https://www.insurerbrain.com/w/index.php?action=history&feed=atom&title=Definition%3AThree_lines_of_defenceDefinition:Three lines of defence - Revision history2026-05-02T16:18:35ZRevision history for this page on the wikiMediaWiki 1.43.8https://www.insurerbrain.com/w/index.php?title=Definition:Three_lines_of_defence&diff=20749&oldid=prevPlumBot: Bot: Creating new article from JSON2026-03-18T03:16:01Z<p>Bot: Creating new article from JSON</p>
<p><b>New page</b></p><div>🛡️ '''Three lines of defence''' is a widely adopted [[Definition:Governance | governance]] and [[Definition:Risk management | risk management]] framework that organizes an insurance organization's controls and oversight into three distinct layers, each with clearly separated responsibilities. Originally popularized in the banking sector and subsequently embraced across the global insurance industry, the model assigns frontline operational management as the first line, [[Definition:Compliance | compliance]] and risk oversight functions as the second line, and [[Definition:Internal audit | internal audit]] as the third line. Insurance regulators worldwide — from the [[Definition:Prudential Regulation Authority (PRA) | PRA]] and [[Definition:Financial Conduct Authority (FCA) | FCA]] in the UK to the [[Definition:National Association of Insurance Commissioners (NAIC) | NAIC]] framework in the United States and [[Definition:Solvency II | Solvency II]] governance requirements in Europe — expect insurers to demonstrate a functioning model of this kind as part of their supervisory obligations.<br />
<br />
⚙️ In practice within an insurance company, the first line consists of the business units and operational teams that own and manage risk daily — [[Definition:Underwriter | underwriters]] assessing and pricing risks, [[Definition:Claims | claims]] teams handling settlements, and [[Definition:Distribution | distribution]] managers overseeing intermediary conduct. These teams operate within the risk appetite and authorities set by senior leadership. The second line comprises functions such as the [[Definition:Chief risk officer (CRO) | chief risk officer's]] team, the [[Definition:Actuarial function | actuarial function]], and compliance officers who set policies, monitor adherence, and challenge the first line's decisions without being directly involved in day-to-day operations. The third line — internal audit — provides independent assurance to the [[Definition:Board of directors | board]] that both the first and second lines are functioning effectively. This separation matters enormously in insurance because the products create long-duration obligations: an [[Definition:Underwriting | underwriting]] error or a [[Definition:Reserving | reserving]] misjudgment today may not surface for years, making robust independent oversight essential.<br />
<br />
💡 The framework has proven especially critical in the context of [[Definition:Delegated underwriting authority (DUA) | delegated authority]] arrangements, where an insurer grants [[Definition:Binding authority agreement | binding authority]] to external parties such as [[Definition:Managing general agent (MGA) | MGAs]] or [[Definition:Coverholder | coverholders]]. Here, the three lines of defence must extend beyond the insurer's own walls: the first line includes the delegated partner, the second line must monitor that partner's compliance with authority limits and conduct standards, and internal audit must periodically verify that oversight mechanisms are working. The [[Definition:Lloyd's | Lloyd's]] market, for example, has placed significant emphasis on how managing agents govern their coverholder networks through this lens. While some organizations have updated the model — the Institute of Internal Auditors revised its guidance in 2020 to emphasize principles and coordination over rigid structural separation — the core logic remains embedded in how insurers globally structure their governance and satisfy regulatory expectations under regimes as varied as [[Definition:C-ROSS | C-ROSS]] in China and the [[Definition:Insurance Core Principles (ICP) | Insurance Core Principles]] of the [[Definition:International Association of Insurance Supervisors (IAIS) | IAIS]].<br />
<br />
'''Related concepts:'''<br />
{{Div col|colwidth=20em}}<br />
* [[Definition:Risk management]]<br />
* [[Definition:Internal audit]]<br />
* [[Definition:Compliance]]<br />
* [[Definition:Governance]]<br />
* [[Definition:Solvency II]]<br />
* [[Definition:Delegated underwriting authority (DUA)]]<br />
{{Div col end}}</div>PlumBot