Concentrate your defenses in one place, and the instant that place is breached, it is over. So an organization braces itself in three tiers: the front line, the management function, and internal audit. Because each watches the same risk from a different angle, the whole holds even if one line falls. Materials review sits on the second of these three lines.
01The Idea of Layering Your Defenses
Wrongdoing and mistakes will happen somewhere, someday. The question is not "whether" they happen, but how many layers stand ready to stop them when they do. Rely on a single wall, and the instant that wall is breached, everything passes straight through.
The three lines of defense (the Three Lines Model) is the idea of placing your defenses in layers. The first line takes risk while controlling it itself; the second line designs and monitors that control; the third line independently verifies the whole. One line's failure is caught by another. Keeping the defense in multiple layers is itself the design intent.
02The Three Lines — Who Carries What
The three lines are divided by role. Rather than a vague "everyone be careful," you draw the lines in advance: who takes risk on the front line, who holds it in check, and who verifies independently. Lay out who does the carrying, and the place of materials review comes into view.
The floor — taking risk and controlling it themselves
Sales and the business units. They manage, on a first-order basis, the risks inherent in their own work through their daily procedures. In materials terms, this is the side that creates and uses the materials.
The management function — setting the criteria and monitoring
Compliance and review departments. They design the criteria the first line must follow and monitor compliance on an ongoing basis. Materials review sits here.
Internal audit — verifying independently
Independent of management and of the first and second lines alike, it verifies whether controls actually function and reports to the board and the corporate auditors.
Materials review is the textbook second line. It holds sales — the first line — in check, and is verified by internal audit — the third line. Fix this coordinate, and the question of who review functions "for, and against whom" connects in a single line.
03Avoiding Overlap and Gaps at the Same Time
Why divide into three? In its 2020 revision, the IIA (the Institute of Internal Auditors) framed its Three Lines Model as a design that avoids both "overlap" and "gaps" in responsibility at the same time. Leave the roles ambiguous, and either several departments watch the same point twice and turn inefficient, or, conversely, a blind spot that no one watches is born.
Divide the lines and give the third line objectivity, and even if one line stops functioning, the others can make up for it. Redundancy in defense is not waste but designed insurance. The duty to build internal control systems, seen in Vol. 6, charges the board with "deciding on, and putting in place" these layers.
04When the Second Line Is Swallowed by the First
The textbook way the three lines collapse is when the second line is absorbed into the first. When review fuses with sales and becomes subordinate to sales targets, the second line's checking function quietly disappears. Even if a review department exists in form, without independence it is no more than an extension of the first line.
The dividing point lies in independence. Are review's performance metrics and personnel decisions free of sales' numbers? Does a reviewer who flags a deviation suffer for it? In the terms of the risk appetite of Vol. 7, the second line needs the strength to push the board-approved "tolerance band" back against the floor.
05The Three Lines as Internal Control in Operation
Read alongside control activities and monitoring — components of the COSO internal control framework — the three lines turn out to be not an abstract ideal but the "arrangement of people" that actually makes internal control run. Who takes risk, who monitors, who verifies. The more that arrangement collapses and the lines blur, the weaker the check becomes and the more the control turns nominal.
The Ministry of Health, Labour and Welfare's report on its program to monitor promotional information-provision activities lists deviation cases that appear to result from a hollowed-out review structure — the second line. Whether the three lines function shows most vividly on the materials-review floor. A reviewer's accurately recognizing their own position as "the second line" is the starting point for keeping the check alive. The work of re-reading materials review, from the board's vantage, as evidence of governance is taken up in Vol. 10.
- The three lines of defense is a multilayered defense by the first line (the floor), the second line (management / review), and the third line (internal audit).
- The IIA's Three Lines Model (2020 revision) sets out a design that avoids overlap and gaps in responsibility at the same time.
- Materials review is the second line. Subordinate it to sales so that it becomes a first line, and it loses its checking function.
- Independence is the premise of the three lines. The more the lines blur, the more the control becomes nominal.
- The Institute of Internal Auditors (IIA). The Three Lines Model (2020 revision). A framework setting out the division of roles among the first, second, and third lines in an organization's governance, and the relationships among them. A Japanese translation is published by the Institute of Internal Auditors–Japan.
- COSO. Internal Control — Integrated Framework. A framework with control activities and monitoring activities as components, securing the operation of internal control.
- Ministry of Health, Labour and Welfare. Report on the Program to Monitor Promotional Information-Provision Activities. Compiles, with company names anonymized, deviation cases of inappropriate information provision (materials and the like) for prescription drugs. Includes examples suggestive of dysfunction in the second line / review structure.