An organisational model of accountability in which operational management owns risk, risk and compliance functions provide oversight, and internal audit provides independent assurance to the governing body.
In practice, the model, refreshed by the Institute of Internal Auditors in 2020 as the Three Lines Model, replaces the older, rigid three-lines-of-defence framing with a more collaborative structure that distinguishes the roles of the governing body, management (which performs both first-line and second-line roles), and internal audit. In financial services and regulated AI programmes it remains the dominant frame for allocating control ownership: the team building a model is not the team that validates it, and internal audit stays independent of both. Supervisors expect roles, reporting lines, and escalation paths to be documented in policy.
A bank deploying a credit-scoring model assigns the first line to the lending business, which owns the model's outcomes; the second line to model risk management, which challenges the model's assumptions and reports outside the lending business; and the third line to internal audit, which periodically tests whether the controls operate as designed and reports to the governing body.
This definition is maintained by Moweb partners and used in live client engagements. For how Three lines of defence applies to your estate, or to challenge a working definition, speak to a partner.