    The 3 Lines of Defense Model

    What do the fortifications of Carcassonne and Internal Control have in common? They both involve lines of defense that serve to protect the castle on one hand, and to reduce and manage risks on the other.

    In the context of governance, internal control, and risk management, the Three Lines of Defense Model is often discussed.

    This concept, initiated by the Institute of Internal Auditors (IIA), primarily aims to reduce risks associated with errors and fraud in businesses.

    What exactly does it entail? What is the role of each line of defense? Discover this through concrete examples encountered in the field.

    Figure: Three lines of defense model

    The Role of the Three Lines of Defense

    The “warrior” origin of the term line of defense perfectly illustrates its role against adverse events and risks. The occurrence of such events can be reduced if the organization is well-defined and each line performs its role effectively.

    The first line of defense represents risk management and controls handled by operational staff. These first-level controls are essential because they are directly related to the delivery of products or services to customers.

    The second line of defense represents risk management and controls performed by support functions such as the Head of Internal Control, the Risk Manager, or the Compliance Officer. They initiate the controls and ensure their proper execution by the first line.

    The third line of defense is the company’s internal audit, which is responsible for the administration of controls and, more broadly, the management of the risk control process.

    The first two lines are directly driven by the Executive Management, which initiates the strategy and sets objectives. Regularly, these two lines must report to the Management the results of the controls and actions implemented. The third line of defense, meanwhile, is more independent and provides assurance and advice to the Executive Management and the Board of Directors.

    Figure: 3 lines of defense model

    Here are two concrete examples to illustrate the Three Lines of Defense Model.

    The Three Lines of Defense Model, example in a show ticket office

    Let’s consider an example that everyone can understand: a show ticket office where there might be risks of errors or fraud. Controls can be implemented at multiple levels to manage these risks.

    Figure: 3 lines of defense model, show ticket office example

    The Three Lines of Defense Model, example in a bank

    The Three Lines Model is very prevalent in the banking sector. For example, when creating new customer accounts, banks must conduct checks to ensure that the potential customer does not pose a risk to them.

    Here is a concrete illustration of what the three lines of defense might look like in this activity.

    Figure: 3 lines of defense, bank example

    Continuous and periodic control

    The concepts of continuous control and periodic control are sometimes associated with the Lines of Defense. Is there a link between these two concepts?

    Continuous control covers the daily checks carried out by operational staff in the context of processing transactions (first level) and by internal control, risk management, and compliance (second level).

    Periodic control allows for a certain perspective and encompasses the controls conducted by internal audit (third level).

    Figure: periodic and continuous controls

    Are there other lines of defense?

    Depending on the industry, it is possible to find additional lines of defense. This may be related to the prevailing regulations or simply to the organization of the company.

    The fourth line of defense, although not always formalized, is present in many companies: it consists of the external entities in charge of audits.

    The fifth line of defense is more specific to certain sectors such as banking. It consists of regulatory bodies such as the ACPR in France, FINMA in Switzerland, or BaFin in Germany.

    The Three Lines of Defense Model is thus an essential tool to help companies adopt a structure and processes that are effective in reducing risks and achieving their objectives.

    The use of internal control software and risk management software also supports this by simplifying the management of controls and risks.

    Updated on 02 July 2024
