The IIA killed "Three Lines of Defence" in 2020. Your UXO contract hasn't noticed.

Six years on, infrastructure programmes are still buying a model the profession has formally retired — and the gap is biggest where the risk is heaviest.

By Capreae Consulting | Infrastructure Risk Advisory

If you work in risk, audit or assurance, you already know this: in July 2020, the Institute of Internal Auditors retired the "Three Lines of Defence" model and replaced it with the Three Lines Model. The word "defence" came out. The governing body went in at the top. Collaboration replaced gatekeeping. Six years of working papers, training, audit methodologies and academic literature have rebuilt around the change.

Walk onto a UK infrastructure site dealing with unexploded ordnance, however, and you'll find the old language is still everywhere. The risk register says "Three Lines of Defence." The contractor's tender response says "Three Lines of Defence." The client's assurance plan says "Three Lines of Defence."

The label is a tell. When a sector keeps using the retired version of a model, it usually means it has imported the diagram without importing the discipline.

What actually changed in 2020

The 2020 update did three things that matter for infrastructure clients.

It put the governing body in the picture. The original 3LoD framework was almost silent about whom the three lines were defending on behalf of. The new model is explicit: the governing body (board, sponsor, accountable executive) sits above the three lines and is accountable for the system itself. That is a direct response to the criticism that risk had become "something done in the engine room while the bridge looked elsewhere."

It killed the gatekeeper mindset. The IIA accepted that the "defence" framing was producing adversarial second and third lines, defensive first lines, and a culture in which the risk function was treated as something to be managed around rather than worked with. The updated model frames the lines as collaborating roles, not policing tiers.

It tightened the definition of independence. Internal audit — the third line — should not provide assurance over activities for which it has had recent responsibility. It should not make management decisions. Its reporting line, access and budget must protect its ability to deliver uncomfortable findings. The model is unambiguous: if your third line can be commercially leaned on by the first line, it isn't a third line.

That last point is where infrastructure programmes consistently fall over on UXO.

Mapping the model to a UXO project

Here is what the model looks like, properly configured, on a brownfield or marine project with a latent UXO threat.

Governing body. The client's board, programme sponsor or SRO. Owns the residual risk on behalf of the funder and the public. Sets the risk appetite. Has the final say on whether the project proceeds, pauses or replans when conditions change.

First line. The principal contractor and their UXO specialist subcontractor. They survey, they intervene, they make the site safe. They own the operational decisions and the operational consequences.

Second line. The principal designer, the client's H&S advisor, the client's technical assurance team. They set the standard (typically aligned to CIRIA C681 and C785), monitor compliance, challenge first-line judgements and aggregate the risk picture for the governing body.

Third line. An independent assurance provider, contracted directly by and reporting directly to the governing body. Their job is to test whether the first and second lines are actually doing what the framework says they are, and whether the residual risk reported to the board is the residual risk that exists on site.

That is the model. It is straightforward. It is also, on most UK infrastructure projects with UXO exposure, structurally compromised before the first survey is mobilised.

The five compromises we see most often

Across infrastructure projects in the UK, the same five patterns turn up so consistently that they have become the default. They are also the five places assurance professionals should be looking first.

1. The same group sells you all three lines. The UXO specialist who does the desk study also does the survey, also does the EOD support, also does the post-completion assurance. The branding may differ across the group. The P&L doesn't. There is no third line — there is one supplier and a procurement diagram.

2. The second line works for the first line. The H&S advisor monitoring the UXO contractor is sub-contracted by the principal contractor. They can be replaced if their challenge becomes inconvenient. Independence requires the freedom to deliver findings that cost someone else their fee. That freedom does not exist when the same someone signs your timesheet.

3. The third line reports through the first line. Independent assurance findings are routed to the governing body via the project director — who is, in practice, the person being assured. By the time the board sees the report, it has been "contextualised." The IIA model is explicit that the third line's reporting line must protect its objectivity. In practice, it almost never does.

4. The wrong metric defines success. The number of UXO findings goes down quarter on quarter, and the programme calls it good news. Sometimes it is. Sometimes it is the signal that the team has stopped looking hard. The right metric is remediation rate against agreed actions, not finding count. A high-quality assurance function generates uncomfortable findings and tracks them to closure. A low-quality one generates green RAG ratings and a thank-you note.

5. The space between the lines isn't owned. The most dangerous territory in any Three Lines configuration is the space between roles — the risk that doesn't clearly belong to the first line, the second line or the third line, and therefore belongs to none of them. On a UXO project, that space is enormous. Who owns the residual risk in the area cleared to 1 metre when piling is going to 8? Who owns the change of intent when the cable trench moves 30 metres east into ground that was never surveyed? Who owns the assumption in the desk study that the WWII air raid records were complete? The model only works when these gaps are explicitly assigned. They almost never are.

What good assurance looks like

A properly configured third-line assurance arrangement on a UXO-affected project does three things.

It reports independently to the governing body, on its own timetable, with no obligation to clear findings through the first line before they land.

It tests the substance, not the documents. A clean risk register is not evidence that the risk is being managed. Field verification, sample re-review of survey data and live observation of intervention work tell you whether the framework is real or theatrical.

It closes the loop on residual risk. Every project will accept some residual UXO risk — there is no such thing as zero. The third line's job is to verify that the residual the board signs off on is the residual that genuinely exists, and that the assumptions underpinning it are explicit, documented and current.

This is unglamorous work. It is also the only thing that makes the model worth the paper it is drawn on.

A practical test for your current project

Pull out your project's current risk and assurance plan. Find the section that describes the Three Lines configuration for ground risk, including UXO. Ask three questions.

Does each line have a different paymaster?

Does the third line report directly to the governing body without first-line filtering?

Is there an explicit, named owner for each of the gaps between the lines?

If the answer to all three is yes, you have a functioning Three Lines Model. If the answer to any of them is no, you have a diagram. The difference will only matter on one day — the day you find a bomb.

Capreae Consulting provides independent third-line assurance for infrastructure programmes with latent explosive risk. We do not deliver survey, intervention or EOD services. That is the point.
