Why the Three Lines Model Solves the Wrong Problem
A series of essays on Risk Intelligence
The Three Lines Model has become one of the most widely adopted organising frameworks in modern governance. Boards recognise it. Regulators reference it. Assurance functions are designed around it. For many organisations, it provides a comforting sense that risk ownership, oversight, and assurance have been properly allocated.
That familiarity is precisely its strength. It is also its weakness.
The Three Lines Model was designed to answer a particular question: who is responsible for managing, overseeing, and independently assuring risk? In relatively stable environments, with well-defined processes and observable controls, this is a reasonable question to ask. Clear accountability matters. Duplication can be wasteful. Gaps can be dangerous.
The problem is that most contemporary organisational failures do not arise because responsibility was unclear. They arise because reality was misunderstood.
The Three Lines Model assumes that risk is something that can be cleanly separated into layers of defence. Management owns it. Oversight challenges it. Assurance tests it. Information flows upward. Assurance flows back. The architecture is linear, sequential, and ordered.
But the dominant risks facing organisations today are not linear. They are behavioural, systemic, and emergent. They arise from interactions between incentives, culture, strategy, technology, and external ecosystems. In such conditions, the central challenge is not allocation of responsibility, but collective sensemaking.
The model therefore solves the wrong problem. It is optimised for control assurance, not for understanding uncertainty.
This is not a criticism of the intentions behind the framework. The modern articulation of the model by the Institute of Internal Auditors explicitly acknowledges the importance of coordination, communication, and organisational context. But the underlying metaphor remains one of layered defence. That metaphor quietly shapes behaviour.
Linear defence models encourage a belief that if each line performs its role diligently, risk will be contained. They promote a division of labour that works well for testing controls, but poorly for integrating insight. Over time, this division creates distance between those closest to emerging risk and those formally responsible for challenging it.
In practice, the first line becomes focused on delivery and compliance. The second line becomes focused on frameworks, policies, and oversight processes. The third line becomes focused on assurance plans and auditability. Each line can perform competently, even impressively, while the organisation as a whole drifts towards surprise.
The difficulty is not incompetence. It is fragmentation.
Information does not move through organisations as cleanly as the model implies. Signals are interpreted, softened, reframed, or filtered as they cross organisational boundaries. By the time they reach formal escalation points, much of their ambiguity has been stripped away. What remains is often reassurance, not insight.
This creates a subtle but pervasive problem. Challenge becomes something that happens after management has stabilised a narrative, rather than while uncertainty is still live. Oversight focuses on whether processes were followed, not on whether assumptions still hold. Assurance tests the design and operation of controls that may already be misaligned with reality.
In this environment, the model unintentionally reinforces the ritualisation of risk management. Each line can demonstrate diligence within its remit. Artefacts move smoothly through governance forums. Boards receive assurance that roles are clear and processes are operating. What they receive less reliably is early warning.
The model also struggles with risks that do not sit neatly in one line. Cultural drift, incentive distortion, strategic overreach, and ecosystem dependency cut across organisational boundaries. They are not “owned” in the way operational risks are owned. As a result, they are often discussed everywhere and acted on nowhere.
This helps explain why so many post-mortems conclude that risks were “known” but not acted upon. Knowledge existed, but it was distributed, partial, and unintegrated. No single line felt authorised to convert unease into intervention.
None of this implies that the Three Lines Model should be abandoned. It performs a valuable function in clarifying accountability and preventing obvious gaps in assurance. The mistake is to treat it as a sufficient architecture for governing uncertainty.
When organisations rely on it as the primary lens through which risk is understood, they confuse control with comprehension. They mistake clarity of structure for clarity of insight. They assume that because responsibility is allocated, understanding will follow.
It does not.
The central question for boards is therefore not whether the Three Lines Model is in place, but what sits alongside it. Without mechanisms that deliberately integrate perspective, surface weak signals, and hold uncertainty open long enough to be examined, linear defence frameworks will continue to function smoothly while risk accumulates unseen.
The danger is not that the lines fail. It is that they succeed at the wrong task.
About the author
Richard Anderson is a board chair, non-executive director, and risk-governance practitioner with over three decades of experience across financial services, payments infrastructure, critical national infrastructure, and regulated industries. A Chartered Accountant and LSE graduate, he has chaired and advised boards through periods of structural change, regulatory scrutiny, and institutional stress. His work focuses on Risk Intelligence, trust, behavioural risk, and governance under uncertainty, and he is the co-founder of RiskMetrica.


I'm intrigued. Would you consider this an example of the type of failure that you envisage?
As computers increasingly become embedded in sensors and actuators, some types of device, notably medical measurement/intervention devices and smart meters, will change behaviour over time. This is an opportunity that should be exploited (new insights can be rapidly exploited/risks avoided), but existing models of validating devices based on a one-off evaluation will fail.
I've seen this not picked up well by the MHRA, which has validation cycles designed for hardware-defined devices that take many iterations of a software-defined device to execute. Also, Ofgem/OPSS seem to have gaps in who is picking up smart meter failures that may be difficult to spot for consumers, and which may have a significant effect on vulnerable consumers.