PlumBot: Bot: Creating new article from JSON

2026-03-18T02:34:41Z

Bot: Creating new article from JSON

New page

🏛️ '''Three lines of defence model''' is a governance and risk management framework that organizes an insurance organization's control activities into three distinct layers: operational management (first line), [[Definition:Risk management | risk management]] and [[Definition:Compliance | compliance]] functions (second line), and [[Definition:Internal audit | internal audit]] (third line). Adopted widely across the global insurance industry — and embedded into regulatory expectations under [[Definition:Solvency II | Solvency II]], the UK's [[Definition:Senior Managers and Certification Regime (SM&CR) | SM&CR]], and supervisory guidance from bodies like the [[Definition:International Association of Insurance Supervisors (IAIS) | IAIS]] — the model provides a structured way to ensure that risk-taking, risk oversight, and independent assurance remain separate and effective. The Institute of Internal Auditors updated the framework in 2020 (rebranding it as the "Three Lines Model"), but the original terminology remains dominant in insurance regulatory discourse.

🔄 Each line carries a distinct mandate. The [[Definition:First line of defence | first line]] — which includes [[Definition:Underwriter | underwriters]], [[Definition:Claims | claims]] teams, [[Definition:Distribution channel | distribution]] managers, and operational staff — owns the risks inherent in daily business activities and is responsible for implementing controls. The [[Definition:Second line of defence | second line]] comprises specialist functions such as the [[Definition:Chief risk officer (CRO) | chief risk officer's]] team, [[Definition:Actuarial function | actuarial function]], and compliance department; these functions design frameworks, set [[Definition:Risk appetite | risk appetite]] parameters, monitor the first line's adherence, and challenge decisions where necessary. The [[Definition:Third line of defence | third line]] — internal audit — operates independently of both, providing the [[Definition:Board of directors | board]] and [[Definition:Audit committee | audit committee]] with objective assurance that the other two lines are functioning as intended. In practice, the boundaries require careful calibration: an [[Definition:Managing general agent (MGA) | MGA]] operating under [[Definition:Delegated underwriting authority (DUA) | delegated authority]] effectively extends an insurer's first line beyond its own walls, demanding that the insurer's second and third lines extend their reach accordingly.

📊 The model's strength lies in creating accountability without duplication — when it works well, each line understands its role and does not encroach on or neglect the others. Regulators frequently assess the effectiveness of the three lines during supervisory visits and [[Definition:Own Risk and Solvency Assessment (ORSA) | ORSA]] reviews, and weaknesses in any single line can trigger enhanced supervision or capital add-ons. Criticism of the model typically centers on the risk that it becomes a checkbox exercise, with the three lines operating in silos rather than engaging in dynamic, two-way communication. For smaller insurers and [[Definition:Insurtech | insurtech]] startups, strict separation can be challenging to resource, leading to proportionate approaches where, for example, the compliance and risk management functions may share personnel but maintain distinct reporting lines. Despite these tensions, the three lines of defence model remains the dominant structural paradigm for insurance governance worldwide.

'''Related concepts:'''
{{Div col|colwidth=20em}}
* [[Definition:First line of defence]]
* [[Definition:Second line of defence]]
* [[Definition:Third line of defence]]
* [[Definition:Internal audit]]
* [[Definition:Risk management]]
* [[Definition:Corporate governance]]
{{Div col end}}

Definition:Three lines of defence model - Revision history

PlumBot: Bot: Creating new article from JSON