Definition:Three lines of defence
🛡️ Three lines of defence is a widely adopted governance and risk management framework that organizes an insurance organization's controls and oversight into three distinct layers, each with clearly separated responsibilities. Originally popularized in the banking sector and subsequently embraced across the global insurance industry, the model assigns frontline operational management as the first line, compliance and risk oversight functions as the second line, and internal audit as the third line. Insurance regulators worldwide — from the PRA and FCA in the UK to the NAIC framework in the United States and Solvency II governance requirements in Europe — expect insurers to demonstrate a functioning model of this kind as part of their supervisory obligations.
⚙️ In practice within an insurance company, the first line consists of the business units and operational teams that own and manage risk daily — underwriters assessing and pricing risks, claims teams handling settlements, and distribution managers overseeing intermediary conduct. These teams operate within the risk appetite and authorities set by senior leadership. The second line comprises functions such as the chief risk officer's team, the actuarial function, and compliance officers who set policies, monitor adherence, and challenge the first line's decisions without being directly involved in day-to-day operations. The third line — internal audit — provides independent assurance to the board that both the first and second lines are functioning effectively. This separation matters enormously in insurance because the products create long-duration obligations: an underwriting error or a reserving misjudgment today may not surface for years, making robust independent oversight essential.
💡 The framework has proven especially critical in the context of delegated authority arrangements, where an insurer grants binding authority to external parties such as MGAs or coverholders. Here, the three lines of defence must extend beyond the insurer's own walls: the first line includes the delegated partner, the second line must monitor that partner's compliance with authority limits and conduct standards, and internal audit must periodically verify that oversight mechanisms are working. The Lloyd's market, for example, has placed significant emphasis on how managing agents govern their coverholder networks through this lens. While some organizations have updated the model — the Institute of Internal Auditors revised its guidance in 2020 to emphasize principles and coordination over rigid structural separation — the core logic remains embedded in how insurers globally structure their governance and satisfy regulatory expectations under regimes as varied as C-ROSS in China and the Insurance Core Principles of the IAIS.
Related concepts: