
Who Is Responsible for What?
One of the most persistent sources of governance dysfunction in Caribbean organisations — and indeed in organisations globally — is ambiguity about who is responsible for managing risk, who is responsible for overseeing risk management, and who is responsible for providing independent assurance that risk is being managed effectively. When these responsibilities are unclear or overlapping, the results are predictable: gaps in risk coverage, duplication of effort, accountability vacuums, and the dangerous illusion that risks are being managed when in fact they are simply being passed from one function to another without genuine ownership.
The Three Lines Model, published by the Institute of Internal Auditors in 2020 as an update to the widely adopted Three Lines of Defence framework, provides a rigorous conceptual architecture for addressing this challenge. By clearly defining the roles, responsibilities, and relationships of three distinct lines of accountability — management, oversight functions, and internal audit — the model creates a comprehensive blueprint for the assignment of governance responsibilities across the enterprise.
This article, the fourth in Dawgen Global’s The Internal Audit Imperative series, examines the Three Lines Model in depth: its conceptual foundations, the distinct role of each line, the critical importance of coordination between lines, the common failure modes that undermine the model’s effectiveness, and the specific adaptations required for Caribbean organisational contexts. For internal audit professionals, board members, and executives seeking to strengthen their governance architecture, the Three Lines Model is not merely a useful framework — it is the essential organising principle of modern enterprise risk governance.
KEY INSIGHT: The Three Lines Model does not ask who should be blamed when something goes wrong. It asks who is accountable for ensuring that it does not go wrong in the first place — and it assigns that accountability clearly, comprehensively, and at every level of the organisation.
From Three Lines of Defence to the Three Lines Model: An Evolution in Thinking
The original Three Lines of Defence framework, which gained widespread adoption following the 2008 global financial crisis, represented a significant advance in governance thinking. It provided a clear conceptual structure that distinguished between those who own and manage risk (the first line), those who oversee risk management (the second line), and those who provide independent assurance (the third line). This clarity was particularly valuable in complex financial institutions where risk ownership had become diffuse and accountability had broken down.
However, over time, practitioners identified limitations in the defence metaphor. The language of lines of defence implied a primarily reactive, threat-focused orientation — an organisation defending against risk rather than managing it dynamically in service of strategic objectives. It also encouraged a degree of siloed thinking, with each line focused on its own defensive role rather than on the collaborative governance outcomes that the framework was designed to produce.
The 2020 IIA update addressed these limitations in several important ways. Most significantly, it reframed the model around the concept of contributing to organisational objectives rather than defending against risk. It introduced explicit recognition of the governing body as a distinct governance actor — separate from management and with direct oversight relationships with both senior management and internal audit. And it emphasised the importance of coordination and collaboration between lines, recognising that effective governance requires not just clear role separation but active alignment around shared objectives.
For Caribbean organisations adopting or reviewing their governance frameworks, this evolution matters. The Three Lines Model is not simply an updated version of its predecessor — it reflects a fundamentally more mature understanding of how governance works in practice, and how internal audit’s role as the third line connects to the broader governance ecosystem of the organisation.
The Three Lines Explained: Roles, Responsibilities, and Actors
The model defines four distinct governance actors — the governing body, and three lines of management accountability. Each has a distinct role, a distinct set of responsibilities, and a distinct relationship with the others. The table below provides a concise reference for all four actors:
| Line | Who | Core Responsibility | Key Roles |
| --- | --- | --- | --- |
| First Line | Business unit management, operations, front-line staff | Own and manage risk; design and operate controls; meet business objectives within risk appetite | Operational managers; process owners; control performers |
| Second Line | Risk Management, Compliance, Legal, Finance, IT Security | Oversee and challenge the First Line; develop risk frameworks and policies; monitor compliance and risk indicators | Chief Risk Officer; Chief Compliance Officer; General Counsel; CISO |
| Third Line | Internal Audit | Provide independent, objective assurance to the governing body and senior management on the effectiveness of governance, risk management, and control | Chief Audit Executive; Internal Audit team; co-sourced or outsourced IA providers |
| Governing Body | Board of Directors, Audit Committee | Set direction, values, and risk appetite; oversee management accountability; receive and act on assurance from all three lines | Board Chair; Audit Committee Chair; Independent Non-Executive Directors |
The First Line: Owning and Managing Risk
The first line encompasses all the people and processes through which the organisation pursues its objectives — business unit management, front-line operations, process owners, and the staff who execute the organisation’s activities on a day-to-day basis. The defining characteristic of the first line is that it owns the risk: first-line actors are responsible for identifying the risks inherent in their activities, designing and operating the controls that manage those risks, and ensuring that they operate within the organisation’s stated risk appetite.
In practice, first-line risk ownership means that business unit managers are accountable for the integrity of the controls in their processes, not merely for the business outcomes those processes produce. A branch manager in a Caribbean financial institution, for example, is not just responsible for loan origination volumes — they are responsible for ensuring that the credit assessment controls, documentation procedures, and anti-money laundering checks within their branch are operating effectively. This accountability for controls is integral to first-line management responsibility, not an add-on.
A common failure in Caribbean organisations is the absence of genuine first-line risk ownership — a situation where operational managers view risk management as someone else’s job, typically the second line’s. This misunderstanding renders the entire Three Lines architecture ineffective: if the first line does not own risk, there is no foundation upon which the second line can build oversight and the third line can provide assurance.
KEY INSIGHT: The first line does not manage risk because the second line tells it to. It manages risk because risk ownership is an inherent and non-delegable responsibility of operational management. Without this understanding, the Three Lines Model becomes governance theatre.
The Second Line: Overseeing and Challenging
The second line comprises the specialist oversight functions — risk management, compliance, legal, finance, information security, and other functions whose primary mandate is to support, oversee, and challenge the first line in the management of risk. The second line does not own the risk — that ownership remains with the first line — but it provides the frameworks, policies, tools, and independent oversight that enable the first line to manage risk effectively and consistently with the organisation’s risk appetite and regulatory obligations.
The second line’s effectiveness depends critically on its ability to maintain its oversight independence relative to the first line. A compliance function that is captured by the business units it oversees — that approves whatever business management requests, that escalates concerns only when legal liability is immediate, and that prioritises operational convenience over regulatory integrity — is not fulfilling its second-line mandate. It has, in effect, become an extension of the first line, leaving a critical gap in the organisation’s governance architecture.
In the Caribbean context, second-line functions are frequently under-resourced relative to the size and complexity of the organisations they serve. The Chief Risk Officer role, where it exists at all, may be occupied by a senior manager who also carries significant operational responsibilities — a structural conflict that undermines the function’s independence. Building genuine second-line capacity is a governance investment that many Caribbean organisations have deferred, with consequences that become visible only when risk events materialise.
The Third Line: Independent Assurance
Internal audit occupies the third line — and its role is distinct from both the first and second lines in a fundamental way: it provides independent assurance rather than managing or overseeing risk. This distinction is critical. Internal audit does not own risk (first line), nor does it oversee risk management as a standing function (second line). It evaluates, independently and objectively, whether the risk management, control, and governance processes operated by the first and second lines are effective — and it communicates the results of that evaluation to the governing body.
This positioning gives internal audit a unique and irreplaceable governance role. Because the third line is independent of both operational management and the oversight functions it evaluates, its assurance opinions carry a credibility that neither first-line self-assessments nor second-line monitoring reports can match. The governing body — the board and audit committee — depends on this independent assurance to discharge its own oversight responsibilities with confidence.
Critically, the IIA’s Three Lines Model explicitly positions internal audit as accountable primarily to the governing body, not to management. This is the structural expression of the functional independence principle explored in Article 3 of this series: internal audit serves the governing body’s assurance needs, and it is to the governing body that the CAE’s primary accountability runs.
The Governing Body: Setting Direction and Demanding Accountability
The 2020 update’s explicit inclusion of the governing body as a distinct governance actor — rather than treating it simply as the recipient of assurance — is one of its most important conceptual advances. The board and audit committee are not passive consumers of governance outputs. They are active governance actors who set the organisation’s values, risk appetite, and strategic direction; who hold management accountable for the effectiveness of the first and second lines; and who maintain a direct oversight relationship with internal audit as the provider of independent assurance.
This active governance role requires board members to understand the Three Lines Model well enough to ask informed questions about how it is functioning. Are the first-line controls designed adequately? Is the second line genuinely independent of the first? Is internal audit resourced to cover the full audit universe? Are the gaps and weaknesses identified by the third line being remediated with appropriate urgency? These are not technical questions — they are governance questions that any well-equipped board member should be able to pose and evaluate.
Coordination Between Lines: The Architecture of Collaboration
One of the most important practical implications of the Three Lines Model is that clear role separation must be accompanied by active coordination. A model in which each line operates independently, without alignment on risk priorities, coverage areas, or shared governance objectives, produces governance gaps and duplications that undermine the very assurance the model is designed to provide.
Effective coordination between the three lines typically involves the following mechanisms:
- Combined assurance forums: Regular meetings between internal audit (third line), second-line risk and compliance functions, and where appropriate first-line risk owners, to align on risk coverage, share findings, and identify emerging risks that require coordinated attention across lines.
- Risk assessment alignment: Internal audit’s annual risk-based audit plan should be informed by the second line’s enterprise risk assessment, ensuring that IA resources are allocated to areas of genuinely elevated risk rather than areas of historic audit interest.
- Finding coordination: When internal audit identifies control weaknesses that involve second-line failures — for example, a compliance monitoring function that has not identified a regulatory breach — those findings must be communicated to the audit committee with appropriate framing that distinguishes between first-line and second-line accountability.
- External audit reliance: Where external auditors seek to rely on the work of the third line, coordination protocols must ensure that internal audit work meets the quality standards required for external reliance — a quality assurance requirement that will be examined in depth in Article 7 of this series.
THREE LINES IN A CO-SOURCED OR OUTSOURCED IA MODEL: When internal audit is co-sourced or fully outsourced to a specialist provider, the Three Lines Model architecture remains the same — but the coordination protocols must be explicitly designed into the outsourcing arrangement. The outsourced provider must have the same access to first-line and second-line information as an in-house team, and the same direct reporting relationship with the audit committee. Dawgen Global’s outsourced IA engagements are structured to embed seamlessly within the client’s Three Lines architecture — reinforcing, not displacing, the governance framework the model is designed to support.
Five Failure Modes That Undermine the Three Lines Model
Organisations frequently adopt the Three Lines Model as a governance aspiration without fully implementing it in practice. The result is a framework that exists on paper but fails to deliver the governance value it promises. The table below identifies five of the most common failure modes, their manifestations in practice, and their consequences.
| Failure Mode | Manifestation | Consequence |
| --- | --- | --- |
| First Line absent or weak | Operations running without documented controls; no clear ownership of risk | Fraud, operational failures, regulatory breaches go undetected |
| Second Line captured by First Line | Risk and compliance functions defer to business units rather than challenging them | Controls exist on paper but are ineffective in practice; regulatory exposure accumulates |
| Third Line performing management roles | Internal audit conducting operational activities or making management decisions | Loss of independence; assurance opinions become unreliable; governance credibility collapses |
| Governing body disengaged | Board receives IA reports but does not act on findings or hold management accountable | Three Lines architecture exists structurally but produces no governance value |
| Lines operating in silos | First, Second, and Third Lines do not coordinate; duplicate effort and create coverage gaps | High-risk areas receive no assurance coverage; low-risk areas are over-audited |
Each of these failure modes is observable in Caribbean organisations. The most prevalent is the absence of genuine first-line risk ownership — the tendency of operational managers to treat risk management as a compliance obligation imposed by the second line rather than as an integral dimension of their management responsibility. Addressing this requires not just governance architecture but deliberate cultural change, supported by training, performance management frameworks, and consistent messaging from the governing body.
Applying the Three Lines Model in the Caribbean Context
Caribbean organisations face specific structural challenges in implementing the Three Lines Model effectively, and these challenges must be addressed with practical, context-sensitive solutions rather than simply transplanting governance frameworks designed for large global enterprises.
Scale and Resource Constraints
In smaller Caribbean enterprises, dedicated second-line functions may not be economically viable as standalone departments. A mid-sized manufacturing company or regional credit union cannot realistically employ a Chief Risk Officer, Chief Compliance Officer, and Head of Internal Audit as separate full-time roles. The Three Lines Model must therefore be adapted to the organisation’s scale: second-line responsibilities may be consolidated within a finance or operations leadership role, supported by specialist external advisors, while the third line’s independence is maintained through an outsourced or co-sourced IA arrangement that provides genuine structural separation from management.
Family-Owned Enterprise Dynamics
In family-owned Caribbean enterprises, the governing body role is frequently exercised by family members who are simultaneously significant shareholders and operational executives — a structural combination that blurs the boundaries between all three lines. The patriarch who chairs the board, controls the executive team, and personally approves significant transactions is simultaneously a first-line operator, a governance actor, and, in effect, his own oversight mechanism. Implementing the Three Lines Model in this context requires deliberate structural intervention: the introduction of independent non-executive directors onto the governing body, the constitution of a genuine audit committee with independent membership, and the appointment of an independent third-line provider — whether in-house or outsourced — with a direct reporting line to that committee.
Public Sector and Statutory Bodies
Caribbean public sector entities operate within governance frameworks established by statute and ministerial oversight — frameworks that do not always map cleanly onto the Three Lines Model. Political accountability, which is the ultimate governance mechanism in the public sector, does not operate through the same channels as board oversight in the private sector. Nevertheless, the principles of the Three Lines Model are applicable and valuable in the public sector context: clear assignment of operational risk ownership to programme managers (first line), dedicated internal oversight through audit and compliance functions (second line), and independent internal audit reporting to a board or parliamentary oversight committee (third line). The adaptation of the model to specific public sector governance structures requires both technical expertise and institutional knowledge — capabilities that specialist advisors can bring to bear on behalf of public entities seeking to strengthen their governance frameworks.
The Model Is the Map, Not the Territory
The Three Lines Model provides a powerful and comprehensive map of how governance responsibilities should be distributed across an enterprise. But like all maps, it is only as useful as the accuracy with which it represents the territory — the actual governance structures, behaviours, and accountabilities that exist within the organisation. A beautifully documented Three Lines framework that does not correspond to how people actually behave, how accountability is actually exercised, and how assurance is actually provided is not a governance achievement. It is a governance illusion.
The organisations that derive genuine value from the Three Lines Model are those that treat it not as a document to be produced for regulatory or governance review purposes but as a living framework that shapes how the organisation makes decisions, assigns accountability, and learns from its failures. Achieving this requires sustained commitment from the governing body, genuine investment in the independence and capability of the third line, and the cultural willingness to hear and act upon independent assurance — even when that assurance is uncomfortable.
In Article 5 of this series — Outsourcing Your Internal Audit Function: A Strategic Decision — we move from the conceptual architecture of the Three Lines Model to one of the most consequential practical decisions Caribbean organisations face in implementing it: whether to build an in-house internal audit function, outsource it entirely to a specialist provider, or adopt a co-sourced model that combines the benefits of both approaches.

