Are you a Spartan! Three Lines of Defense to Three Lines Model

By Alia Noor, FCMA, CIMA, MBA, Oxford fintech programme, GCC VAT Comp Dip, COSO Framework
Associate Partner Ahmad Alagbari Chartered Accountants


The ‘Spartan’ army was the most dominant in ancient Greece,
and its prowess was built on the strategy of a unique “phalanx formation”:
soldiers lined up side by side, locking their shields together and moving toward
their enemies, stabbing with their long spears.


In today’s world, an organization’s combat forces are the “Three Lines of Defense Model” or the updated “Three Lines Model”, which help an organization grow, strengthen and win by building a match-fit, defensive team that works together and avoids gaps in risk management or duplication of effort.

The success of any business strategy is closely linked to an organization’s understanding and command of risk. An organization’s major combat is to identify and manage all kinds of risks: strategic, operational, financial, compliance or reporting.

In July 2020, the IIA replaced the “Three Lines of Defense model” with the “Three Lines Model.” This updated model helps organizations identify structures and processes that help in the achievement of objectives and facilitate better governance and risk management.


Comparison: Old vs. New Model


In the new model, the role of “compliance” is excluded from the second line and shifted to the first line, i.e. management, along with the “risk management” responsibility.


The ‘Spartan’ success tactic was discipline!! …
Follow the key and get the maximum value out of your lines of defense!

The new Three Lines Model delineates the “Roles and Responsibilities” of the governing body, as well as executive management and internal audit. These roles are not limited to risk management but focus on the overall governance of the organization.


The ‘Spartan’ success tactic was discipline!! …
The ‘Spartan’ armies, though small, were well disciplined and
almost unbeatable in combat due to their battle technique, the “phalanx.”



Relationships between the Governing body and Management (both first and second line roles)

The Chief Executive Officer (CEO) may be a member of the governing body and may even be its chair. In all cases, there needs to be strong communication between management and the governing body. The CEO is typically the focal point for this communication, but other senior managers may have frequent interactions with the governing body.

Organizations may wish, and their regulators may require, leaders of second line roles such as a Chief Risk Officer (CRO) and a Chief Compliance Officer (CCO) to have a direct reporting line to the governing body.


Relationships Between Management (both first and second line roles) and Internal Audit

There must be regular interaction between internal audit and management to ensure the work of internal audit is relevant and aligned with the strategic and operational needs of the organization, and to ensure there is no unnecessary duplication, overlap, or gaps.


Relationships Between Internal Audit and the Governing Body

The governing body is responsible for oversight of internal audit, which requires ensuring an independent internal audit function is established.

Remember, the model does not work as a one-size-fits-all model. It must be configured and implemented in line with the goals and environment of the entity.



There are now six (6) fundamental principles on which the new Three Lines Model is based:

Principle 1: Governance of an organization requires appropriate enabling structures and processes.
Principle 2: Governing body’s role is to create enablers for governance and align entity objectives to stakeholders’ expectations.
Principle 3: Management is responsible to achieve organizational objectives through first and second line roles.
Principle 4: Internal audit provides independent and objective assurance and advice as the third line role.
Principle 5: Internal audit is independent from management.
Principle 6: All roles work together to collectively contribute to the creation and protection of value.





Management serves as the first and second line in the updated model because they are the process owners and are responsible for risk management; they implement and own the controls designed for the systems and processes under their guidance.

In practice, first and second line roles can be mixed or distinct.

“First line roles” are most directly aligned with the “delivery of products and/or services to clients” of the organization and include the “roles of support functions” and management of risk.

“Second line roles” provide complementary expertise, support, monitoring, and challenge to those with first line roles. Some second line roles may be assigned to specialists.

However, responsibility for managing risk remains a part of first line roles and within the scope of management.


Below are some of the challenges faced by the first and second lines, “the Risk Owners”:

To achieve effective “Enterprise Risk Management”, Management must focus on being ‘proactive, rather than merely reactive’, to drive competitive advantage and sustain future profitability and growth.

The effectiveness of the first line is influenced by the ‘risk tone and culture from the top’ set by the Board. They are responsible for execution, implementation, and monitoring through management controls.

Management should communicate to the board changes that bring new risks and threats to the organization, for ‘timely adjustment in risk appetite & tolerances’.

Another challenge is rapid change in the external environment that continually creates unexpected ‘Opportunities and Risks’; the challenge is to seize opportunities and avoid inherent risk.

Risk reports should reach the right people at the right time for informed decisions and should be ‘Dynamic Risk Reporting’, taking into consideration the velocity by which existing risks are changing and new risks are emerging with mitigation strategies.







‘Third line: Internal Audit’: an independent internal audit function will, through a risk-based approach to its work, give assurance, advice and unbiased evaluations of the results of both the first and second lines of defense (management) and report findings to the governing body.

The ‘Spartans’ were more multi-dimensional than often imagined: the polis
was almost universally literate, excelled in music and dance, produced sculptors,
philosophers, and poets, and engaged in an array of sports and athletics.

‘Internal Audit’, facing emerging risks, must enlist innovative tools, skills, and methods for providing assurance, like the ‘Spartan mindset of multi-dimension’.








Below are some of the challenges that are faced by the third line:

“Whether emerging risks are on a firm’s doorstep, around the corner, or on
the far horizon, they have the potential to catch organizations unaware”.

Internal Audit must understand “emerging technologies and their risks”, such as Blockchain, Machine Learning and Artificial Intelligence, which will have significant global impact.

Focus on implementing a ‘risk-based approach to planning and executing’ the audit process and directing resources to the areas most important to the organization, seeking the cost-effective way.

‘Challenging the basis of management’s risk assessments’ and evaluating the adequacy and effectiveness of risk treatment strategies is the most critical challenge.

The ‘role of internal audit’ needs to be re-aligned with the strategic risks of the organization. Practically, internal audit is not part of the strategic session or decision, which blinds it to the key areas to be focused on, which are and might be important for the board.



All three lines should join forces and work together to protect the organization and achieve the common goal, enabling the business to succeed, meet customer and shareholder expectations and be profitable.

The word “Defense” is removed from the title. The new model no longer looks
only at defense, or at protection of value, but at the creation of value,
enhancing risk management and, even more, internal audit.

The IIA indicates that the new model recognizes that management, compliance and internal audit must work together to mitigate risk, and changes were intended to “identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management.”