Concentrate your defenses in one place, and the moment that one place is breached, it is over. So you stand in three tiers — the front line, the management functions, and internal audit. The Three Lines Model, revised in 2020, redrew this posture from the static metaphor of "lines of defense" into a collaboration among roles. Where among these three does materials review sit? That placement changes the very meaning of review.
01Why Layer the Defenses
Misconduct and mistakes will happen somewhere, without fail. The question is whether there is a posture that can stop them when they do. Concentrate the defense in a single line, and the moment that line is breached, the whole system of control collapses.
so why — Splitting roles and layering them creates a fail-safe through independence and mutual checks. If the first line overlooks something, the second line catches it; if the second line goes slack, the third line verifies it. What matters is keeping the one who advises separate from the one who assures. If the second line's advice and the third line's assurance are held in the same hand, you end up rating your own advice as "no problem," and the check disappears. Lines therefore carry meaning not through their number, but through their independence.
02The Three Lines — Who Bears What
The three lines of defense divide the defensive role into three. Mistake what each one bears, and the lines blur and the checks stop working.
Operations — take the risk, control it yourself
Sales, marketing, and the like — the front edge of the business. They are the party that goes out to take the risk and, at the same time, bear the primary control within their own work. This is also where materials are created.
Management & compliance — set the standard, monitor
The specialist functions of risk management and compliance. Independent of the first line, they set the standards and monitor for deviations. This is where materials review typically sits.
Internal audit — verify independently
Independent of both the first and second lines, it verifies whether the controls actually function. The effectiveness of the second line itself falls within its scope of verification.
so what — For the reviewer, these three positions are the coordinates by which to read where you stand. Materials review is neither the first-line creator nor the third-line auditor. It sits in the second line — checking the first line, verified by the third. Only once you place yourself here correctly can you explain where your own independence comes from.
03The 2020 Revision — From Lines of Defense to Collaboration of Roles
In 2020 the IIA (the Institute of Internal Auditors) revised the Three Lines Model. It redrew the earlier static metaphor of the "Three Lines of Defense" as a set of role relationships among the governing body, management, and internal audit.
so why — The word "defense" makes the controls look like a row of walls. But what practice actually asks is not the number of walls; it is how independent each role is, and to whom it reports. The revision set aside the contest over the number of lines and shifted the emphasis to the collaboration and independence of roles, and to reporting lines. Is the second line subordinate to the first? Can the third line report directly to the board, independent of management? That is where the questions lie.
04When the Second Line Is Swallowed by the First
The most common way the three lines break down is the second line being absorbed into the first. The moment materials review merges with sales and begins to move by the creators' logic, its function as a second-line check is lost.
so what — If the reviewer becomes a "proxy for the field," the independent second line is left in name only. The test is simple: are the reviewer's evaluation metrics and personnel decisions subordinate to the sales division? Is "passing materials that sell" what gets rewarded? Where there is subordination, that review falls back into the first line, and one layer of the check is lost. The division of roles among the first, second, and third lines is itself taken up from the governance side in The Board's View, Vol. 8.
05The Third Line Verifies the Second — The Quality of Review Is Also at Stake
The final scene where the independence of the three lines pays off is verification by the third line. It is precisely because internal audit is independent that it can verify even the effectiveness of the second line. For the reviewer, this means the quality of your own work can become a subject of audit.
so why — Are the review standards operated only for form's sake? Are there records of how deviations were handled? Has review been swallowed by sales? The third line checks these from the outside, because the quality of review is itself part of the quality of control. Review with thin records, review that lacks independence, is exposed under third-line verification. Put the other way around: review that functions independently, by withstanding internal audit's verification, becomes one piece of evidence that the company's controls as a whole are working. So the reviewer needs to keep checking, always and for themselves, whether they stand independent as a second line.
- First line = operations, second line = management & compliance, third line = internal audit. The defense is split by role and layered.
- The 2020 revision of the Three Lines Model shifted the emphasis from "lines of defense" to the collaboration of roles, independence, and reporting lines.
- Materials review is the second line. Identify with the creators (the first line), and its checking function disappears.
- The third line (internal audit) can verify even the effectiveness of the review function that is the second line.
- The Institute of Internal Auditors (IIA). The IIA's Three Lines Model (2020 revision). A framework that redraws the former "Three Lines of Defense" from the standpoint of role relationships among the governing body, management, and internal audit, and of independence and reporting lines.
- COSO. Enterprise Risk Management — Integrating with Strategy and Performance (2017). A framework that situates risk response within enterprise-wide governance, including control activities and the separation of functions.
- Tokyo Stock Exchange. Corporate Governance Code, Supplementary Principle 4-13③. A provision that calls for coordination between the internal audit function and the board and audit & supervisory members, supporting the independence of the third line.