What is the Three Lines of Defense model (3LoD)?

The Three Lines of Defense model is a widely adopted governance framework, promoted by The Institute of Internal Auditors (IIA), that provides a standardized, comprehensive approach to governance and risk management by assigning risk-related roles to three distinct groups within an organization.

Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people, or systems, or from external events. Not long ago, the responsibility for managing operational risk within a company often rested squarely on the shoulders of a few tenured experts. Relying on their own experience and a limited internal-audit function, they would work to identify any obvious weaknesses or oversights that might expose the business to unnecessary risk. The auditor was the only real line of defense standing between the organization and a host of encroaching dangers.

Today, the number and complexity of business risks are growing. To match and mitigate those risks, many businesses are adopting a different governance model: Three Lines of Defense (3LoD).

As the name suggests, the risk-management Three Lines of Defense model consists of three different levels of protection. These are designed to provide redundant risk-management support and to help ensure that dangers are identified and addressed before they can negatively impact operations. At the same time, the most current version of the model (published by the IIA in 2020 as the Three Lines Model) stresses collaboration, alignment, accountability, and a focus on objectives, making it an important framework not only for defense, but also for recognizing and seizing opportunities as they arise.

Here, we take a closer look at each of the Three Lines of Defense in risk management, how 3LoD relates to operational resilience, and what we can expect from the three-line approach in the years to come.

The first line of defense (1st LoD) is operational management, consisting of front-line managers responsible for day-to-day risk management activities. These managers supervise employees as they work within business systems and applications, ensuring that proper risk-management procedures are being followed. They are also responsible for implementing corrective measures in the event that process and control deficiencies arise.

Essentially, business operational management is mandated to maintain adequate internal controls, execute risk procedures, identify and assess risks, guide and implement internal policies, and ensure that all activities support established goals—all on a daily basis. The overall purpose of this first line of defense is ongoing compliance, and the ability to quickly identify any control breakdowns, inadequate processes, or emergent events.

Everyday activities play a crucial role in operational risk. As such, this first line of defense is absolutely critical, and must be supported by internal mechanisms such as reliable management controls and internal control measures. These are developed and implemented with strong oversight from operational management, and should be regularly tested for both operating effectiveness (the control runs as designed) and design effectiveness (the control actually addresses the risk it was built for).

The second line of defense (2nd LoD) consists of the risk-management, compliance, and similar oversight functions. These functions define the risk frameworks, policies, and tolerances the first line must work within; monitor and challenge the first line's identification and treatment of risk; and report on aggregate risk exposure to senior management. The second line is still part of management rather than independent of it, which is what distinguishes it from the third line.

The third line of defense (3rd LoD) in the 3LoD model is internal audit. Auditors are responsible for reviewing all risk management processes, procedures, and frameworks, providing comprehensive assurance of the effectiveness of governance and internal controls. This line of defense supports the two previous lines, but must be capable of operating completely independently, taking an objective stance and reporting directly to the board, audit committee, or other governing body rather than only to the management it assesses.

As the final line of defense, internal audit must be capable of providing assurance over a range of objectives, including operational efficiency and effectiveness, reliability of reporting, regulatory compliance, and more.

Although the third line of defense is primarily associated with internal audit, external auditors may also be brought in to supplement this line and add another layer of assurance. In some cases an independent external assessor is required: SOC 1 and SOC 2 reports must be issued by an independent CPA firm, a PCI DSS Report on Compliance is performed by a Qualified Security Assessor for organizations whose merchant or service-provider level requires it, and the effectiveness of SOX Section 404 controls over financial reporting is attested to by the company's external auditor.

The Three Lines of Defense are designed to support and improve an organization’s operational resilience.

Operational resilience is the ability of an organization to continue to serve its customers, deliver products and services, and protect its workforce in the face of adverse operational events. This is accomplished by anticipating, preventing, recovering from, and adapting to adverse events. Potential events may include pandemics, data breaches, fires, destructive weather, and network outages.

The principles of operational resilience are as follows:

Governance

Governance describes the systems and mechanisms an organization relies on for operation and by which it and its employees are held accountable. Both risk management and compliance fall under the umbrella of governance. Effective governance structures allow organizations to create reliable operational-resilience plans and approaches, empowering them to better respond to and recover from disruptive events.

Operational risk management

Operational Risk Management (ORM) is a continuous cycle of risk assessment, risk decision-making, and implementation of risk controls, resulting in the acceptance, mitigation, or avoidance of each identified risk.

Continuity planning

Business continuity planning is the creation, implementation, rehearsal, and execution of continuity plans for a range of crisis scenarios. The purpose of continuity planning is to create reliable strategies for ensuring continued delivery of critical operations when faced with potentially disruptive events.

Interdependency mapping

Interdependency mapping identifies and charts internal and external connections and interdependencies, clearly mapping which of them are necessary for critical operations and continued service delivery in the event of a disruption.

Third-party risk management

Third-party risk management describes the tools and practices for managing third-party relationships, including identifying which third parties are essential to critical operations and assessing the risk each one introduces.

Incident management

Incident management refers to processes associated with creating response and recovery plans for specific incident scenarios. These plans should be continually refined and updated using insights from data analysis and previous incidents.

Information, communication, and cybersecurity technology

Information, communication, and cybersecurity technology should be regularly tested and improved to support the ongoing delivery of critical operations.

The Three Lines of Defense model is a tried-and-true approach to risk management. But just as continuity and resilience plans should be regularly updated to better account for changing situations, 3LoD has seen a number of revisions since it was first introduced.

In 2021, the Basel Committee on Banking Supervision (BCBS) released Revisions to the Principles for the Sound Management of Operational Risk, which build on the three-lines structure. Although these revisions are written for banks and related organizations, they can just as easily be applied by non-banking companies to improve their risk-management posture.

The revised Basel principles include:

  • Increased emphasis on the role of senior management in the execution of operational risk management activities.
  • Clearer descriptions of other roles within the Three Lines of Defense model.
  • Greater articulation of emergent risk sources.
  • A separate focus on operational resilience.

As risks become more diverse, the Three Lines of Defense model must also continue to adapt. This applies most directly to the third line: internal audit. Internal auditors and their associated processes must become more agile and forward-thinking, promoting positive change throughout the rest of the 3LoD model. In the future, auditors will be expected to play a much more active role in advising and anticipating, as well as educating stakeholders at all levels.

Beyond internal audit, other advances will continue to shape the 3LoD model. New technologies, including automation, machine learning, and AI, will allow for easier identification and remediation of risks. Likewise, organizations will increase their focus on the human element of the Three Lines of Defense, working to improve coordination, communication, and methodologies across teams and departments.

Managing operational risk is a vital aspect of modern business. The 3LoD model exists to provide redundant layers of protection to offer increased security against a range of possible threats. But by itself, 3LoD may not be enough to fully shield organizations from evolving dangers. ServiceNow, the industry leader in IT management, provides the solution.

Operational Risk Management from ServiceNow empowers organizations with the ability to apply continuous monitoring, incorporate relevant data insights from across the entire enterprise, and prioritize and respond to emergent risks faster than would otherwise be possible. The Operational Risk Management GRC application includes tools for risk self-assessment, control assurance, testing, incident and loss capture, and automated monitoring. Backed by advanced analytics and reporting, integrated predictive-intelligence enhanced issue management, and more, Operational Risk Management offers the increased defenses that today's organizations depend on to survive and thrive.

Reduce operational losses. Build resilience and reliability. Reduce costs and improve productivity. And through it all, enjoy complete, real-time visibility of all risk and control tolerances. Operational Risk Management from ServiceNow makes it all possible.
