Quiz Entry - updated: 2026.07.14
What is the "Three Lines of Defense" governance model and what does each line do?
It splits accountability into three lines: 1st = business operations that own and run controls, 2nd = risk/compliance functions that oversee them, 3rd = internal audit that independently assures — all reporting up to the board.
* Three Lines of Defense: operations own controls, risk & compliance oversee, internal audit assures — all reporting up to the board. *
| Line | Who | Role |
|---|---|---|
| 1st Line of Defense | Business operations / all business units | Own and manage risk: daily risk management, identify/implement controls, ensure product/process/IT compliance, use KPIs |
| 2nd Line of Defense | Risk Management, HR, Compliance, IT Security, Legal | Oversight: monitor, oversee and report; risk and control self-assessment (RCSA, RCA); track Key Risk Indicators (KRIs) |
| 3rd Line of Defense | Internal Audit | Independent assurance: periodic review covering all business units, provides assurance to the Board/CEO |
Above all three sits Management (accountable to the board) and the Board of Directors (accountable to shareholders for organizational oversight, including board committees on governance, internal control, risk culture, roles/responsibilities).
Go deeper:
Three lines of defence / Three Lines Model — TechTarget — Erklärt 1./2./3. Linie (Betrieb, Risiko/Compliance-Oversight, unabhängige interne Revision) und das IIA-Update 2020.