Definition: Three lines of defense model
🛡️ The three lines of defense model is a governance framework widely adopted by insurance carriers and reinsurers to structure how risk is identified, managed, and independently assured across the organization. In its insurance application, the first line comprises the business units that own and manage risk day to day — underwriting teams, claims operations, and distribution functions. The second line consists of risk management and compliance functions that set standards, monitor adherence, and challenge the first line's decisions. The third line is internal audit, which provides independent assurance to the board and audit committee that both preceding lines are functioning effectively.
⚙️ Within an insurer's operations, each line has distinct responsibilities that should not overlap in ways that compromise independence. First-line managers — say, an underwriting authority holder or a claims adjuster — apply risk controls embedded in their workflows, such as adherence to underwriting guidelines and reserving protocols. Second-line functions like the chief risk officer's team develop enterprise risk frameworks, run stress tests, and ensure compliance with regulatory requirements from bodies such as the NAIC or the PRA. Internal audit then independently evaluates whether controls across both lines are designed and operating as intended, reporting findings directly to the board rather than to operational management.
💡 Regulators expect insurers to demonstrate a credible three-lines structure as part of their enterprise risk management obligations, and its absence can trigger supervisory action. The model gained particular importance after the 2008 financial crisis exposed governance gaps in large financial institutions, including insurers deemed too big to fail. For insurtech companies scaling rapidly, implementing this framework early helps avoid the governance debt that accumulates when growth outpaces controls — an issue that can surface during regulatory examinations or when seeking delegated authority from capacity providers who scrutinize operational governance before granting binding rights.