First Line Operations, Second Line Oversight, Third Line Audit — How It Actually Works in Practice
The Three Lines of Defence model — sometimes referred to as the “Three Lines Model” following the IIA’s 2020 update — is the foundational risk governance framework adopted across UK financial services. While not explicitly mandated as a single named requirement in the FCA Handbook, the model underpins SYSC requirements, the SMCR governance expectations, and the substantive supervisory expectations the FCA applies to regulated firms. The three lines — first line operational management of risk, second line risk and compliance oversight, and third line internal audit — provide complementary perspectives on risk management, with substantive independence between the lines being the discipline that gives the model its operational value.
This guide explains how the Three Lines of Defence model actually works in practice — the substantive responsibilities of each line, the independence requirements that make the model effective, the recurring patterns where firms operate the model weakly, and how the framework integrates with broader regulatory expectations. It also covers the recruitment dimension — the senior team across the three lines that effective operation requires.
What’s missing from most online explanations of 3LoD is the practical interpretation. The framework concept is widely known; what’s harder to find is what good substantive operation looks like, where the boundaries between lines genuinely matter, and how the FCA examines whether the model is operating effectively. That’s the gap this guide fills.
Origins and Evolution of the Model
The Three Lines of Defence model was formalised in the Institute of Internal Auditors' 2013 position paper, consolidating an approach that UK financial services firms and their regulators were already using, and it became the standard risk governance vocabulary across the sector. The IIA's 2020 update renamed it the "Three Lines Model", reframed the lines as roles rather than organisational units, and clarified the positions of the governing body and of internal audit, reflecting practical experience with the original framework.
The model operates as a complementary structure for risk management:
- First line — the business, owning and managing risk in day-to-day operations
- Second line — risk and compliance functions, providing oversight and challenge
- Third line — internal audit, providing independent assurance on the effectiveness of the first two lines
Each line has distinct responsibilities, with substantive independence between them being the key discipline that gives the model its value. Where the lines are not substantively independent — where second line is captured by first line, or third line is not genuinely independent — the model fails to deliver effective risk governance.
First Line — The Business Owns the Risk
The first line is the business — operational management, customer-facing teams, product manufacturing, transaction processing, and all activities that generate risk in the course of ordinary business. The first line’s substantive responsibilities include:
Risk identification
The business must identify the risks inherent in its activities — product risks, customer risks, operational risks, conduct risks, and others. Risk identification is contextual; the business knows its activities best.
Risk assessment
For each identified risk, the business assesses likelihood and impact, and compares the resulting exposure against the tolerance set in the firm's risk appetite.
Risk control implementation
The business implements controls to manage identified risks — operational procedures, system controls, training programmes, supervisory arrangements, and similar.
Risk monitoring
Day-to-day monitoring of risk status, with management information flowing to senior business management and onward to second line.
Risk events and issues
The business identifies and reports risk events, control failures, and emerging issues — feeding the broader risk reporting framework.
First line’s risk management function
In larger firms, the first line typically includes its own risk management capability — sometimes called “1.5” — embedded in the business but with risk-specific expertise. This first-line risk function operates closer to the business than second line but with enhanced risk discipline.
Second Line — Risk and Compliance Oversight
The second line provides oversight and challenge to the first line. Two principal second-line functions exist:
Risk function
The risk function — typically led by the SMF4 (Chief Risk Officer) — provides independent risk oversight. Substantive responsibilities include:
- Setting the firm’s risk management framework
- Defining risk appetite and risk taxonomy
- Independent assessment of material risks
- Oversight of first-line risk management
- Risk reporting to senior management and board
- Stress testing and capital framework support
- FCA dialogue on risk matters
See our SMF4 Guide.
Compliance function
The compliance function — typically led by the SMF16 (Compliance Oversight) — provides independent oversight of regulatory compliance. Substantive responsibilities include:
- Setting the firm’s compliance framework
- Monitoring regulatory developments and ensuring firm preparedness
- Compliance monitoring programme execution
- Independent assessment of conduct and regulatory risks
- Regulatory reporting oversight
- FCA dialogue on conduct matters
See our SMF16 Guide.
Other second line functions
Beyond risk and compliance, other functions sometimes operate as second line — including financial crime (typically MLRO/SMF17, see our SMF17 Guide), operational risk specialists, model risk management, and information security in some firms.
Second line independence
Substantive second-line independence is essential to model effectiveness. Independence requires:
- Reporting lines that don’t go through first-line business management
- Resources adequate to deliver oversight effectively
- Authority to challenge first-line decisions substantively
- Direct access to senior management and board
- Compensation structures not aligned to first-line commercial outcomes
Where second-line independence is compromised — through reporting line capture, resource starvation, or commercial pressure — the model fails.
Third Line — Internal Audit
The third line is internal audit — providing independent assurance on the effectiveness of the first two lines. The third line is structurally distinct from the first two lines, with reporting to the audit committee rather than executive management.
Substantive responsibilities
- Independent assessment of the firm’s risk management and internal control framework
- Audit programme covering material risks and processes across the firm
- Assessment of first and second line effectiveness
- Reporting to audit committee with substantive findings and recommendations
- Tracking remediation of audit findings
- Annual assessment of internal audit’s own effectiveness
Internal audit independence
Internal audit independence is structural — the function reports to the audit committee, not to executive management — and substantive — the function must operate without commercial or organisational pressure that would compromise its findings.
Outsourced internal audit
Smaller firms frequently outsource internal audit to third parties (typically professional services firms). Outsourced internal audit must satisfy the same substantive independence requirements while operating under contractual rather than employment arrangements, and under the FCA's outsourcing rules (SYSC 8) the firm itself remains fully responsible for the function. In practice the FCA tests whether outsourced internal audit is substantively independent rather than merely contractually labelled as such: who sets its scope, whom it reports to, and whether the provider has other commercial relationships with the firm.
One of the most consequential aspects of 3LoD operation is whether the lines are substantively independent, not just formally separated. Common patterns of substantive failure include: second line reporting through first-line business management; second line resourced too thinly to challenge effectively; internal audit conducted by accountants who also provide other services to the firm; and third line scope artificially narrowed to exclude commercially sensitive areas. The FCA examines substantive independence, not just organisational separation; a firm with three lines on its organisation chart but compromised independence in practice does not get the protection the model is meant to provide.
How 3LoD Integrates with the Regulatory Framework
The Three Lines of Defence model integrates substantively with multiple FCA regulatory frameworks:
SYSC requirements
SYSC 4 (general organisational requirements), SYSC 6 (compliance, internal audit and financial crime) and SYSC 7 (risk control) provide the substantive regulatory basis for the three lines. See our SYSC Guide.
SMCR governance
The SMF roles and prescribed responsibilities under SMCR map the three lines onto named individuals. SMF1 (CEO) typically carries first-line accountability; SMF4 (Chief Risk) and SMF16 (Compliance Oversight) cover second line; the chair of the audit committee (SMF11 at enhanced-scope firms) oversees third line, with SMF5 (Head of Internal Audit) where that function is required. See our SMCR Guide.
Threshold Conditions
The Appropriate Resources threshold condition requires substantive resourcing across the three lines. See our Threshold Conditions Guide.
ICAAP/ICARA
Capital adequacy assessment is a cross-line discipline — first line risk identification, second line risk methodology, third line independent assurance. See our ICAAP Guide and MIFIDPRU & IFPR Guide.
Operational Resilience
Operational resilience (SYSC 15A) runs across all three lines: the business owns its important business services, the mapping and the scenario testing; second line challenges the impact tolerances and the test results; third line provides assurance that the framework operates as described. The governance expectations are explicit, including approval of the firm's self-assessment by its governing body.
Sector-Specific 3LoD Considerations
Banks and large investment firms
Banks and large investment firms typically have substantial three lines structures — large risk and compliance functions, dedicated internal audit, and clear functional separation. The three lines model is deeply embedded operationally.
Asset managers and wealth managers
Mid-size investment firms often operate three lines with leaner second-line functions, with risk and compliance sometimes combined or operating with shared resources. Internal audit is frequently outsourced.
Smaller firms
Smaller regulated firms face the challenge of operating credible three lines at proportionate scale. The three lines disciplines must still be substantively delivered even where the same individuals hold overlapping responsibilities, and the FCA examines whether substantive independence is maintained despite resource constraints: proportionality governs the size of the functions, not whether the independence disciplines apply.
Payments and e-money firms
Payments firms have faced increasing FCA scrutiny on three lines effectiveness, particularly around second-line capability commensurate with the rapid growth of the sector.
Cryptoasset firms
Cryptoasset firms registered under MLR 2017 face substantive 3LoD expectations despite often operating with leaner organisational structures than traditional financial services firms.
Common 3LoD Pitfalls
Second line capture by first line. Where second-line functions effectively report through first-line business management, with associated commercial pressures compromising independence.
Resource starvation. Where second or third lines are resourced too thinly to deliver effective oversight, particularly relative to the scale of first-line activity.
Inadequate authority. Where second line lacks the authority to challenge first-line decisions substantively, including an effective veto or escalation right on key risk matters.
Internal audit independence compromise. Where internal audit is outsourced to firms with broader business relationships with the regulated entity, or where audit scope is artificially narrowed.
First-line risk management gaps. Where the business doesn’t substantively own its risks, deferring all risk activity to second line.
Three lines without 1.5. Where the business lacks embedded risk capability, with all risk expertise concentrated in second line.
Reporting line ambiguity. Where second-line functions have unclear or matrix reporting lines that compromise independence.
Compensation alignment problems. Where second-line compensation is aligned to first-line commercial outcomes.
Audit committee weakness. Where the audit committee lacks the seniority, expertise, or engagement to direct internal audit effectively.
Three lines collapsing under stress. Where commercial pressure or rapid growth compromises the model operationally, typically because second and third lines are not scaled up in line with expanding first-line activity.
3LoD and Senior Recruitment
Effective Three Lines of Defence operation requires substantial senior team capability across all three lines:
First line
- SMF1 (CEO) — overall accountability for first-line risk management
- SMF24 (Chief Operations) — owning operational risk and resilience. See our SMF24 Guide
- Heads of business lines — owning business-line risk management
- First-line risk and compliance specialists — providing risk capability embedded in the business
Second line
- SMF4 (CRO) — leading the risk function
- SMF16 (Compliance Oversight) — leading the compliance function
- SMF17 (MLRO) — leading financial crime, often considered second line
- Heads of risk specialisations — operational risk, market risk, credit risk, conduct risk, model risk
- Heads of compliance specialisations — regulatory monitoring, conduct compliance, financial crime
Third line
- Chief Internal Auditor / Head of Internal Audit — an SMF (SMF5) at enhanced-scope and PRA-regulated firms, otherwise not an SMF, but in every case a senior role with substantial regulatory significance
- Audit committee chair — providing senior oversight of internal audit
- Specialist internal auditors — covering specific risk areas
For senior recruitment across these roles, see our CRO Recruitment, CCO Recruitment, and broader FCA Regulated Firm Recruitment pages.
A Note from Our Founder — Adrian Lawrence FCA
The Three Lines of Defence model is the foundational risk governance discipline across UK financial services — and the area where strong and weak firm practice diverges most visibly. Firms with substantively independent three lines, appropriate resourcing across all three, and senior leadership taking risk governance seriously typically run their FCA dialogue from a position of strength. Firms operating compromised three lines — second line captured, third line under-scoped, first line without genuine ownership — frequently find supervisory pressure intensifying as the FCA tests substantive effectiveness.
The recruitment angle that comes up most often in our placements is the senior team capability across the three lines. Strong CROs and Heads of Compliance demonstrate that they can lead second-line functions with substantive authority and independence — engaging with first-line business managers as substantive challenge providers, not as compliance facilitators. The candidate pool with this combination of skills is genuinely tight at SMF level, and the difference between strong and adequate candidates is meaningful.
For internal audit specifically, the chief internal auditor or head of internal audit role has become more substantively important since SMCR. Even though typically not an SMF role itself, the head of internal audit reports to audit committee and engages with FCA dialogue substantively. Hiring boards looking at this role should treat it as a senior leadership appointment with regulatory significance, not a technical accounting role.
At FD Capital we work on senior risk, compliance and audit mandates regularly across UK regulated firms. If you are recruiting senior leadership across the three lines and want to discuss the framework dimension, I’m happy to have a direct conversation.
Adrian Lawrence FCA | Founder, FD Capital | ICAEW Verified Fellow | ICAEW-Registered Practice | Companies House no. 13329383
Hire Senior Risk and Compliance Leaders
Effective Three Lines of Defence operation requires senior leadership across risk, compliance and internal audit. FD Capital places SMF4 holders, SMF16 holders, Heads of Internal Audit, and senior risk/compliance leaders across UK regulated firms.
020 3287 9501
Further Reading and Authoritative Sources
For the IIA’s Three Lines Model, see the IIA’s 2020 update. For the SYSC framework, see SYSC in the FCA Handbook.
Related Guides: Prudential, Risk and Authorisation
Part of FD Capital’s series of practical guides for FCA-regulated firms: ICAAP — Internal Capital Adequacy | MIFIDPRU & IFPR | Wind-Down Planning | SYSC — Senior Management Arrangements | PRIN — The 11 FCA Principles | SMF4 — Chief Risk Officer | SMF16 — Compliance Oversight | SMCR — Pillar Guide | Operational Resilience