What is the Three Lines of Defence model (3LoD)?

The Three Lines of Defence model is a governance framework designed to provide a standardised, comprehensive approach to risk management and internal control.

Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. Not long ago, the responsibility for managing operational risk within a company often rested squarely on the shoulders of individual tenured experts. Relying on their own experience and a limited internal-audit function, they would work to identify any obvious weaknesses or oversights that might expose the business to unnecessary risk. The auditor was the only real line of defence standing between the organisation and a host of encroaching dangers.

Today, the number and complexity of business risks is growing. To match and mitigate those risks, many businesses are adopting a different governance model: Three Lines of Defence (3LoD).

As the name suggests, the risk management Three Lines of Defence model consists of three different levels of protection. These are designed to provide overlapping risk-management support and to help ensure that dangers are identified and addressed before they can negatively impact operations. At the same time, the most current version of the 3LoD model stresses collaboration, alignment, accountability and a focus on objectives, making it an important framework not only for defence, but also for recognising and seizing opportunities as they arise.

Here, we take a closer look at each of the Three Lines of Defence in risk, how 3LoD relates to operational resilience and what we can expect from the three-line approach in the years to come.

The first line of defence (1st LoD) is operational management, consisting of front-line managers responsible for day-to-day risk management activities. These managers supervise employees as they work within business systems and applications, ensuring that proper risk-management procedures are being followed. They are also responsible for implementing corrective measures in the event that process and control deficiencies arise.

Essentially, business operational management is mandated to maintain adequate internal controls, execute risk procedures, identify and assess risks, guide and implement internal policies, and ensure that all activities support established goals—all on a daily basis. The overall purpose of this first line of defence is ongoing compliance and the ability to quickly identify any control breakdowns, inadequate processes or emergent events.

Everyday activities play a crucial role in operational risk. As such, this first line of defence is absolutely critical and must be supported by reliable management and internal controls. These are developed and implemented with strong oversight from operational management, and should be regularly tested for both design and operating effectiveness.

The second line of defence (2nd LoD) consists of the risk management, compliance and similar oversight functions. They set the risk and control frameworks and policies the first line works within, monitor how well those controls are operating, challenge the first line's risk assessments and report on the organisation's risk profile to senior management. They support operational management but do not own the risks themselves, which is why they sit apart from the first line.

The third line of defence (3rd LoD) in the 3LoD model is internal audit. Auditors are responsible for reviewing the risk management processes, procedures and frameworks of the first two lines, providing independent assurance of the effectiveness of governance, risk management and internal controls. This line of defence supports the two previous lines, but must operate independently of them, taking an objective stance and reporting directly to the board or audit committee as well as to senior management.

As the final line of defence, internal audits must be capable of supporting a range of objectives related to operational efficiency and effectiveness, reporting reliability, regulatory compliance and more.

Although the third line of defence is primarily associated with internal audit, external auditors may also be brought in to supplement it and add another layer of assurance (strictly, external assurance providers sit outside the organisation's own three lines, but they serve the same purpose). In some cases an external auditor is mandatory, such as when obtaining a SOC 1 or SOC 2 attestation report, producing a PCI DSS Report on Compliance, or attesting to the effectiveness of internal control over financial reporting under SOX Section 404.

The Three Lines of Defence are designed to support and improve an organisation’s operational resilience.

Operational resilience is the ability of an organisation to continue to serve its customers, deliver products and services, and protect its workforce in the face of adverse operational events. This is accomplished by anticipating, preventing and recovering from, and adapting to adverse events. Potential events may include: pandemics, data breaches, fires, destructive weather and network outages.

The principles of operational resilience are as follows:

Governance

Governance describes the systems and mechanisms an organisation relies on to operate and by which it and its employees are held accountable. Both risk management and compliance fall under the umbrella of governance. Effective governance structures allow organisations to create reliable operational-resilience plans and approaches, empowering them to better respond to and recover from disruptive events.

Operational risk management

Operational Risk Management (ORM) is a continuous cycle of risk identification and assessment, risk decision-making and implementation of risk controls, resulting in the acceptance, mitigation or avoidance of each risk.

Continuity planning

Business continuity planning is the creation, implementation and rehearsal of continuity plans for a range of crisis scenarios, and the discipline of following them when a crisis occurs. The purpose of continuity planning is to create reliable strategies for ensuring continued delivery of critical operations when faced with potentially disruptive events.

Interdependency mapping

Interdependency mapping identifies and charts internal and external connections and interdependencies, clearly mapping which of them are necessary for critical operations and continued service delivery in the event of a disruption.

Third-party risk management

Third-party risk management describes the tools and practices for managing third-party relationships, identifying which third parties are essential to critical operations and assessing the risk each of them introduces.

Incident management

Incident management refers to processes associated with creating response and recovery plans for specific incident scenarios. These plans should be continually refined and updated using insights from data analysis and previous incidents.

Information, communication and cyber security technology

Information, communication and cyber security technology should be regularly tested and improved to support the ongoing delivery of critical operations.

The Three Lines of Defence model is a tried-and-true approach to risk management. But just as continuity and resilience plans should be regularly updated to better account for changing situations, 3LoD has seen a number of revisions since it was first introduced.

Recently, the Basel Committee on Banking Supervision (BCBS) released Revisions to the Principles for the Sound Management of Operational Risk, which describe how banks should apply the three lines. Although these revisions are written for banks and related organisations, their guidance can be adapted by non-banking companies to improve their own risk management.

Basel 3LoD updates include:

  • Increased emphasis on the role of senior management in the execution of operational risk management activities.
  • Clearer descriptions of other roles within the Three Lines of Defence model.
  • Greater articulation of emergent risk sources.
  • A separate focus on operational resilience.

As risks become more diverse, the Three Lines of Defence model must also continue to adapt. This truth may relate most directly to the third line: internal audits. Internal auditors and their associated processes must become more agile and forward thinking, promoting positive change throughout the rest of the 3LoD model. In the future, auditors will be expected to play a much more active role in advising and anticipating, as well as educating stakeholders at all levels.

Beyond internal audit, other advances will continue to shape the 3LoD model. New innovations, including automation, machine learning and AI, will allow for easier identification and remediation of risks. Likewise, organisations will increase their focus on the human element of the Three Lines of Defence, working to improve coordination, communication and methodologies across teams and departments.

Managing operational risk is a vital aspect of modern business. The 3LoD model exists to provide redundant layers of protection to offer increased security against a range of possible threats. But by itself, 3LoD may not be enough to fully shield organisations from evolving dangers. ServiceNow, the industry leader in IT management, provides the solution.

Operational Risk Management from ServiceNow empowers organisations with the ability to apply continuous monitoring, incorporate relevant data insights from across the entire enterprise, and prioritise and respond to emergent risks faster than would otherwise be possible. The Operational Risk Management GRC application includes tools for risk self-assessment, control assurance, testing, incident and loss capture, and automated monitoring. Backed by advanced analytics and reporting, issue management enhanced by integrated predictive intelligence and more, Operational Risk Management offers the increased defences that today's organisations depend on to survive and thrive.

Reduce operational losses. Build resilience and reliability. Reduce costs and improve productivity. And through it all, enjoy complete, real-time visibility of all risk and control tolerances. Operational Risk Management from ServiceNow makes it all possible.
