Three Lines of Defence Model

What is the Three Lines of Defence model?

The Three Lines of Defence model helps business leaders to manage risk effectively.

It facilitates a cohesive and coordinated approach, by establishing three independent levels of risk management, segregating key duties and reducing the potential for conflicts of interest.

Among other regulators and organisations, the Three Lines of Defence model is endorsed by:

the Financial Conduct Authority (FCA),
Chartered Institute of Internal Auditors (IIA) and the
Institute of Directors (IoD).

Contact Us

Why do we need Three Lines of Defence model?

The Three Lines of Defence model was developed in response to the 2007/2008 global financial crisis.

The crisis highlighted that some teams within larger organisations were apparently taking risks that were well beyond the organisation's risk appetite.

The risks were neither adequately identified nor monitored by Senior Management and the Board.

The Three Lines of Defence model is still dependent on the Board and Executive leadership defining appropriate risk appetites and governing risks accordingly. The Board is still accountable for their Governance, Risk management and Compliance (GRC).

What are the Three Lines of Defence?

As shown on the diagram below, the Three Lines of Defence forms part of the overall organisational design.

Three Lines of Defence Model

In summary:

The First line of Defence provides day-to-day risk management and control. These are the primarily business units, including operational and technology aspects.
The Second Line of Defence has a level of independence, to oversee risks. They maintain risk management policies, frameworks and approaches, identify and monitor risks, and report to senior management.
The Third Line of Defence provides independent audit and assurance to the Board, that the First and Second Lines of Defence are working appropriately.

Three Lines of Defence for Data Protection

From a Data Protection perspective, for larger organisations, we typically see:

The Data Protection Officer role in the 2nd Line of Defence.
The Head of Information Security role in the 2nd Line of Defence.
The Chief Information Security Officer role in the 1st Line of Defence.
Business Unit Managers were demonstrable accountabillity for privacy and security of their processes.
Regular independent assurance activities, of all of the above, from Internal Audit.

Also see our article on the relationship between Data Protection, Privacy and Security.

Need to know more about the 3 lines of defence?

At DataGRC, our specialists have used the Three Lines of Defence in a wide range of industries and organisations