Why the Three Lines of Defense Model Is Outdated? What Every Board Should Know About the Three Lines Model

The Three Lines of Defence (3LOD) framework has guided risk and assurance for decades. But in 2020, the Institute of Internal Auditors (IIA) replaced it with the Three Lines Model (3LM) — a more collaborative, governance-driven, and value-focused approach.
This article explains what changed, why 3LOD no longer fits today’s complex risk landscape, and how boards can apply 3LM to strengthen governance and strategic decision-making.

What Is the Three Lines of Defence (3LOD)?

The Three Lines of Defence (3LOD) model is a governance framework designed by the IIA to clarify roles and responsibilities in risk management and internal control.
It defines three lines of accountability:

1. First Line – Operational Management: Owns and manages risks within day-to-day processes.
2. Second Line – Risk & Compliance Functions: Provides oversight, expertise, and policy frameworks.
3. Third Line – Internal Audit: Offers independent assurance that governance and controls are effective.

The model provided clarity in accountability, but over time it reinforced silos and created duplication. Organizations began treating risk as compliance paperwork rather than a driver of strategic value.

The Shift to the Three Lines Model (3LM)

In response, the IIA introduced the Three Lines Model (3LM) in 2020 — modernizing the approach to corporate governance and assurance.
3LM reframes the model from defence to alignment: emphasizing collaboration, shared accountability, and integrated governance across all functions.

Despite this update, many firms still rely on the outdated 3LOD framework. Understanding why it changed is essential for board members and executives overseeing enterprise risk management (ERM) programs.

Why the IIA Replaced the Three Lines of Defence Model (3LOD)

Over time, the Three Lines of Defence model exposed deep structural flaws. The IIA’s 2020 revision incorporated feedback from more than 2,000 stakeholders to address those weaknesses:

• Siloed mindset: The “defence” framing reinforced separation instead of collaboration.
• Role ambiguity: Overlapping responsibilities blurred accountability.
• False assurance: Control functions became overloaded with expectation to “catch everything.”
• Compliance over strategy: Risk was treated as paperwork, not decision intelligence.

The shift to 3LM wasn’t cosmetic — it redefined the relationship between risk, governance, and performance.

From Defence to Alignment: What Changed in 3LM

The Three Lines Model is built around six core principles that reflect today’s reality:

In practice, this means less rigidity, more interaction, and stronger linkage between operational execution and board oversight.

3LOD vs 3LM: Key Differences in Practice

Why Some Firms Still Use 3LOD

If the IIA retired the model years ago, why do many consulting firms still use it?
Because change disrupts commercial comfort zones.

• Legacy structures: Many clients are still built on 3LOD frameworks.
• Consulting economics: Complexity keeps service pipelines alive.
• Knowledge inertia: Not all practitioners understand 3LM deeply.
• Low awareness at board level: Few directors question what’s presented.

This perpetuates outdated thinking and leaves organizations less resilient to modern, interconnected risks.

RM1 vs RM2: A Mindset Shift

Think of 3LOD as Risk Management 1.0: compliance-led, reactive, and document-heavy.
The 3LM model represents Risk Management 2.0: value-driven, forward-looking, and embedded in decision-making.

If your risk program feels like box-checking, you’re still in RM1.
If risk insights directly influence decisions and investments, you’ve reached RM2.

Questions Every Board Should Ask

Boards don’t need to redesign the model overnight — but they must ensure governance keeps pace.
Ask these questions to see where your organization stands:

• Which model do we actually operate under: 3LOD or 3LM?
• How does our risk framework support strategy, not just compliance?
• What evidence shows that risk management adds value?
• Do our lines coordinate — or merely coexist?
• Are we relying on consulting templates or evidence-based practices?

Good governance starts with asking better questions.

Putting 3LM into Practice: The Role of GRC Tools

Transitioning to 3LM is about operationalizing collaboration. Technology can enable that shift — but not replace it.

Modern GRC tools like CERRIX support the Three Lines Model by:

• Creating shared visibility: One platform for Risk, Compliance, and Audit, with consistent data and dashboards.
• Automating accountability: Assign tasks and reviews across lines with clear ownership and traceability.
• Enhancing assurance: Link risks, controls, incidents, and audits in one environment for real-time insight.
• Connecting governance with execution: Dashboards give boards and committees continuous oversight of control health and risk exposure.

Technology doesn’t create good governance — it makes it measurable, transparent, and sustainable.

Conclusion

The Three Lines of Defence served its purpose in an earlier era.
But today, governance requires integration, not isolation.

Boards and executives who continue to rely on 3LOD are holding onto a structure that limits agility and collaboration.
The Three Lines Model reflects a modern organization — one where accountability, transparency, and strategy are aligned.

FAQ

What are the three lines in risk management?
They are operational management (first line), risk and compliance oversight (second line), and internal audit assurance (third line).

Why was the Three Lines of Defence model updated?
Because its “defence” mindset encouraged silos and compliance thinking. The updated 3LM fosters collaboration and alignment with strategy.

How can technology support the Three Lines Model?
Integrated GRC platforms like CERRIX provide a single source of truth for risks, controls, and assurance — enabling real-time insights and stronger governance.

‍