Glossary · ERM
Three Lines of Defense Model
Risk governance framework separating operational management, risk oversight, and independent assurance into three distinct organizational layers.
Full definition
The Three Lines of Defense Model structures risk management responsibilities across three layers: first-line business units that own and manage risk, second-line risk and compliance functions that oversee and challenge, and third-line internal audit that provides independent assurance. Each line has distinct roles, accountabilities, and reporting relationships to prevent conflicts of interest. For example, a bank's trading desk (first line) executes transactions, the risk management function (second line) sets limits and monitors exposures, and internal audit (third line) validates the effectiveness of both. The IIA has since evolved this model into the Three Lines Model, which emphasizes coordination over rigid separation.
Tags: governance, risk-oversight, internal-audit, accountability