Three Lines of Defense

It can be difficult to allocate responsibilities in risk management. In practice, especially in the case of information security risks, people often refer to the CISO or the Security Officer, and if there is no such position, the focus will shift to the IT Manager or CIO. The Three Lines of Defence model (3LOD), or nowadays simply the Three Lines Model, provides a framework for company-wide risk management structures. It helps in allocating roles and responsibilities and aims to create insight into how the organisation is “in control” in terms of risk management.

What is the Three Lines Model?

Understanding risks at the right level requires reporting according to the requirements of the different levels and, above all, clear responsibilities at each level. Taking the specific information security process as an example, the three lines of this model can be described in the following simplified terms:

  1. The first line is the implementing, operational layer. This is the IT department, which is responsible for implementing information security measures. This layer is also responsible for the risks associated with achieving its own objectives.
  2. The second line is the internal control (or internal management) function. This line advises the first line on the risks and supports the first line in taking appropriate measures for those risks. Many companies refer to this function as the “GRC” (Governance Risk Compliance) function. Logically, the CISO or Security Officer is part of this second line too.
  3. The third line is the audit function, for instance, the Internal Audit department. This line assesses whether the risks and associated measures have been set up effectively.

This model ensures that risks are allocated to the right level and that they are controlled in an adequate manner. This, then, is also the basis for sound (and comprehensive) reporting.

How can we help you implement the Three Lines Model?

We have used the Three Lines Model for various companies in setting up their IT Risk Management. These companies ranged from small businesses to listed companies and we always started with the premise that gaining an understanding of the risks was the goal. Aiming for the measures to be completely effective does not give a company the right tools to take steps in risk management; aiming for a complete understanding of the risks and the status of the measures does. The Three Lines Model helps you to allocate responsibilities correctly and to define the reporting structure.

Wij zijn Cuccibu

Interesse of vragen?

Please feel free to contact us via We would be happy to help you find the solution that best suits your company’s needs.

 “We believe that you create added value through secure and responsible digitisation. This leads to opportunities for individuals, companies and society as a whole.”