The Three Lines of Resilience

  • 07 May 2026
  • Mohamed

What if there was a unified governance architecture that connected business continuity, operational resilience, and organizational resilience?

Most organizations manage business continuity (BC), operational resilience (OR), and organizational resilience as parallel, disconnected programs. Each has its own standard, its own language, often its own leader. The result is unclear accountability, duplicated effort, and fragmented assurance reaching the board.

There is a simpler way, and it already exists in governance. The Institute of Internal Auditors’ Three Lines Model (2020) is a mature, board-level architecture trusted by regulators and governing bodies worldwide. I propose that the same structural logic can resolve the accountability problem in resilience. I call this adaptation the Three Lines of Resilience (LOR).

The resilience profession has excellent standards: ISO 22301, ISO 22316, DORA, Basel, and other sophisticated frameworks. What has been missing is a shared governance architecture that clearly assigns roles across the three domains and connects them credibly to the governing body.

The Three Lines Model solves exactly this in governance: the first line owns and executes risk, the second line enables and challenges, and the third line assures independently. Apply that logic to resilience, and three things happen. Accountability becomes unambiguous. Duplication between business continuity and OR disappears. And the board receives independent assurance on resilience. This is not an analogy; the three domains are structurally equivalent to the three lines.

The first line executes. Business continuity owns the response to disruption. It develops BCPs, BIAs, DRPs, RTOs, and RPOs, runs exercises, and leads crisis execution. Like any first line, independence would defeat its purpose: it must sit inside the operations it is protecting.

The second line enables, monitors, and challenges. Operational resilience governs execution. It defines important business services and maps their end-to-end dependencies, including critical infrastructure and critical suppliers; sets impact tolerances; designs cross-functional scenario tests; and verifies alignment with DORA, Basel, and equivalent frameworks. Critically, it challenges business continuity assumptions: are plans realistic, are scopes complete, and are tolerances met?

The third line assures integration and independence. Organizational resilience evaluates the ecosystem. It provides assurance over the effectiveness of both business continuity and OR, reviews resilience culture and leadership, and reports directly to the governing body on long-term viability. Its credibility, like internal audit's, depends on independence from management.

This structural mapping can produce a set of practical governance consequences, for example:

  • Policy hierarchy. The first line owns the business continuity policy and framework. The second line owns the operational resilience policy and framework. The third line ensures both are aligned with the organization's overarching organizational resilience policy and linked to its strategic objectives. Without this hierarchy, policies develop in silos.
  • Integrated reporting. First-line operational status feeds second-line monitoring dashboards. Second-line risk and tolerance assessments feed third-line assurance reports. Third-line conclusions reach the governing body as independent intelligence. A gap at any point creates blind spots at the top.
  • The BIA–IBS–critical infrastructure chain. When a BIA is updated, a critical process is reclassified, an RTO is revised, or a new dependency is identified, that change must cascade to the second line's important business services mapping and to any affected critical infrastructure and supplier dependencies. Without cross-line integration governance, each line updates in isolation and the three pictures drift apart. The third line's role is to independently validate that this chain actually functions in practice, not just in design.
  • Crisis execution. This stays in the first line; independence during an incident would be operationally dangerous. The second and third lines support, observe, and learn.
  • Infrastructure resilience. This is shared between the first and second lines and requires explicit collaboration protocols.
  • KPI governance across the lines. Each line monitors resilience performance at a different altitude: the first line tracks business-continuity-level KPIs, plan readiness, RTO/RPO compliance, and exercise outcomes; the second line monitors OR KPIs, important business service availability, impact tolerance status, and regulatory compliance. The third line reports a resilience index to the governing body: a strategic, organization-wide view of resilience maturity and adaptive capacity that neither of the other two lines can objectively provide.
  • Maturity progresses through the lines: a first-line-only organization survives disruptions; adding a second line means it absorbs and adapts; a genuine third line enables it to exceed and transform.

[Table: The Three Lines of Resilience]

The Three Lines of Resilience is a personal perspective developed through practice, reflection, and the conviction that resilience governance deserves a structure of this kind. It offers practitioners a framework to build upon rather than a definitive answer, and aims to help them think more clearly about resilience, accountability, and integration in governance practice.


The Institute of Internal Auditors, The Three Lines Model (2020)

ISO 22301:2019 Security and resilience: Business continuity management systems

ISO 22316:2017 Security and resilience: Organizational resilience

EU Digital Operational Resilience Act (DORA), 2022/2554

Basel Committee on Banking Supervision (2021). Principles for Operational Resilience. Bank for International Settlements. March 2021

The IIA’s Three Lines Model is the intellectual property of the Institute of Internal Auditors. The Three Lines of Resilience (LOR) is the author’s independent adaptation and does not represent an official IIA position or endorsement.


About the author

Mohamed Ahmad Abuelqroush

Head of GRC Solution Practice