IA report saying controls are effective, they can rely on it precisely because IA has no stake in the result.
External auditors, regulators, and other independent review functions also contribute to third-line assurance, but they operate under different mandates. IA is the only third-line function that can be fully directed and prioritized by the board to address emerging risks.
Third Line Responsibilities
- Develop a risk-based audit plan that covers the full audit universe including first- and second-line activities
- Conduct independent testing of controls, not relying solely on second-line risk assessments
- Issue audit reports with findings rated by risk severity (critical, high, medium, low)
- Track management remediation of audit findings and report overdue items to the Audit Committee
- Provide assurance on the adequacy of the ERM framework itself — not just individual controls
- Coordinate with external auditors (e.g., Big Four, PCAOB-registered firms) to avoid duplication and leverage each other’s work
The IIA’s International Standards for the Professional Practice of Internal Auditing (IPPF) provide the professional baseline for third-line work. Standard 2010 on planning and 2120 on risk management assurance are particularly relevant to the Three Lines Model.
For an in-depth look at how IA relates to operational risk management, including assurance mapping techniques, see our dedicated guide.
5. RACI Matrix: Who Does What Across the Three Lines
The RACI framework (Responsible, Accountable, Consulted, Informed) is the most practical tool for operationalizing the Three Lines Model. Without a RACI, governance documents stay aspirational. With a RACI, every meeting, every risk report, and every audit has a clear owner.
The matrix below covers 15 core risk governance activities. Use it as a starting template and customize it for your organization’s structure. Key: R = Responsible (does the work), A = Accountable (owns the outcome), C = Consulted (provides input), I = Informed (receives updates).
| Activity / Decision | 1st Line | 2nd Line | 3rd Line |
| Risk identification (operational) | R/A | C | I |
| Risk register maintenance | R | A | I |
| KRI design and threshold setting | C | R/A | I |
| KRI monitoring and escalation | C | R/A | I |
| Policy drafting | C | R/A | I |
| Policy sign-off / approval | I | C | I (audit committee A) |
| Control self-assessment (CSA) | R/A | C | I |
| Audit scope and planning | I | C | R/A |
| Audit fieldwork / testing | I | I | R/A |
| Audit finding remediation | R/A | C | I |
| Regulatory reporting (e.g., SEC, OCC) | C | R/A | I |
| Incident response (operational) | R/A | C | I |
| Enterprise risk reporting to board | C | R/A (CRO) | I |
| Third-party / vendor risk review | R (business) | A (Risk/Compliance) | I |
| SOX control certification | R/A (process owner) | C (Internal Controls) | R (IA) |
Table 2: Three Lines RACI Matrix — Core Risk Governance Activities
A few nuances are worth highlighting. SOX control certification shows a second Responsible in the third line because IA performs the testing even though the process owner certifies.
Third-party risk splits the roles between the business (R, because it owns the vendor relationship) and Compliance/Risk (A, because it owns the oversight framework). Regulatory reporting sits firmly with the second line except where business units provide the underlying data.
For risk-specific RACI guidance, see our posts on project risk assessment and third-party risk management frameworks, both of which include line-specific RACI templates.
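The RACI rules stated above (exactly one Accountable per activity, at least one Responsible, and notes such as "audit committee A" signalling an owner outside the three lines) can be checked mechanically before a matrix goes to a cross-line workshop. The script below is an added example, not a tool from this page or from Risk Publishing; it takes four rows from Table 2 plus two deliberately broken rows constructed for the test, and the cell syntax it parses (codes separated by "/", an optional parenthetical note) is an assumption that matches the table's own notation.

```python
import re

# Constructed sample rows: four taken from Table 2 on this page plus two deliberately
# broken rows so the validator has something to flag. Parenthetical notes are kept
# verbatim because some of them carry the accountability the three lines do not.
LINES = ("1st Line", "2nd Line", "3rd Line")
RACI_ROWS = {
    "Risk identification (operational)": ("R/A", "C", "I"),
    "Policy sign-off / approval": ("I", "C", "I (audit committee A)"),
    "Third-party / vendor risk review": ("R (business)", "A (Risk/Compliance)", "I"),
    "SOX control certification": ("R/A (process owner)", "C (Internal Controls)", "R (IA)"),
    "Orphan activity (constructed)": ("R", "C", "I"),
    "Dual-owner activity (constructed)": ("A", "R/A", "I"),
}

# A cell is one or more of R/A/C/I separated by "/", optionally followed by "(note)".
CELL_RE = re.compile(r"\s*([RACI/ ]*)(?:\(([^)]*)\))?\s*")


def parse_cell(cell):
    """Split 'R/A (note)' into ({'R', 'A'}, 'note'); the note is not counted as an assignment."""
    m = CELL_RE.fullmatch(cell)
    if m is None:
        raise ValueError(f"unparseable RACI cell: {cell!r}")
    codes = set(m.group(1).replace("/", " ").split())
    return codes, (m.group(2) or "")


def validate_row(cells):
    """Return the RACI rule violations for one activity (an empty list means the row is clean)."""
    parsed = [parse_cell(c) for c in cells]
    accountable = [line for line, (codes, _) in zip(LINES, parsed) if "A" in codes]
    responsible = [line for line, (codes, _) in zip(LINES, parsed) if "R" in codes]
    findings = []
    if not accountable:
        # An 'A' that appears only inside a note means the decision owner sits outside the
        # three lines (for example the audit committee); say so instead of reporting a bare gap.
        outside = [f"{line}: {note}" for line, (_, note) in zip(LINES, parsed)
                   if re.search(r"\bA\b", note)]
        if outside:
            findings.append("Accountable sits outside the three lines (" + "; ".join(outside) + ")")
        else:
            findings.append("no Accountable assigned")
    elif len(accountable) > 1:
        findings.append("more than one Accountable: " + ", ".join(accountable))
    if not responsible:
        findings.append("no Responsible assigned")
    return findings


def validate_matrix(rows):
    """Map each activity that has at least one violation to its list of findings."""
    report = {}
    for activity, cells in rows.items():
        findings = validate_row(cells)
        if findings:
            report[activity] = findings
    return report


if __name__ == "__main__":
    for activity, findings in validate_matrix(RACI_ROWS).items():
        print(f"{activity}:")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the sample rows, the validator passes the clean rows, reports the two constructed rows, and flags "Policy sign-off / approval" twice: the Accountable is named only in a note, and no line is marked Responsible for the approval work. Whether that second finding is a defect or an intentional choice is a judgement for the workshop; the point of the check is that the question is raised before the matrix is signed off.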
6. KRIs for Each Line: Building an Integrated Early-Warning System
Key Risk Indicators are the quantitative heartbeat of the Three Lines Model. Each line should have KRIs that measure its own effectiveness, not just the risks in the environment.
First-line KRIs track control execution quality. Second-line KRIs track oversight effectiveness. Third-line KRIs track assurance coverage and finding resolution.
The table below provides a starter library. Thresholds should be calibrated to your organization’s risk appetite and historical baselines.
| Line | KRI | Amber Threshold | Owner | Frequency | Escalation Rule |
| 1st Line | Overdue control self-assessments (%) | > 10% overdue | Business Unit Manager | Monthly | Escalate to CRO if threshold breached |
| 1st Line | Incident reports filed within 24 hours (%) | < 90% on-time | Operations Manager | Weekly | Root cause log entry required |
| 2nd Line | Risk appetite limit breaches (count) | > 2 open breaches | CRO | Monthly | Board notification within 5 days |
| 2nd Line | Policy exception requests approved (count) | > 5 per quarter | CCO | Quarterly | Trend review at Risk Committee |
| 2nd Line | KRI data quality score (%) | < 85% complete | Risk Analytics | Monthly | Data remediation plan within 15 days |
| 3rd Line | High-risk audit findings open > 90 days (count) | > 3 open | CAE | Quarterly | Escalate to Audit Committee |
| 3rd Line | Audit plan completion rate (%) | < 80% on schedule | CAE | Quarterly | Revised plan submitted to Board |
Table 3: KRI Library by Line — Starter Set with Escalation Rules
For a comprehensive KRI library mapped to ESG, cyber, and operational risk domains, visit our complete KRI framework guide. For board-level KRI reporting, see our post on risk quantification for boards.
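Table 3 mixes thresholds that breach upward ("> 10% overdue") with ones that breach downward ("< 90% on-time"), and the 90-day roadmap later calls for red/amber/green thresholds. The script below is an added example, not code from this page or from Risk Publishing: it loads the Table 3 starter set, parses the operator and limit out of each threshold string, rates a set of constructed month-end observations, and groups the resulting escalation actions by owner. The two red thresholds and all observed values are constructed for the example; Table 3 itself lists amber thresholds only.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class KRI:
    line: str
    name: str
    amber: str                 # threshold text as written in Table 3, e.g. "> 10% overdue"
    owner: str
    escalation: str
    red: Optional[str] = None  # constructed for this example; Table 3 lists amber thresholds only


# Starter set from Table 3 on this page; the two red thresholds are constructed additions.
KRI_LIBRARY = [
    KRI("1st", "Overdue control self-assessments (%)", "> 10% overdue",
        "Business Unit Manager", "Escalate to CRO if threshold breached"),
    KRI("1st", "Incident reports filed within 24 hours (%)", "< 90% on-time",
        "Operations Manager", "Root cause log entry required", red="< 75% on-time"),
    KRI("2nd", "Risk appetite limit breaches (count)", "> 2 open breaches",
        "CRO", "Board notification within 5 days", red="> 4 open breaches"),
    KRI("2nd", "Policy exception requests approved (count)", "> 5 per quarter",
        "CCO", "Trend review at Risk Committee"),
    KRI("2nd", "KRI data quality score (%)", "< 85% complete",
        "Risk Analytics", "Data remediation plan within 15 days"),
    KRI("3rd", "High-risk audit findings open > 90 days (count)", "> 3 open",
        "CAE", "Escalate to Audit Committee"),
    KRI("3rd", "Audit plan completion rate (%)", "< 80% on schedule",
        "CAE", "Revised plan submitted to Board"),
]

THRESHOLD_RE = re.compile(r"([<>]=?)\s*(\d+(?:\.\d+)?)")


def parse_threshold(text):
    """Pull the comparison operator and numeric limit out of text such as '< 85% complete'."""
    m = THRESHOLD_RE.search(text)
    if m is None:
        raise ValueError(f"no threshold found in {text!r}")
    return m.group(1), float(m.group(2))


def breached(threshold, observed):
    """True when the observed value crosses the threshold in the direction the text states."""
    op, limit = parse_threshold(threshold)
    return {"<": observed < limit, "<=": observed <= limit,
            ">": observed > limit, ">=": observed >= limit}[op]


def rate(kri, observed):
    """Red takes precedence over amber; direction comes from the threshold text itself."""
    if kri.red is not None and breached(kri.red, observed):
        return "red"
    if breached(kri.amber, observed):
        return "amber"
    return "green"


def evaluate(library, observations):
    """Rate every KRI that has an observation and attach its escalation rule when not green."""
    report = []
    for kri in library:
        if kri.name not in observations:
            continue  # no data this period; a real dashboard would flag this separately
        value = observations[kri.name]
        status = rate(kri, value)
        report.append({"line": kri.line, "kri": kri.name, "value": value, "status": status,
                       "owner": kri.owner, "action": None if status == "green" else kri.escalation})
    return report


def escalations_by_owner(report):
    """Group the actions that are actually due, keyed by the owner who must act on them."""
    due = {}
    for row in report:
        if row["action"]:
            due.setdefault(row["owner"], []).append(row["action"])
    return due


# Constructed month-end observations, keyed by KRI name.
OBSERVATIONS = {
    "Overdue control self-assessments (%)": 12.0,
    "Incident reports filed within 24 hours (%)": 70.0,
    "Risk appetite limit breaches (count)": 3,
    "Policy exception requests approved (count)": 4,
    "KRI data quality score (%)": 80.0,
    "High-risk audit findings open > 90 days (count)": 2,
    "Audit plan completion rate (%)": 70.0,
}

if __name__ == "__main__":
    rows = evaluate(KRI_LIBRARY, OBSERVATIONS)
    for row in rows:
        print(f"{row['line']} | {row['status']:5} | {row['kri']} = {row['value']}")
    for owner, actions in escalations_by_owner(rows).items():
        print(f"{owner}: {'; '.join(actions)}")
```

Keeping the threshold as the text the owner signed off on, and deriving the comparison direction from it, avoids the common dashboard bug where a "lower is worse" indicator such as on-time incident reporting is silently compared the wrong way round. Grouping by owner rather than by line produces the list each person actually needs at month end.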
7. Six Common Failure Modes and How to Fix Them
Implementation fails in predictable ways. The following table documents the six most common pitfalls observed in US organizations, how each manifests in practice, and the specific mitigation required.
| Failure Mode | How It Manifests | Mitigation |
| 1st line does not own risk | Operational managers treat risk as a compliance department problem | Embed risk ownership in performance scorecards; link line manager KPIs to control metrics |
| 2nd line becomes another 1st line | Risk function executes controls rather than overseeing them (e.g., IA does risk register entry) | Separate control execution from oversight duties; enforce independence clauses in charters |
| 3rd line relies on 2nd line work | Internal audit reuses risk assessments produced by the risk function without independent testing | Mandate independent sampling; prohibit IA from placing sole reliance on 2nd line outputs |
| Lines blur during crisis | Incident response pulls risk staff into operational roles, destroying oversight integrity | Define surge protocols in BCPs; assign deputy oversight roles during crisis events |
| Reporting overload | Multiple lines produce separate risk reports, creating board fatigue and conflicting signals | Adopt an integrated assurance map; single risk report with three-line commentary |
| Governance vacuum at the Governing Body | Board receives assurance without challenge; rubber-stamps risk appetite statements | Establish a dedicated Audit & Risk Committee with independent directors; mandate CRO access to board |
Table 4: Three Lines Model — Failure Modes and Mitigations
The ‘reporting overload’ failure mode is increasingly common in organizations that adopted GRC platforms without redesigning their reporting architecture.
Our guide on enterprise risk management frameworks covers integrated assurance map design in detail.
8. Three Lines Model in US Regulatory Contexts
The Three Lines Model is not just best practice in the US — in many sectors, it is effectively mandated by regulators. Here is how it maps across the major US regulatory frameworks.
Financial Services (OCC, Federal Reserve, FDIC)
For banks and bank holding companies, the OCC’s Heightened Standards require independent risk management (second line) and independent internal audit (third line) to be clearly separated from business management (first line).
The Federal Reserve’s Large Institution Supervision Coordinating Committee (LISCC) framework explicitly references three-line architecture in its supervisory expectations.
Healthcare (CMS, HHS OIG)
The HHS Office of Inspector General’s compliance program guidance for healthcare organizations mirrors three-line logic: clinical operations (first line), compliance function (second line), and independent compliance audits (third line). The OIG’s 7 Elements of an Effective Compliance Program align directly with the model.
Public Companies (SEC, SOX)
Sarbanes-Oxley Sections 302 and 404 require management certification of internal controls (first and second line) and independent auditor attestation (external third line). The SEC’s Staff Guidance on Disclosure Controls reinforces the need for clear ownership and independent testing.
Insurance (NAIC, State Regulators)
The NAIC’s Own Risk and Solvency Assessment (ORSA) framework requires insurers to maintain an enterprise risk management function (second line) separate from business management, with board oversight.
Many state regulators have adopted NAIC Model Audit Rule provisions that specifically require IA independence.
9. Practical Tools for Implementation
Charter Template: What to Include
Every line function needs a charter that defines its mandate, scope, reporting line, independence requirements, and resource rights.
A robust second-line charter should include: purpose and mandate, scope of oversight activities, reporting structure (who the CRO reports to), right of access to information and personnel, resource adequacy provisions, and annual review requirements.
The IIA’s Internal Audit Charter template provides a detailed starting point for third-line charters. Adapt it by removing the independence provisions unique to IA when drafting second-line charters.
Integrated Assurance Map
An integrated assurance map is a single-page view that shows, for each key risk, what assurance is provided by each line and when.
It answers the board’s implicit question: ‘Is anyone looking at our biggest risks, and are there overlaps or coverage gaps?’ Build it by listing your top 10-15 risks down the left column, then mapping first-line CSAs, second-line monitoring reviews, and third-line audits across the columns with dates and ratings.
For detailed guidance on assurance mapping connected to business continuity management and IT disaster recovery, including how the three lines interact during a crisis event, see our BCM-specific coverage.
Risk Appetite Statement Linkage
The Three Lines Model only works if it is anchored to a risk appetite statement (RAS). The board approves the RAS; the second line translates it into quantitative limits and KRI thresholds; the first line operates within those limits; and the third line verifies that the limits are being respected. Without this chain, the three lines become organizational boxes rather than a functioning governance system.
See our post on risk appetite statement development and our guide on the COSO ERM framework for tools that connect RAS design to three-line governance.
10. 90-Day Implementation Roadmap
Organizations that have tried to implement the Three Lines Model in a single governance refresh typically stall at the charter stage. A phased 90-day approach builds momentum and produces tangible artifacts at each milestone.
| Phase | Label | Key Actions | Owner | Output |
| Days 1–30 | Diagnose & Design | Map current risk governance against IIA 2020 model; identify line ownership gaps; review charters | CRO / CAE | Gap assessment report; updated charters |
| Days 31–60 | RACI & KRI Build | Draft line-specific RACIs; design KRI library with thresholds; assign risk owners in risk register | CRO + Business leads | Approved RACI matrix; KRI register with red/amber/green thresholds |
| Days 61–90 | Activate & Assure | Run first integrated assurance map; hold cross-line workshop; present unified risk report to board | CAE + CRO + CCO | Board risk report; integrated assurance map; lessons-learned log |
Table 5: Three Lines Model — 90-Day Implementation Roadmap
The most important success factor is executive sponsorship. The CRO and CAE need to jointly present the Three Lines implementation as a strategic initiative, not a compliance exercise. Frame it to business leaders as: ‘This gives you clearer accountability and less audit scrutiny, not more.’
11. The Future of the Three Lines Model: AI, ESG, and Beyond
Three emerging forces are reshaping how the Three Lines Model applies in practice.
Artificial Intelligence and Algorithmic Risk
AI systems create risk ownership ambiguities that the classic model did not anticipate. Who is the first-line owner of an algorithmic credit decision: the model developer, the business unit deploying the model, or the data science team?
The answer requires explicit governance design. The Fed’s SR 11-7 on model risk provides a useful precedent: model owners (first line), model risk management (second line), and model validation (third line or independent within the second line). See our post on AI and machine learning KRIs for quantitative monitoring tools.
ESG Risk Integration
The SEC’s climate disclosure rules and growing investor ESG scrutiny have pushed sustainability risk into the mainstream risk governance agenda.
Organizations are now asking which line owns ESG risk: the sustainability function (a second-line role in most designs), the business units generating the emissions (first line), or both? Our ESG KRI framework maps 43 ESG indicators across governance, environment, and social dimensions that integrate cleanly into a three-line reporting structure.
Cyber and Operational Resilience
CISA’s Cybersecurity Performance Goals and the SEC’s cybersecurity disclosure rules (effective 2024) require organizations to have clear accountability for cyber risk from board level to operational level — precisely the Three Lines Model in digital context.
The CISO typically sits in the second line, with IT operations in the first line and IA conducting independent cyber audits as the third line. Our guide on operational resilience versus business continuity covers how the three lines interact during major disruptions.
Key External References and Standards
- IIA 2020 Three Lines Model Position Paper — theiia.org
- ISO 31000:2018 Risk Management Guidelines — iso.org
- COSO Enterprise Risk Management Framework — coso.org
- OCC Heightened Standards (2014-001) — occ.gov
- Federal Reserve SR 11-7: Model Risk Management Guidance — federalreserve.gov
- SEC Cybersecurity Disclosure Rules (2023) — sec.gov
- NAIC ORSA Guidance Manual — naic.org
- HHS OIG Compliance Program Guidance — oig.hhs.gov
- AICPA Internal Control Integrated Framework — aicpa.org
- PCAOB Auditing Standards — pcaobus.org
- CISA Cybersecurity Performance Goals — cisa.gov
- ISACA COBIT 2019 Framework — isaca.org
- Basel Committee Principles for Effective Risk Data Aggregation — bis.org
Ready to Implement the Three Lines Model in Your Organization?
Start with the RACI matrix in Table 2. Customize the 15 activities for your industry and organizational structure, assign owners by name rather than title, and schedule a cross-line workshop within 30 days. The model works when it is specific, not generic.
Explore our full library of risk management frameworks and templates at riskpublishing.com, including downloadable Excel KRI dashboards, BCP templates, and board risk report formats designed for practitioners who need to move fast.
Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
