Model Governance: Three Lines of Defence
By Jonas Osman Abdelghafour
Clear ownership, independent validation, and audit assurance make the difference between a model inventory that is trusted and one that is merely maintained.
By Jonas Osman Abdelghafour.
Model governance is the set of arrangements that determine who builds, uses, challenges, and assures the models an organisation relies on. In insurers and banks, that population now includes reserving models, capital models, IFRS 9 and IFRS 17 measurement models, ALM and IRRBB engines, pricing algorithms, and an increasing share of machine-learning components. The three-lines-of-defence (3LoD) framework, published in updated form by the IIA in 2020, remains the reference structure for allocating responsibility across those models without collapsing ownership into oversight.
What each line actually does
The first line owns the model. That means specifying business use, sourcing data, developing or configuring the model, producing results, and standing behind those results in front of management. First-line ownership includes day-to-day performance monitoring and the initial documentation of assumptions, limitations, and known weaknesses.
The second line — typically a model risk or independent validation function — sets policy, maintains the model inventory, tiers models by materiality, and performs independent validation. Validation is not a repeat of development. Its purpose is to challenge conceptual soundness, verify implementation, test outcomes against alternative benchmarks, and confirm that the model is fit for its stated use. The output is a validation opinion with findings, ratings, and conditions of use.
The third line — internal audit — provides periodic assurance that the framework itself is designed and operating effectively. Audit does not re-validate models. It tests whether the inventory is complete, whether tiering is consistent, whether findings are tracked and closed on time, and whether governance committees receive information they can act on.
Tiering and proportionality
A workable framework tiers models by a combination of financial materiality, regulatory sensitivity, and reputational exposure. Tier 1 models — typically capital, IFRS 17 CSM, and PD/LGD models for material portfolios — receive full-scope validation, annual monitoring, and board-level reporting. Lower tiers can be validated on a lighter cycle with proportionate documentation. The mistake to avoid is a flat regime that either overwhelms the second line or leaves material models under-scrutinised.
Documentation and evidence
Each model should carry a documented development file, an independent validation report, a use log, and a monitoring pack. Findings are recorded in a central register with severity, owner, remediation plan, compensating controls, and target closure date. Closure requires evidence, not assertion. See the companion note on model risk remediation and finding closure for how that discipline is operationalised.
Common failure modes
Three patterns recur in reviews. First, second-line teams drift into co-development because the first line lacks capacity; this quietly erases independence. Second, validation opinions accumulate but findings never close, so the register becomes a graveyard rather than a management tool. Third, audit tests documentation completeness without ever asking whether the model is being used for the decisions it was built for.
Governance rhythm
A functioning cadence typically includes a monthly model-risk committee at management level, quarterly reporting to the risk committee of the board, and an annual model-risk statement that summarises inventory, validation coverage, open findings, and material limitations. Regulatory expectations for internal-model insurers under Solvency II and for banks under SR 11-7 or the ECB TRIM guidance are broadly consistent on this point.
Limitations
3LoD is a structure, not a control in itself. It works when the three lines have distinct mandates, real authority, and sufficient technical depth. It fails when any line is under-resourced, when reporting lines create conflicts of interest, or when the framework is treated as a compliance artefact rather than a decision-making discipline. Governance quality is ultimately measured by whether model limitations are visible to decision-makers before, not after, they matter.
Conclusion
The three-lines model gives organisations a defensible way to combine ownership, challenge, and assurance across a growing model estate. Its value depends less on the diagram than on the quality of the second-line challenge and the willingness of the first line to accept it. Related practice notes cover actuarial communication for risk committees and credit-risk model monitoring dashboards.
Written by Jonas Osman Abdelghafour, actuary and financial risk manager. Background and contact details are on the about page.