
What are the three lines of defence* in an organization? What is the role of Compliance in these lines?

By: Ernesto Gómez Gallardo A.


Continuing with the idea of previous posts, trying to paint a clearer picture of the Compliance notion for organizations, I believe it is important to refer to the concept of the “Three Lines of Defence”, which is widely used when talking about internal controls, risk mitigation, etc. These are essential elements of the purpose of a Compliance program.

The three lines of defence are a risk management model that organizations use, above all, to understand the role that each participant must play in addressing vulnerabilities and materialized risks. This model has been increasingly adopted by many companies to understand how to operate more safely.

When I hear “three lines of defence” I immediately think of a football (soccer) context and imagine a manager explaining to the team what needs to be done to prevent the opponent from scoring a goal against us. I don’t know if it’s because of my love of sport, but I think the analogy works pretty well to explain it.


  • The first line of defence is the attack. The first ones who, by their role, face the opponent (the risks or problems in this analogy) are the forwards. By them I mean those who score in order to profit, which is their essential function, i.e. those in charge of “the business”. People who are directly involved in generating revenue or managing the purpose of the organization are the first to have contact with customers, suppliers and other third parties, and are therefore those who, in addition to their core functions, must take on the task of trying not to incur unnecessary risks.
  • The second line of defence is the midfield. Those who carry out support functions in the team: specialists in their field who must know all the positions well in order to support whatever is needed. This line identifies emerging risks. In the organization, these activities are carried out by business partners, sometimes referred to as functional areas. As examples: the legal department, finance, human resources, risk management, etc. Whether or not there is a Compliance department in the organization, the compliance functions belong to this second line.
  • The third line has the specific function of defending. They are specialists and, at the risk of redundancy, they would be the defenders. The third line must provide assurance for the organization and dedicate itself to neutralizing the risks it faces, both preventively and reactively. This role within the organization is played by the internal audit area. They should review the first and second lines and ensure that they are effective in their processes. They are the ones who must inform the manager (in this analogy, the Board of Directors and/or the audit committee) of any lack of control or failures in the management of the business.


Understanding where we are located, by the nature of our role, helps us in our daily activities to be aware of the risk that the organization is taking, and how each of us can help identify those risks and prevent a problem from materializing.

As far as Compliance is concerned, as mentioned earlier, this function belongs in the second line. It should support the business as it operates, listen to the business partners’ concerns and, on that basis, advise on developing the right policies and review that these are being followed by everyone on the team.

We should consider who the most active partners of Compliance should be in the performance of its role. From the start we might think of our peers on the second line… Legal is certainly important for the interpretation of laws and regulations. It could also be said that it would be internal audit, as they rely on policies and monitoring to review that things were actually carried out as planned. But the way I see it, the most important partner for the Compliance function is the business. If the business does not own the culture of complying with internal and external regulation, the other lines will be of very little use.

At Miranda Compliance, our way of understanding this is not to have a police-like Compliance, but a culture of compliance that permeates the spirit of the organization. We’ll be happy to help you do it in your company.

*The word “Defence” is spelled this way in British English, “Defense” in American English.
