When The Three Lines of Defense Creates Four Blind Spots
Part 5 - Clear division of labor requires boundaries. Boundaries create seams. Interaction risks—dependencies, concentrations, cascading failures—don't fit bounded categories. They sit between the lines, where each operates rationally within its mandate while the risk remains unowned.
Risk Judgment Series
How Risk Teams Actually Fail
Risk functions are designed with sound logic—independence, expertise, board access. Then reality surfaces predictable failure patterns. This series examines how organizational structure, not incompetence, systematically undermines risk teams. Part 5 of 6.
The risk is real. The data is concerning. The pattern is clear enough to warrant discussion.
First line: “We manage operational controls around third-party dependencies. But this is a strategic concentration question—that’s second line territory.”
Second line: “We provide oversight and can escalate concentration risk. But the operational expertise on vendor relationships sits in first line.”
Third line: “We audit control frameworks. This is still emerging, not yet established in our scope. We’ll pick it up in next year’s cycle.”
For standard risks, this clarity is exactly what keeps accountability clean.
The meeting continues. The risk gets noted in the minutes. Everyone agrees it’s important. Someone suggests it’s a “shared risk” that requires cross-functional coordination. It sounds mature. Collaborative, even. Someone says, “Let’s take that offline and come back with a view.”
Six months later, nobody can point to who actually has the pen. The risk hasn’t been rejected—it’s been relocated through polite scope language until it’s effectively orphaned.
This isn’t about people avoiding accountability. It’s about a governance model that works brilliantly for categorizable risks and creates seams when risks live between the lines.
I’ve watched this pattern repeat across organizations, industries, and risk types. The mechanism is structural, not behavioral.
The Model Logic
The Three Lines of Defense model exists for sound reasons. It solves real problems that organizations face when managing risk.
Without clear separation, operational teams both take risks and oversee themselves. Conflicts of interest multiply. When the same people who design processes also audit them, independence disappears. When revenue-generating units also determine their own risk appetite, objectivity erodes.
3LOD creates structure. The first line owns and manages risk. The second line provides independent oversight and challenge. The third line offers assurance that the system works. Each line has clear accountability. Nobody oversees their own work. The conflicts that plagued older governance models get separated into distinct roles.
For established risks—the ones that fit clear categories, have known controls, and follow predictable patterns—this separation works exceptionally well. The model also scales. As organizations grow and risk categories proliferate, 3LOD provides a framework that can absorb complexity while maintaining clarity around who owns what. Accountability improves. Regulatory compliance strengthens. Board reporting becomes more structured.
The logic is sound. The implementation, in many cases, is effective. The model deserves its prominence.
That same clarity has a cost: it creates seams where interaction risks fall through.
The Boundary Problem
The clarity that makes 3LOD work for categorizable risks requires boundaries. Clear roles need defined scope. Defined scope creates edges.
First line manages operational processes. But “operational” has boundaries—strategic questions sit elsewhere. Second line provides oversight. But “oversight” has limits—operational expertise sits elsewhere. Third line offers assurance. But “assurance” has a scope—emerging risks aren’t yet established enough to audit.
These boundaries aren’t arbitrary. They’re necessary. Without them, roles blur, accountability diffuses, and the conflicts 3LOD was designed to prevent reappear.
But boundaries create seams. And not all risks fit neatly into bounded categories.
Some risks are interactions—dependencies between systems, concentrations across vendors, cascading failures that cross functional boundaries. They don’t fit into “operational risk” or “oversight” or “assurance.” They sit between the lines.
When a risk involves both operational execution and strategic positioning, both technical controls and business model implications, both existing processes and emerging threats—it doesn’t have an obvious home in a category-based governance model.
The organization has assigned ownership clearly for established risk types. It hasn’t necessarily assigned ownership for the interactions between them.
The Seam Mechanism
The mechanism isn’t that people refuse accountability. It’s that each line operates rationally within its mandate—and interaction risks live outside all three mandates simultaneously.
First line looks at the risk and sees elements that require strategic oversight. They manage controls, but the risk has implications beyond operational execution. Escalating to second line is the right move within their mandate.
Second line looks at the same risk and sees elements that require operational expertise. They provide oversight, but they don’t run the processes. The detailed knowledge sits in first line. Referring back is rational within their mandate.
Third line looks at the risk and sees something still forming. Their role is to audit established controls against defined standards. This risk hasn’t crystallized into a framework they can assess. Deferring until it’s more established is consistent with their mandate.
All three lines are behaving correctly according to their defined roles. And the risk remains unowned.
I’ve watched organizations cycle a risk through all three lines, each providing thoughtful analysis of why it sits slightly outside their scope, each suggesting coordination with the others. The documentation is comprehensive—there’s a clean paper trail. The risk gets “noted” in multiple forums.
What doesn’t happen is someone saying, “This is mine. I have the pen. I’ll make the call.”
Because the model allocates ownership by category and process. Interaction risks don’t fit categories. They cross processes. So they become “shared”—which often means orphaned.
The Accountability Diffusion
The consequence of the seam isn’t chaos. It’s diffusion.
The risk doesn’t disappear from view. It appears in multiple places—risk registers, committee minutes, escalation logs. Everyone is aware of it. Everyone agrees it matters. Everyone has documented their engagement with it.
What’s missing is singular accountability. Who makes the decision when trade-offs are required? Who has authority to commit resources? Who owns the outcome if the risk surfaces as an incident?
These are the risks that are everyone’s job and nobody’s KPI.
“Shared risk” sounds like distributed ownership. In practice, it often becomes distributed ambiguity. When everyone has a piece of oversight, nobody has full decision rights. When multiple lines need to coordinate, no single line can move without the others.
I’ve watched risks that are everyone’s responsibility become nobody’s priority. The first line gets measured on operational excellence. The second line gets measured on oversight effectiveness. The third line gets measured on audit coverage. None of them get measured on whether emergent interaction risks were identified and owned before they materialized.
So the rational response is to engage with the risk—note it, discuss it, document it—without actually carrying it. Engagement is visible and demonstrable. Carrying requires decision rights that might not exist, resources that might not be allocated, and accountability for outcomes that cross multiple mandates.
“Not my line of defense” doesn’t mean “I don’t care.” It means “my mandate doesn’t give me the authority to own this fully, so I’ll engage appropriately within my scope and coordinate with the lines that own the other pieces.”
That’s rational behavior within a bounded role. It’s also how risks become orphaned.
The Consequence
The consequence isn’t that organizations lack governance. It’s that governance looks perfect while critical risks remain unowned.
The 3LOD model is documented. Roles are clear. Reporting lines are established. Each line has adequate resourcing, defined responsibilities, and regular touchpoints with the others. Board presentations show comprehensive risk coverage across all three lines.
And somewhere between the lines, an interaction risk is migrating from “noted” to “monitored” to “under review” to “being coordinated”—without anyone having singular authority to make the call when it needs to be made.
The model works brilliantly for categorizable risks. Operational risks get managed by first line with oversight from second and assurance from third. Compliance risks flow through defined ownership with clear escalation. Financial risks, reputational risks, known risk types—all fit the framework.
What the model struggles with are risks that don’t fit established categories yet. Dependencies that cross business units. Concentrations that span vendors. Vulnerabilities that emerge from interactions between systems that each look fine in isolation.
These risks get discussed extensively. They appear in minutes. They get escalated appropriately within each line’s mandate. What they don’t get is owned—because ownership was allocated by category, and they’re interactions.
When the risk surfaces as an incident, the post-mortem reveals extensive documentation that everyone was aware, everyone engaged, everyone coordinated. What nobody can answer is: who had the pen?
📌 Key Takeaways:
- 1️⃣ 3LOD creates boundaries that are necessary for clarity. Clear roles prevent conflicts of interest and maintain accountability for categorizable risks.
- 2️⃣ Boundaries create seams where interaction risks fall through. Dependencies, concentrations, and cascading failures don't fit into bounded categories—they sit between the lines.
- 3️⃣ Each line operates rationally within its mandate. The seam isn't about avoiding accountability—it's about category-based governance encountering interaction-based risk.
- 4️⃣ "Shared risk" often becomes orphaned risk. When everyone has a piece of oversight but nobody has singular decision rights, risks get noted extensively and owned insufficiently.
The Pattern Isn’t Fixable Through Better Coordination
The pattern is structural, not fixable through “better coordination” or “clarifying accountabilities.” When governance models allocate ownership by category and process, they create seams where interaction risks fall through.
This isn’t unique to Three Lines of Defense. Any governance model with clear boundaries faces the same tension: the clarity that makes standard risks manageable creates gaps where emergent risks become orphaned.
3LOD works as designed—for risks that fit categories. Strategic dependencies, cross-functional vulnerabilities, and emergent interaction risks don’t fit categories yet. They’re interactions.
The model allocates ownership clearly for what’s already established. It struggles with what’s still emerging. And organizations discover the limitation only when a risk materializes that everyone “noted” but nobody carried.
In 3LOD meetings, the risk is often owned in the minutes and orphaned in execution.
Clear division of labor doesn’t guarantee ownership of the spaces between.
Frequently Asked Questions
For readers seeking quick answers to common questions about the seam problem and Three Lines of Defense limitations:
Doesn’t the Three Lines of Defense model prevent conflicts of interest and maintain accountability?
Yes—for categorizable risks with clear ownership boundaries. 3LOD is highly effective at separating operational management from oversight from assurance when risks fit established categories. The limitation emerges with interaction risks that cross boundaries: dependencies between systems, concentrations across vendors, vulnerabilities from cascading failures. These don’t fit into “operational” or “oversight” or “assurance”—they sit between the lines.
Can’t organizations just assign interaction risks to one of the three lines?
This frames the seam as an assignment problem when it’s actually a category problem. Interaction risks have elements that legitimately belong in multiple mandates simultaneously. Forcing assignment to one line either overextends that line’s expertise (second line managing operational execution) or undermines the model’s separation logic (first line providing its own oversight). The seam exists because the risk is genuinely cross-boundary.
Is this pattern unique to Three Lines of Defense, or do other governance models face similar challenges?
Any governance model with clear role boundaries faces this tension. The clarity that makes standard risks manageable creates gaps where emergent, interaction-based risks become orphaned. 3LOD is the most widely implemented framework, but the fundamental constraint—category-based ownership encountering interaction-based risk—operates across governance approaches.
What signals indicate an organization is experiencing the seam problem?
Risks that appear in multiple forums but have no singular owner. “Shared risk” designations that result in coordinated discussion but deferred decisions. Post-incident reviews revealing extensive documentation of awareness and engagement, but no clear answer to “who had the pen?” Interaction risks (dependencies, concentrations, cascades) that migrate through “noted” → “monitored” → “under review” without resolution.
Continue the Series
This is Part 5 of a 6-part series examining how risk teams fail through structural design, not incompetence.
Next: The final post in the series—synthesizing how independence, compliance incentives, expertise gaps, capacity displacement, and governance seams combine to systematically undermine risk functions.
Related Reading
- The Compliance Trap: Why risk teams become reporting factories when asymmetric incentives drive optimization toward compliance over strategic insight.
- Why Expertise Becomes a Liability: How risk teams hired for regulatory credibility struggle with executive influence—because technical precision and strategic positioning require different optimization.
- The Reporting Treadmill: Why risk functions drown in their own output when scheduled work with clear deadlines crowds out emergent sensing that’s impossible to prove was done.
“Clear boundaries make standard risks manageable. Those same boundaries orphan the risks that don’t fit categories yet. 3LOD works as designed—just not for everything.”