What is the three lines model and how it works in financial risk management

Find out what the three lines model is, how it can help you control financial risk, and how to apply it in your organization.

If you work in the financial services industry, you know that risk management is a critical activity for the success of your business. But how do you ensure that everyone in your organization is aligned and committed to this task? One way is to use the three lines of defense model, which sets out a simple and effective framework for risk governance, management and auditing.

But how does this model work and what are its advantages? In this post, we’ll answer these questions and show you how to apply the three lines model in financial risk management. Check it out!

What is the three lines model?

The three lines of defense model is a way of organizing risk management, showing who does what in the organization.

It helps to clarify and coordinate everyone’s role and responsibility in controlling risk. Thus, it seeks to improve results and avoid problems and waste in the organization.

Financial institutions can use this model to manage risk effectively and in line with their objectives. Therefore, they can seek to improve results and protect their assets.

The three lines are based on the idea that protection needs an integrated and coordinated approach from different actors. They must act in a complementary way and align with the objectives of the organization.

See below what each line does according to IIA 2020 (The Institute of Internal Auditors):

First line


Conducts organizational activities and processes and controls the risks related to them. Creates and maintains the necessary internal controls.

Second line

Support, advisory, and supervisory roles:

Define the rules, norms, procedures, and methods related to risk management and control in the organization. Provide guidance, training, tools, and resources to the first line. Monitor and assess whether internal controls and risks are adequate and effective.

Third line

Internal audit:

Leads an independent and objective assessment of the efficiency and effectiveness of internal controls and risks in the organization. Provides recommendations for improving internal controls and risks.

Governing body

Establishes the organization’s vision, mission, values, and strategic objectives. Defines risk appetite and tolerance. Approves the control and risk management plans and rules. Supervises and evaluates the performance of management and internal audit. Must report results to stakeholders.

External assessment providers

They complement the third line with external assessments on risk management and control in the organization, following professional standards.

How does the three lines model work?

The three lines of defense must work together to ensure that risks are identified, assessed, addressed, monitored, and communicated appropriately across the organization. They must also ensure that internal controls are implemented, used, maintained and improved according to the organization’s strategic objectives.

The model can be adapted to the characteristics and needs of each organization. There is no single right or wrong way to use the model, but some ways will be more or less appropriate to the context and reality of each organization. It is important that the roles and responsibilities of each line are well defined, documented, communicated, and understood by everyone involved in risk management. This makes it possible to avoid conflicts, overlaps or gaps in the activities of each line.

This model is a way to strengthen risk management culture in the organization. It is also a way to increase the confidence of internal and external stakeholders in the organization’s ability to protect its critical assets.

How to implement it?

Now that you know what the three lines of defense model is and how it works, see the step-by-step guide to implement it:

1. Defining objectives

Define the financial institution’s strategic objectives as well as risk appetite and tolerance. Also define the control and risk management plans and rules.

2. Identifying the three lines

Identify the groups that make up the three lines in the financial institution, along with their specific roles and responsibilities in risk control.

3. Communication, coordination and collaboration

Establish how the three lines will communicate, coordinate, and collaborate with each other. Do the same with the governing body and external assessment providers.

4. Implementation of activities and processes

Carry out the activities and processes of each line, following the norms, procedures, and methods defined by the second line. Also follow the professional standards applicable to the third line.

5. Performance monitoring and evaluation

Monitor and evaluate the performance of the three lines, as well as the risks and controls in the financial institution, reporting the results and recommendations to the governing body and stakeholders.

6. Model review and improvement

Review and improve the three lines model periodically, taking into account changes in the financial institution’s internal and external environment.

Advantages of the three lines model

Some of the advantages of implementing the three lines of defense model in the risk management of financial institutions are:

  • Increase the effectiveness and efficiency of internal processes, avoiding errors and failures that could cause losses and damage to the reputation of the financial institution.
  • Reinforce the confidence of internal and external stakeholders in the financial institution’s ability to protect its critical assets and meet its strategic objectives.
  • Foster a culture of risk control in the financial institution, involving all levels of the organization, from the governing body to operational employees.
  • Delimit the roles and responsibilities of each line in risk control, avoiding conflicts, redundancies or gaps in the activities and functions of each line.
  • Adjust the model to the specific characteristics and needs of the financial institution, considering changes in the internal and external environment.

Therefore, the three lines model is a valuable tool to improve risk management and controls in financial institutions, providing benefits both to operational performance and corporate governance.

By implementing this model, institutions can increase their resilience, competitiveness, and sustainability in the financial market.

How SoftExpert can help

You’ve seen how the three lines model can help control financial risk in your organization. But do you know how technology can make this process easier?

Technology can automate, integrate and optimize the activities and processes of each line, increasing the efficiency, security, and quality of risk management.

A solution that can help with this challenge is the SoftExpert Suite, a platform that collaboratively meets all critical demands for excellence in organizational performance.

SoftExpert Suite allows managing risks in an integrated way with other processes, such as governance, compliance, auditing, quality, environment, health and safety. Furthermore, SoftExpert Suite is flexible and scalable, and can adapt to your needs and your growth.

Do you want to learn more about SoftExpert Suite and how it can help you implement the three lines model in your organization?





    Bruna Borsalli



    Bruna Borsalli is a Product and Market Analyst at SoftExpert. A Chemical and Occupational Safety Engineer with a specialization in Quality Management, she has experience in HSE (Health, Safety and Environment), Internal Auditor certification for Integrated Management Systems (IMS) - ISO 9001 | 14001 | 45001, and Six Sigma Yellow Belt.
