Domain 1: Governance Module 8 of 61

Module 8: Three Lines of Defense

CRISC Domain 1 — Governance Section B 6–8 min read
If you can't clearly say who owns risk and who checks the work, you have a Three Lines problem.

Why this topic is high-yield

Three Lines of Defense (3LoD) is not about memorizing a diagram.

CRISC uses it to test:

  • Accountability
  • Oversight
  • Independence
  • Structural clarity

Most wrong answers violate separation of duties.


The structure you must know (clean and simple)

First Line — Management (Owns and Manages Risk)

  • Business units
  • Operational managers
  • System owners

They:

  • Own risk
  • Implement controls
  • Make day-to-day decisions

If you remember nothing else:
Risk ownership lives here.


Second Line — Risk & Compliance (Oversees Risk)

  • Risk management
  • Compliance
  • Security governance
  • Enterprise risk functions

They:

  • Provide guidance
  • Monitor
  • Challenge
  • Report

They do not implement controls.

They do not own risk.

They provide oversight.


Third Line — Internal Audit (Independent Assurance)

A. Internal audit
B. Enterprise risk management
C. Compliance
D. Business management

Answer & reasoning

Correct: D

The first line (business management) owns and manages risk.


2) If the risk management function directly implements mitigation controls, what governance issue arises?

A. Excessive control layering
B. Blurred separation between oversight and execution
C. Loss of independence in the third line
D. Weak risk quantification

Answer & reasoning

Correct: B

The second line provides oversight and guidance, not execution.


3) Internal audit reports directly to the CIO instead of the board. What is the PRIMARY concern?

A. Compromised independence
B. Increased remediation speed
C. Reduced control effectiveness
D. Poor asset management

Answer & reasoning

Correct: A

Audit must report independently to preserve objectivity.


The master rule for Three Lines

If you see role overlap, that is the problem.

CRISC prefers:

  • Clean separation
  • Proper authority
  • Preserved independence
  • Governance clarity

If a scenario feels messy structurally, you're probably looking at a Three Lines issue.
