Module 8: Three Lines of Defense

CRISC Domain 1 — Governance, Section B (6–8 min read)
When roles blur, governance weakens.

Why this topic is high-yield

Three Lines of Defense (3LoD) is not about memorizing a diagram.

CRISC uses it to test:

  • Accountability
  • Oversight
  • Independence
  • Structural clarity

Most wrong answers violate separation of duties.


The structure you must know (clean and simple)

First Line — Management (Owns and Manages Risk)

  • Business units
  • Operational managers
  • System owners

They:

  • Own risk
  • Implement controls
  • Make day-to-day decisions

If you remember nothing else:
Risk ownership lives here.


Second Line — Risk & Compliance (Oversees Risk)

  • Risk management
  • Compliance
  • Security governance
  • Enterprise risk functions

They:

  • Provide guidance
  • Monitor
  • Challenge
  • Report

They do not implement controls.

They do not own risk.

They provide oversight.


Third Line — Internal Audit (Independent Assurance)

They:

  • Provide independent review
  • Evaluate effectiveness
  • Report to the board or audit committee

They do not design controls.
They do not manage risk.
They do not implement fixes.

Independence is everything here.


What the exam is really testing

When Three Lines appears in a question, CRISC is asking:

  • Is ownership correctly assigned?
  • Is oversight separated from execution?
  • Is independence preserved?
  • Is reporting appropriately structured?

If one function is performing another's role, governance maturity is compromised.


The most common exam traps

These show up repeatedly:

  • Risk management implements operational controls
  • IT accepts enterprise risk without business approval
  • Internal audit designs and deploys remediation
  • Audit reports to management instead of the board
  • Compliance owns risk decisions

All of these blur governance lines.

CRISC favors structural integrity over speed.


The mindset shift

Technical professionals think:

“If audit found it, audit should help fix it.”

CRISC thinking:

“If audit helps fix it, audit can't independently assess it later.”

Independence must be protected.


Example scenario (walk through it)

Scenario:
Internal audit identifies control deficiencies in a financial system. To accelerate remediation, audit staff work directly with IT to design and implement new controls.

Question: What is the PRIMARY governance concern?

Tempting answer:
“Inadequate technical documentation.”

Correct CRISC thinking:

  • Audit is part of the third line.
  • Third line must remain independent.
  • Implementation compromises independence.

Correct answer:

Loss of independence of the internal audit function.

This is structural — not technical.


Ownership confusion scenario

Scenario:
The risk management department formally accepts a high-impact operational risk to prevent project delays.

Question: What governance issue exists?

CRISC logic:

  • Who owns risk? The business.
  • Risk management provides oversight, not ownership.
  • Accepting risk exceeds second-line authority.

The issue is improper role execution.


Reporting structure matters

CRISC also tests reporting lines.

Strong governance:

  • First line → manages risk
  • Second line → reports oversight findings
  • Third line → reports independently to the board

If audit reports through operational management, independence is weakened.


The “FIRST” question pattern

When Three Lines appears in a question, ask:

  • Is role clarity missing?
  • Is independence compromised?
  • Is risk ownership misplaced?
  • Is oversight confused with execution?

Fix structure first.


Governance maturity signals

A strong Three Lines model includes:

  • Clear role definitions
  • Formal documentation
  • Independent audit reporting
  • No overlap in responsibilities
  • Board-level visibility

Weak governance includes:

  • Combined oversight and implementation
  • Risk acceptance outside authority
  • Audit involvement in operations
  • No clear accountability

CRISC wants you to recognize the difference instantly.


Quick knowledge check

1) Which function owns operational risk in a mature governance structure?

A. Internal audit
B. Enterprise risk management
C. Business management
D. Compliance

Answer & reasoning

Correct: C

The first line (business management) owns and manages risk.


2) If the risk management function directly implements mitigation controls, what governance issue arises?

A. Excessive control layering
B. Loss of independence in the third line
C. Blurred separation between oversight and execution
D. Weak risk quantification

Answer & reasoning

Correct: C

The second line provides oversight and guidance, not execution.


3) Internal audit reports directly to the CIO instead of the board. What is the PRIMARY concern?

A. Increased remediation speed
B. Reduced control effectiveness
C. Compromised independence
D. Poor asset management

Answer & reasoning

Correct: C

Audit must report independently to preserve objectivity.


The master rule for Three Lines

If you see role overlap, that is the problem.

CRISC prefers:

  • Clean separation
  • Proper authority
  • Preserved independence
  • Governance clarity

If a scenario feels messy structurally, you're probably looking at a Three Lines issue.

Next module: Module 9, Risk Profile