The Three Lines Model – 3 Reasons Why I Don’t Like It

Everyone likes a clear-cut template that offers an easy way to create or manage something…I mean what’s not to like about a step-by-step process for accomplishing what you want?

Sometimes this can work without any issues, such as the case with the Project Management Book of Knowledge (PMBOK), ISO 9001 standard, or a new cooking recipe.

However, as I’ve discussed in a previous article, applying standards and frameworks verbatim and actually meeting your company’s needs is the exception rather than the rule. What often happens is that the seamless integration and value promised by the standard or framework runs headlong into the cold, hard reality of your company’s culture, industry, sector, geographic location, and a host of other factors.

Nowhere does this fact apply more than with the Three Lines Model.

Developed by the Institute of Internal Auditors (IIA), the Three Lines Model is simply a guidance model for corporate governance and risk management, or as explained in the book Combined Assurance:

“Several organizations widely use the concept of three lines of defense to list all functions performing risk management and assurance activities to ensure that risks are appropriately addressed in the manner required by the Board and stakeholders. The objective is to coordinate risk management and control activities as well as assurance activities.”

Its traditional role has been to ensure risks don’t slip through the cracks and cause trouble for the company. The latest iteration of this model released in 2020 drops the word “defense” and acknowledges the necessary role any model or standard should play in helping the company achieve objectives.

Although the Three Lines Model has been around for many years, as has my blog, I’ve never really written about it until now.

Why now, you ask?

The answer is simple – it hasn’t been a focus of mine because I just don’t like the concept of the Three Lines Model. However, since I frequently see it referenced in articles, comments, and emails to me, I thought it was worthwhile to provide my perspective.

While the new iteration of the model is somewhat of an improvement since it drops the ‘defense’ label and places greater emphasis on achieving objectives, it still retains the concept of three separate lines (i.e., Governing Body, Management, and Internal Audit).

This leads to the first reason why I don’t like the Three Lines Model.

  1. Creates a wall or partition between different areas of the company

The simple structure of this model leads to at least the perception that the company is segmenting these different areas and putting them into their own camps – like one of those accordion style partitions. Companies unintentionally do this already, so creating yet another “wall” will not be helpful. This “silo” approach inevitably leads to missed risks and opportunities.

Instead, ERM should serve as an internal consultant whose mission is to make sure business units and executives have the risk information and perspective needed to make the best decisions possible. After a decision is made, ERM shifts into a support role for implementing the decision and managing any risks and opportunities around it. The separation inherent with the Three Lines Model implies that ERM is the “gotcha” people rather than a vital partner in managing the company for success.

  2. Its inflexibility doesn’t account for the company’s unique needs

More and more lately, we’ve been discussing the importance of being agile in an environment characterized by constantly shifting sands. Like the COSO ERM framework, the Three Lines Model is very prescriptive. Saying models like these can apply to all companies is too generic, especially as needs can (and do) vary based on industry, sector, and many other factors.

Therefore, in the case of the Three Lines Model, saying there are three distinct lines really doesn’t allow for any customization, which is a characteristic that any standard or framework must absolutely possess in my opinion. The book Strategic Risk Management: New Tools for Competitive Advantage in an Uncertain Age states:

“All business entails risk. Wise managers work not just to eliminate, mitigate, or transfer risk, but also to leverage it.”

Can an inflexible tool like the Three Lines Model help a company do that?

  3. Terms can be confusing

Similar to other frameworks and standards, the Three Lines Model uses terminology that can be confusing to anyone outside of the auditing world. Let me reiterate that ERM or any other effort will not be successful when it is based on confusing technical jargon that no one in your company understands.

Instead, you need to adopt the language of the business and decision-makers so they can understand what you do and how it contributes to the company’s success. As an example, the Three Lines Model says the “roles” of the Governing Body line are integrity, leadership, and transparency. I don’t know about you, but these seem like attributes to me, not roles. As I mentioned earlier though, since the Three Lines Model was written by auditors, it will necessarily include that type of lingo.

The Three Lines Model is heavily favored by auditors because it places clear and distinctive lines on who is responsible for what. By their nature, they want things very black and white and auditable.

However, this sort of cut-and-paste approach rarely, if ever, provides the support needed to help a company succeed. As Horst Simon emphatically states:

“Too often we are looking to implement a model…when we should be focused on shifting a mindset.”

In the end, it’s culture and the overall mindset of the company, and not adherence to some standard, that will make the difference between success and failure.

Has your company used the Three Lines Model for managing risks and opportunities? If so, how did it ultimately work out?

This is most certainly a topic with varying perspectives and opinions. As always, we want to hear everyone’s perspective, even if you disagree with my take on this subject. To share your thoughts, leave a comment below or join the conversation on LinkedIn…just keep it professional.

If your company has tried the Three Lines Model or another standard or framework and been disappointed by the results, reach out to me through my contact page or schedule a call today to discuss your situation.

Meet Carol

Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.
