https://www.insurerbrain.com/w/index.php?action=history&feed=atom&title=Definition%3AThree_lines_of_defense_modelDefinition:Three lines of defense model - Revision history2026-05-02T08:50:30ZRevision history for this page on the wikiMediaWiki 1.43.8https://www.insurerbrain.com/w/index.php?title=Definition:Three_lines_of_defense_model&diff=12001&oldid=prevPlumBot: Bot: Creating new article from JSON2026-03-12T01:04:00Z<p>Bot: Creating new article from JSON</p>
<p><b>New page</b></p><div>🛡️ '''Three lines of defense model''' is a governance framework widely adopted by [[Definition:Insurance carrier | insurance carriers]] and [[Definition:Reinsurance | reinsurers]] to structure how risk is identified, managed, and independently assured across the organization. In its insurance application, the first line comprises the business units that own and manage risk day to day — [[Definition:Underwriting | underwriting]] teams, [[Definition:Claims management | claims]] operations, and distribution functions. The second line consists of [[Definition:Risk management | risk management]] and [[Definition:Compliance | compliance]] functions that set standards, monitor adherence, and challenge the first line's decisions. The third line is [[Definition:Internal audit | internal audit]], which provides independent assurance to the board and [[Definition:Audit committee | audit committee]] that both preceding lines are functioning effectively.<br />
<br />
⚙️ Within an insurer's operations, each line has distinct responsibilities that should not overlap in ways that compromise independence. First-line managers — say, an [[Definition:Underwriting authority | underwriting authority]] holder or a [[Definition:Claims adjuster | claims adjuster]] — apply risk controls embedded in their workflows, such as adherence to [[Definition:Underwriting guidelines | underwriting guidelines]] and [[Definition:Reserving | reserving]] protocols. Second-line functions like the [[Definition:Chief risk officer (CRO) | chief risk officer's]] team develop enterprise risk frameworks, run [[Definition:Stress testing | stress tests]], and ensure compliance with regulatory requirements from bodies such as the [[Definition:National Association of Insurance Commissioners (NAIC) | NAIC]] or the [[Definition:Prudential Regulation Authority (PRA) | PRA]]. Internal audit then independently evaluates whether controls across both lines are designed and operating as intended, reporting findings directly to the board rather than to operational management.<br />
<br />
💡 Regulators expect insurers to demonstrate a credible three-lines structure as part of their [[Definition:Enterprise risk management (ERM) | enterprise risk management]] obligations, and its absence can trigger supervisory action. The model gained particular importance after the 2008 financial crisis exposed governance gaps in large financial institutions, including insurers deemed [[Definition:Too big to fail | too big to fail]]. For [[Definition:Insurtech | insurtech]] companies scaling rapidly, implementing this framework early helps avoid the governance debt that accumulates when growth outpaces controls — an issue that can surface during [[Definition:Regulatory examination | regulatory examinations]] or when seeking [[Definition:Delegated underwriting authority (DUA) | delegated authority]] from capacity providers who scrutinize operational governance before granting binding rights.<br />
<br />
'''Related concepts:'''<br />
{{Div col|colwidth=20em}}<br />
* [[Definition:Enterprise risk management (ERM)]]<br />
* [[Definition:Internal audit]]<br />
* [[Definition:Compliance]]<br />
* [[Definition:Chief risk officer (CRO)]]<br />
* [[Definition:Solvency II]]<br />
* [[Definition:Corporate governance]]<br />
{{Div col end}}</div>PlumBot