Our vision of the Three Lines Model Framework
In control with Three Lines Model
The new Three Lines Model (3LM) is the successor to the Three Lines of Defence (3LOD) model, which is regarded worldwide as the standard for risk management. With this model, an organization is set up in a certain way so that the outside world can see that the organization is in control.

The three lines in a row
The Organization (1st line)
This group is ultimately responsible for the choices that are made and the risks that are taken in daily practice.
Control (2nd line)
This group develops the systems for good risk management and control processes, always in support of the management.
Internal Audit (3rd line)
This group provides assurance to senior management about the quality of management and control in certain areas within the organization.
Good Coordination of Work is key to the Functioning of the Three Lines Model
Within the 3-lines of defence model, management (the first line) is most able to manage risks and be in control. Internal audit, as the third line, must ensure that the control measures and controls are actually operational. The second line has an important role in facilitating the first line with the responsibilities and checking whether or not these are taken care of. The second line has expanded considerably in recent years. As a result, the first line is overloaded with questions from risk specialists such as business control, financial control, CISO, privacy officer and quality assurance officer. Coordination of these activities is the key to the actual functioning of the Three Lines Model. By having an integral risk-based collaboration, the board of directors can obtain the assurance that they are in control.

Three Lines Model
The Three Lines of Defense model from The Global Institute of Internal Auditors was updated in July 2020.
The functions are not only intended to protect the value of the organization, but also to increase it. As a result, we no longer talk about ‘lines of defense’ or ‘lines of defence’.
The goals of the organization are central to all functions. The functions are not silos, but coordinate and work together, each from its own role. The design of the model must be geared to the risks and specific situation of the organization.
The 3LM establishes a stronger link with the objectives of the organization.
1st line
This group is ultimately responsible for the choices made and the risks taken in daily practice.
You want to optimally support the people who are responsible for the most important activities and processes in an organization. GRC information is relevant, but often only if you have to. How do you make it easier for them? How do you bring risk management to life for them? Do they know within which frameworks they have to operate? And how do you effectively conduct a Privacy Impact Assessment without immediately bombarding all teams with a questionnaire of more than 100 questions?
Keywords are: Accountability and reporting.
2nd line
This group develops the systems for a good process of risk management and control, always supporting the ‘business’.
The risk manager, controller, auditor, compliance or security officer (CISO) wants a clear register of risks, controls, compliance sets and, for example, related incidents. NARIS GRC helps the GRC Professional with insight and completeness. Whether you work on the basis of a Risk Control Framework or only do control testing, want to do internal and external audits, or want to comply with a standard, with our knowledge and the flexibility of NARIS GRC you can steer with guts.
Keywords are: Delegation, direction, resources, supervision
3rd line
This group provides assurance to top leadership on the quality of direction and control in certain areas within the organization.
Supervisors, Boards of Directors/Supervision/Commissioners, external auditors or accountants: as an internal auditor you want to report in an effective and relevant way. NARIS GRC can help you with those reports, whether it concerns assurance of audits or controls, risks at chain partners or objectives of the organization itself. From detail to dashboard, internally or externally; look back to steer forward. Fueled by useful GRC information so that the right assurance can be given.
Keywords are: Alignment, communication, coordination, cooperation
Link Risks to Objectives
The organization’s strategy is the basis for setting up your control framework. This helps managers to be accountable to stakeholders and thus gain their trust. With NARIS Next, it is possible to visually link risks and controls. This creates a risk strategy map as the basis for the daily management of the organization.


Encourage Collaboration
Due to legislation or guidelines, such as ISO 27001 and the GDPR (AVG), many separate risk control frameworks have been created. The process within these risk specialisms is always the same and cooperation pays off. With NARIS Next, the frameworks are brought together and cooperation between control, management and internal audit is facilitated.
Quick Start and Assurance via a Knowledge Database
Do you want to create your own control framework or do you prefer to use a best practice? NARIS Next contains several examples of risk & compliance frameworks that are easy to adapt to your organization. With that, most of the administrative work is done and you can focus on what really matters: the key risks and controls.
