The Three Lines of Defence – An Introduction

What you can expect …

  • An introduction to the benefits of an integrated Governance, Risk & Compliance approach

  • A simple overview of the Three Lines of Defence model and its benefits for organizations

  • A list of the most essential elements in an effective management system as well as the roles within a GRC function


Thomas Müllner is a consultant and account manager focused on Governance, Risk & Compliance at BOC Group.

The Governance, Risk & Compliance (GRC) system in a company or organization indisputably represents an essential component of corporate governance. Various management functions such as Risk and Compliance Management, Internal Control System, Security Management, Data Protection or Emergency and Crisis Management serve to protect the company from dangers and risks and to ensure its continued existence.

The technical and organizational design of these functions plays a decisive role in terms of how effectively and efficiently these tasks can be performed.

When setting up a GRC system, there are basically two strategies: the isolated systems approach, known as "management islands", and the integrated approach, which creates synergies between the individual functions.

In the first, isolated approach, each GRC function defines a management system for itself, without considering its dependencies on the other GRC functions or the impact on the operational units. By comparison, it is usually more promising to set up a GRC system that integrates the various management functions.

Isolated Approach

  • No coordination in terms of methods
  • Use of different systems
  • Inhomogeneous data stock
  • Operational units are confronted with a multitude of different requests
  • Inefficient performance of tasks
  • Historical or cross-sectional observations are hardly possible

Integrated Approach

  • GRC functions work “hand in hand” & speak the same language
  • Unified system with a common data set
  • Consistent and reusable data across the entire organization
  • Efficient task fulfillment for all parties involved
  • Historical and cross-cutting views allow extended analysis

This comparison makes it clear that following an integrated approach when setting up your company's GRC system is the better choice. The integrated approach requires greater coordination between the individual topics; however, the advantages of an integrated GRC system speak for themselves. The Three Lines of Defence (TLoD) model, as described by the European Confederation of Institutes of Internal Auditing (ECIIA) and the Federation of European Risk Management Associations (FERMA), has proven its worth as a basis for setting up and operating a GRC system.

A brief introduction to the Three Lines of Defence

The Three Lines of Defence model is a recognized and proven model for organizing and explaining the various efforts and issues involved in managing an organization's risk. The model divides an organization into three lines of defence, which define the tasks of the operational units, of the GRC functions and of independent monitoring respectively.

Operational Management as 1st Line of Defence

The first Line of Defence is Operational Management. From an organizational structure point of view, this typically consists of the department or division heads who carry functional responsibility for all processes in their area. The tasks within the organizational unit are structured and defined via these processes. Process responsibility goes hand in hand with responsibility for key figures, risks, controls and adherence to compliance requirements: whoever owns the process also owns its risks and the controls that mitigate them.

GRC Functions or Assurance Services as 2nd Line of Defence

The "system guardians" of the various disciplines form the second Line of Defence. They define the procedures and methods by which the tasks and duties of their respective function are performed and fulfilled, and they support and monitor the first line in doing so. These include functions such as:

  • Process Management
  • Risk Management
  • Internal Control System
  • Compliance Management
  • Corporate Security Management
  • Data Protection (DPR)
  • as well as Quality Management, Environmental Protection and Occupational Safety

Internal Audit as 3rd Line of Defence

In the third Line of Defence, Internal Audit assumes the tasks of independently monitoring and supervising the GRC or governance system, and of auditing its effectiveness and efficiency. External auditors complement this assurance from outside the organization.


3 important tasks that your GRC functions should fulfill in any case

1  Define the governance structure of a GRC function

The definition of the governance structure covers all tasks that need to be completed in order to define the system for the function in question. For this purpose, basic definitions must be made for each system with regard to roles, the methods used, tool support, knowledge management, maturity measurement and support for the operational units, among other things. These definitions are typically recorded in manuals or guidelines that serve as instructions for operational management.

In the context of integrated GRC, this task is of particular importance, since the coordination of essential topics (role definition, methods, tools, etc.) takes place on a cross-functional basis.

2  Strategic management of the GRC function

Strategic management in the context of a GRC function involves setting up a data structure in which the operational units can classify the results of their tasks, for example the top level of the process map, or the definition of risk categories and control groups. Based on this structure, the plan for implementing the tasks in all relevant organizational units is drawn up, including resource planning for the GRC function and for the operational units.

In addition to the planning and implementation of tasks, monitoring task progress and handling escalations are also typical responsibilities of the strategic management of a GRC function.

3  Tasks of operational management

Operational management is of particular importance in the context of the Three Lines of Defence model. After all, every task a GRC function assigns to it must be completed conscientiously and on time, on top of day-to-day business. This usually leads to a juggling act in which a balance between the various tasks has to be found.

It is therefore very important for the GRC functions at the second line of defence to coordinate as closely as possible, so that the operational units can perform their tasks efficiently. In any case, duplicate or multiple collection of the same data should be avoided, so that unnecessary resources are not tied up at the operational level.

In general, operational management must perform a number of tasks for each GRC function. The primary goal should be that a task which serves several management systems is performed only once, and its result reused.

Get the most from an integrated GRC system

The Three Lines of Defence model is ideally suited for dividing up the individual topics and tasks of enterprise-wide risk management among the different levels of corporate management. Using the model merely to define terms or assign responsibilities, however, would leave much of its potential unused.

The full benefit of this approach is realized once those responsible for the systems along the 2nd Line of Defence recognize the potential of working together to resolve cross-cutting issues, and thereby give operational management the opportunity to complete the required tasks efficiently, comprehensively and on time. Mapping the Three Lines of Defence also enables collaboration across the lines, especially between the 1st and 2nd Lines of Defence.

In addition, the resulting integrated and centralized database spares the internal and external auditors time-consuming data collection. Data that is immediately available, unambiguous and historically traceable reduces the effort required for analysis. This frees up resources in the audit function that can be used to develop improvement potential and for consulting activities.

The success factors of an integrated GRC based on the Three Lines of Defence model are:

  • Collaboration of the management functions along the 2nd line of defence when defining the governance structure and in strategic management
  • Definition of common methodologies and use of unified tool support
  • Use of a common language for the same topics throughout the organization

BOC Group has many years of experience in consulting and implementation of an integrated GRC system and offers not only expert advice, but also comprehensive tool support as well as training for successful implementation and continued operation.

We would be pleased to accompany you on your transition to a process-oriented, integrated GRC system!



Together we’ll discuss …

  • the integration of GRC functions in your company
  • the possibilities of ADONIS NP and the GRC Suite to implement a process-oriented and integrated GRC system
  • the implementation of a GRC assessment to determine the status quo and roadmap development


Subscribe to this article series and learn in 6 parts how to successfully make the transition towards an integrated GRC.