The Three Lines of Defense Model is a framework used within MSP (Managing Successful Programmes) 5th edition, primarily supporting the Assurance theme and informing the Decisions theme. It provides a structured approach to governance, risk management, and assurance by clearly delineating responsibi…The Three Lines of Defense Model is a framework used within MSP (Managing Successful Programmes) 5th edition, primarily supporting the Assurance theme and informing the Decisions theme. It provides a structured approach to governance, risk management, and assurance by clearly delineating responsibilities across three distinct lines, ensuring that programmes are managed effectively and risks are appropriately controlled. The FIRST LINE OF DEFENSE consists of operational management and those directly responsible for delivering the programme's outputs and managing day-to-day activities. These individuals own and manage risks and controls at the operational level, implementing corrective actions to address deficiencies. In MSP terms, this includes the programme team and project delivery functions who maintain and apply internal controls in their routine work. The SECOND LINE OF DEFENSE comprises functions that oversee and support risk management, such as risk, compliance, and quality management functions. This line monitors the first line, provides guidance, sets policies and frameworks, and ensures that risks are managed within acceptable tolerances. It offers a degree of independence but is still part of management, helping to challenge and support the effective functioning of first-line controls. The THIRD LINE OF DEFENSE provides independent and objective assurance, typically through internal audit or external reviewers. This line reports to the governing body or sponsoring group, offering unbiased evaluation of the effectiveness of governance, risk management, and internal controls across both the first and second lines. In the context of MSP's Assurance theme, this model ensures assurance activities are coordinated, avoiding gaps or duplication. It supports the Decisions theme by providing decision-makers, such as the Programme Board and Senior Responsible Owner, with reliable, layered information to make informed, confident choices. By separating responsibilities, the model enhances accountability, transparency, and the overall integrity of programme governance, ultimately strengthening the programme's ability to achieve its intended benefits.
The Three Lines of Defense Model
The Three Lines of Defense Model
Within the MSP (Managing Successful Programmes) framework, the Three Lines of Defense Model is a key concept supporting the Assurance and Decisions themes. It provides a structured way of thinking about how risk management, control and assurance responsibilities are distributed across a programme so that decisions are well-informed and reliable.
Why It Is Important
Programmes are complex, high-risk undertakings involving significant investment and organisational change. Without clarity about who is responsible for managing risk and providing assurance, gaps and overlaps can occur. The Three Lines of Defense Model matters because it:
• Clarifies accountability for risk and control across different roles. • Ensures assurance is independent, coordinated and proportionate. • Helps decision-makers (such as the Sponsoring Group and Senior Responsible Owner) trust the information they receive. • Reduces duplication of assurance effort and avoids assurance 'blind spots'. • Strengthens governance and stakeholder confidence.
What It Is
The model organises risk management and assurance into three distinct 'lines', each with a different degree of independence from the day-to-day delivery of the programme.
First Line of Defense – Operational management and delivery teams who own and manage risk directly. This is the front line where controls are applied as part of normal work. In a programme context this includes those managing projects and delivering the work, who identify and respond to risks and issues as they arise.
Second Line of Defense – Oversight functions that set policy, monitor and support the first line. These are functions such as risk management, compliance, and the programme management office (PMO). They provide frameworks, standards and monitoring but do not deliver the work themselves. They offer a degree of independence but are still part of management.
Third Line of Defense – Independent assurance, typically internal audit or independent external reviewers. This line provides objective, independent assurance to the programme board and sponsoring group that governance, risk management and controls are operating effectively. It is separate from both delivery and oversight functions.
How It Works
The three lines operate together to create layered protection:
1. The first line manages risks and applies controls as part of delivering the programme. 2. The second line defines the frameworks, monitors compliance and supports the first line, providing early identification of problems. 3. The third line independently reviews and provides assurance to governance boards, confirming whether the first and second lines are working effectively.
Crucially, the degree of independence increases as you move from the first to the third line. This layering means that if a risk slips through one line, it can still be caught by another. The model feeds directly into the Assurance theme by structuring assurance activity, and into the Decisions theme by ensuring decision-makers receive reliable, independently-verified information.
How to Answer Questions on The Three Lines of Defense Model in an Exam
Exam questions may test whether you can distinguish between the three lines, identify which role belongs to which line, or understand the purpose of independence. Focus on the function and level of independence of each line rather than just memorising labels.
Exam Tips: Answering Questions on The Three Lines of Defense Model
• Remember the ordering by independence: first line = does the work, second line = oversees and supports, third line = independent assurance.
• Link roles to lines. Delivery/operational teams are the first line; PMO, risk and compliance functions are the second line; internal audit and independent reviewers are the third line.
• Watch for the word 'independent'. If a question emphasises independent or objective assurance, the answer usually points to the third line.
• Connect to the themes. Show how the model supports the Assurance theme (coordinated, proportionate assurance) and the Decisions theme (reliable information for decision-making).
• Avoid confusing support with delivery. The second line supports and monitors but does not perform the delivery work – a common trap in multiple-choice questions.
• Read scenario questions carefully. Identify what the role in the scenario actually does before mapping it to a line.
• Use elimination. For multiple-choice questions, eliminate options that mix up responsibilities between lines.
By understanding the purpose and independence of each line, and how the model underpins good governance, you will be well equipped to answer both knowledge-based and scenario-based exam questions confidently.