(024) 7460024 Ext 112 spi@undip.ac.id

The Three-Line Model is an update to the previously familiar Three Lines of Defense, clarifying and strengthening the underlying principles, broadening the scope, and explaining how key roles in organizations work together to facilitate strong governance and risk management.

Key Roles in the Three Line Model

Various organizations have large differences in the distribution of responsibilities. However, the following outline of roles can be used to emphasize the Principles of the Three Line Model

The Governing Body

  • Have accountability to stakeholders to supervise the organization.
  • Engage with stakeholders to monitor their interests and transparently communicate the achievement of the organization’s goals.
  • Fostering a culture that promotes ethical behavior and accountability.
  • Establish governance structures and processes, including required support committees.
  • Delegate responsibilities and provide resources to management to achieve organizational goals.
  • Determining the organization’s risk appetite and exercising risk management oversight (including internal control)
  • Maintain control over compliance with laws, regulations, and ethical values.
  • Establish and supervise an independent, objective, and competent internal audit function.


First Line Role

  • Leading and directing actions (including risk management) and applying resources to achieve organizational goals.
  • Maintain an ongoing dialogue with the governing body and report on plans, realization, and expected results related to the achievement of organizational goals and risks.
  • Develop and maintain adequate structures and processes for operational and risk management (including internal control).
  • Ensuring compliance with laws, regulations, and ethical values.

Second Line Role

  • Provide supporting expertise, support, monitoring, and challenges in the process of managing risk, including :
    • Development, implementation, and continuous improvement of risk management practices (including internal control) at the process, system, and entity levels.
    • Achievement of risk management objectives, such as compliance with laws, regulations, and ethical behavior; internal control; technology and information security; continuity; and quality assurance.
  • Provide analysis and reports on the adequacy and effectiveness of risk management (including internal control).

Internal Audit

  • Maintain primary accountability to management organs and independence from the implementation of work that is the responsibility of management.
  • Communicate independent and objective assurance and advice to management and management organs regarding the adequacy and effectiveness of governance and risk management (including internal control) to support the achievement of organizational goals, as well as promote and facilitate continuous improvement.
  • Report the damage to independence and objectivity to the organ of the management and implement the required safeguards.

External insurance provider

  • Provides additional insurance for:
    • Fulfill the expectations of legislative and regulatory provisions in order to protect the interests of stakeholders.
    • Fulfill the requests of management and board organs to complete internal assurance resources


Next >> Three Lines Model (Part 2)