
Is the three lines of defense model actually working for anyone?

by Maya Johansson · Enterprise Risk Management · Mar 29, 2026 · 3 replies · Answered


Genuine question — does the three lines of defense model actually work in practice, or has it become one of those things we all put in our policy documents but nobody really follows?

I've worked at three different financial institutions and at every single one the framework breaks down because:

  • First line business owners treat compliance as "not my job"
  • Second line compliance teams are too small to actually challenge the first line
  • Third line internal audit just produces reports that nobody reads

The IIA updated their model a few years back (dropping "defense" in favor of just "three lines model") which I thought was interesting but didn't really change anything practical.

Has anyone actually made this governance approach work well? What did it take?

Maya Johansson
Member since Apr 2026
1
Accepted answer

I think the problem isn't the three lines of defense model itself but how most organizations implement it. They treat it as an org chart exercise rather than a cultural one.

The one place I saw it work well was an institution where the first line managers had compliance KPIs in their performance reviews. Not vague ones like "support compliance objectives" but actual measurable stuff — percentage of alerts reviewed on time, number of policy exceptions, quality scores from QA. When it hits their bonus, suddenly compliance is their job.

The model specifically tends to fail in banking because banks bolt it onto an existing structure instead of building roles around it. If your relationship managers don't understand they're the first line, no amount of policy will fix that.

Amit Desai
Member since Apr 2026
7

3 replies

Amit nailed the cultural piece. A few structural things that help too:

Clear escalation paths — The model works when each line knows exactly what to escalate and to whom. Most failures happen in the gaps between lines, not within them.

Right-sized second line — The second line can't be three people overseeing 500 first-line staff. If your compliance team is chronically understaffed, the framework will fail regardless of how good it looks on paper.

Board reporting that connects the lines — When board risk reports show first-line metrics alongside second-line assessments and third-line findings, the whole structure becomes visible and accountable.

The IIA's updated "three lines model" mostly rebranded the same concepts but it did make one useful point: the lines should be collaborative, not adversarial. If your first line sees compliance as the enemy, you've already lost.

LexFlag Team
Apr 2, 2026 at 11:47 AM
2

Honestly I think smaller organizations struggle with it most because people wear multiple hats. I've literally been the first AND second line at a previous job which makes the whole segregation of responsibilities kind of meaningless.

For mid-size firms where perfect separation isn't realistic, I've found a "1.5 lines" approach works better — embed compliance champions in the business teams and have a lean central compliance function that sets standards and does quality assurance. It's not textbook but it's better than pretending you have a model you can't actually staff.

Nadia Osei
Apr 3, 2026 at 8:47 AM
0
