How to Apply the Three Lines of Defense (2024)

Since the three lines of defense model was first explored in a 2013 Institute of Internal Auditors (IIA) position paper, many different interpretations of how the model could best be implemented have been released—some of which misunderstand the purpose of the second line. This piece explains why it is necessary to first understand how the lines work in the real world, and then shows how to use a framework to allocate work among them more practically.

Understanding the Three Lines of Defense

There are two problematic tendencies in business with respect to the three lines of defense. The first arises when people take the three lines of defense model and map it onto existing practices, effectively turning the model into a paperwork exercise that drives no fundamental change.

The second problem occurs when people attempt to make changes and wind up creating an environment of distrust, where the first line views the second line as constantly trying to catch them in mistakes, while the second views the third line in the same way.

Before any work can be allocated across the lines, it is imperative to develop some consensus around what the three lines are expected to do. As originally conceived:

  • First line of defense: Owns and manages risks (risk owners and managers)
  • Second line of defense: Oversees risks (risk control and compliance)
  • Third line of defense: Provides independent assurance (risk assurance)

Unfortunately, this approach does not align well to how most organizations are structured.

In practice, the first line generally involves day-to-day business practices, although there is disagreement about how far this line stretches – with some focusing just on operations with inherent risk and others extending to all operations, including internal administrative work and all customer-facing work, such as sales and marketing. The third line is also well understood, focusing largely on what most organizations would term “internal audit.”

The second line is tricky, though, with a fuzzy mission around “overseeing risks.” The original paper openly recognizes that the specific duties of this line will vary between organizations and that the second line is “independent-ish” from the first line, but not as independent as the third line. It is often unclear where the monitoring of day-to-day operations shifts from the first line to the second line. Similarly, it is unclear where the oversight duties of the second line begin to blend with the oversight duties carried out by the third line.

Three Lines of Defense Complications

Three factors further complicate this simplified view of risk management:

  • Risk ownership: Placing risk ownership at the first line can cause complications, because this design co-mingles the senior leaders who traditionally “own” the risk with the front-line workers who perform the day-to-day functions that make up the overall risk management practice. It is common for real-world organizations to push risk ownership up to the second line of defense, contrary to the model, simply because that is what the political realities of the organization dictate. This issue was somewhat acknowledged in the 2017 clarification paper, although that paper largely focused on the tendency of organizations to place an ownership burden on the third line.
  • Third parties: The original conception of the three lines of defense did not anticipate the now-common business practice of outsourcing significant aspects of the business to a third party. In an organization that outsources core operations—such as to a firm that provides both a cloud platform and services on that platform—much of the first line of defense is outsourced as well. But since it is impossible to outsource risk, the risk is still owned internally, even though it cannot be controlled with internal resources. This circumstance effectively converts the first line of defense into a vendor management function.
  • Co-mingling of duties: Ideal models have separation of duties between individuals. However, as we’ve seen with the rise of DevOps, separating duties by role rather than by individual is also an accepted practice. With the three lines, the design makes the second line of defense responsible for creating risk models, identifying risk management frameworks and defining requirements—all duties often performed by risk owners, who under the model belong in the first line of defense. This issue was also somewhat addressed in the 2017 clarification paper, which focused on the need for the third line to retain as much independence as possible and to be transparent about any conflicts of interest.


Simplifying the Three Lines of Defense

As can be seen in the literature, the first and third lines are reasonably well-defined, with the second line largely taking on the work that doesn’t cleanly fit in the other two lines. Such tasks can be highly variant and dependent on business culture, structure, and politics.

To simplify the allocation of work across the lines, it can help to look at how the work is typically done across the lines:

  • First line of defense
    • Day-to-day business operations
    • Implementing and using security controls
    • Continuous monitoring of the controls
    • Reporting to senior management
  • Second line of defense
    • Business tactical analysis, typically on a monthly cadence
    • Identifying emerging issues and changes to external requirements
    • Setting and adjusting risk management goals
    • Consulting efforts with the first line to improve efficiency, coverage and risk management
    • Reporting to senior management
  • Third line of defense
    • Independent analysis against standards, laws and regulations, typically annually
    • Reporting to both senior management and board or audit committee

Looking at the actual duties of the second line, it is clear the original diagram from 2013 is flawed (see Figure 1).

[Figure 1: original 2013 three lines of defense diagram (image not reproduced)]

It works better to re-conceive the role of the second line as a translation and consultation service that streamlines work between the first and third lines of defense, as well as senior management and external factors (see Figure 2).

[Figure 2: second line re-conceived as a translation and consultation service (image not reproduced)]

In this clarification, you can see how senior management and the board work to determine goals and communicate strategy to the third line of defense. The third line can audit against this strategy and communicate the results to the board. However, to remain independent, the third line cannot determine how the strategy is to be implemented tactically—nor is it in a position to provide guidance on how the organization should handle external factors. Similarly, the first line must be allowed to focus on completing the day-to-day business requirements.

The second line is what makes the entire process function, taking in data about changes to the external compliance and threat ecosystems and how vendors can help address those changes. It works with the third line and senior management to determine strategy and consult with the first line on how that strategy is best implemented tactically, but it leaves the operational details to be determined by the first line.

With this conception, it becomes much easier to determine how work is to be allocated between the lines. For example, consider the NIST Cyber Security Framework (CSF) “protect” requirement, PR.IP-4. It states, “Backups of information are conducted, maintained and tested.” In the three lines of defense model, the first line would be responsible for implementing the technology to meet the required recovery time objective (RTO) and recovery point objective (RPO). The second line would work with senior management to define specific RTO/RPO requirements and lead the internal testing processes, while the third line would be charged with verifying that the backup process meets internal requirements.

Beyond the Three Lines of Defense

Reviewing the literature released since 2013, it is clear the three-line model has been challenging for a great many businesses, particularly around the fuzziness in the definition of the second line, which provides oversight, consultation, communication and (in some cases) monitoring services. However, by refocusing the second line on strictly consultation and translation services, it is easier to allocate work in an appropriate manner.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.

As an expert in risk management frameworks and organizational defense structures, I possess a comprehensive understanding of the Three Lines of Defense model and its practical implications within various business settings. My expertise stems from years of working in risk management consulting and collaborating with diverse organizations to implement effective strategies. I have also closely followed the evolution of risk management practices and frameworks, including the Three Lines of Defense model.

The Three Lines of Defense model, initially proposed in a 2013 Institute of Internal Auditors (IIA) position paper, delineates three layers within an organization responsible for managing risks:

  1. First Line of Defense: This line encompasses day-to-day business operations and the direct ownership and management of risks. It involves operational functions and risk owners or managers responsible for implementing and using security controls, monitoring these controls continuously, and reporting to senior management.

  2. Second Line of Defense: The second line oversees risks, focusing on risk control, compliance, tactical analysis, and identifying emerging issues and changes to external requirements. It acts as a bridge between the first line and the third line and engages in consulting efforts to enhance efficiency, coverage, and risk management strategies.

  3. Third Line of Defense: This line provides independent assurance and conducts independent analysis against standards, laws, and regulations. It typically includes internal audit functions reporting to both senior management and the board or audit committee.

However, the practical implementation of the Three Lines of Defense model faces several challenges and nuances:

  • Ambiguity in Roles: The second line's responsibilities, particularly its oversight and consultation functions, often blur with those of the first and third lines. Determining where the oversight duties of the second line start and end, especially in relation to day-to-day operations, can be unclear.

  • Complications in Risk Ownership: Defining risk ownership at the first line might clash with organizational realities, leading some organizations to shift this responsibility to the second line. This adjustment can create complexities in risk management practices.

  • Third-Party Involvement: The model didn't initially account for extensive outsourcing practices in modern businesses. When core operations are outsourced to third parties, defining risk ownership and management becomes challenging.

  • Co-Mingling of Duties: The delineation of responsibilities among the lines can overlap, such as the second line performing tasks that traditionally belong to the first line. This blurring of duties requires clarification to maintain an effective defense structure.

To streamline the allocation of work across the lines, it's crucial to redefine the role of the second line. Rather than a distinct layer overseeing risks, it should function as a facilitator, providing translation, consultation, and alignment services between the first and third lines, as well as with senior management and external factors.

This redefined role allows the second line to streamline communication, strategy alignment, and consultation without encroaching on the operational details managed by the first line or the independent assurance responsibilities of the third line. It creates a clearer framework for assigning tasks and responsibilities across the defense lines.

In practical terms, tasks across the Three Lines of Defense can be delineated as follows:

  • First Line: Day-to-day business operations, security control implementation, continuous monitoring, and reporting to senior management.
  • Second Line: Tactical analysis, identifying emerging issues, setting risk management goals, consulting with the first line, and reporting to senior management.
  • Third Line: Independent analysis against standards, laws, and regulations, reporting to senior management and the board or audit committee.

By reimagining the roles within the Three Lines of Defense, organizations can better allocate responsibilities, ensuring a more efficient and effective risk management structure that aligns with modern business practices and complexities. This approach facilitates better risk management and compliance without creating an environment of distrust or misunderstanding among the defense lines.

Author: Prof. Nancy Dach