Your project doesn’t have Three Lines of Defence. It has one line and a logo.
Why most infrastructure sponsors are buying assurance they don’t actually have, and what changes when there’s a bomb in the ground.
Ask the sponsor of any major UK infrastructure programme how they manage risk and, somewhere in the answer, you’ll hear “Three Lines of Defence.”
It will be in the tender documents.
It will be on a governance slide.
It will almost always be wrong.
The Three Lines model is the most cited, most diagrammed—and most misunderstood—risk framework in construction. Sponsors point to it like a pilot points to a checklist, as proof the system is sound.
Then a 500kg bomb turns up in the spoil heap.
10,000 people are evacuated.
The programme slips a quarter.
And the post-incident review reveals all three lines were paid by the same parent company.
That isn’t a defence. It’s a logo.
What Three Lines was meant to be
The original model came from banking and internal audit. In 2020, the Institute of Internal Auditors reissued it as the Three Lines Model and deliberately dropped the word "defence", moving away from a gatekeeping mindset and toward accountability for governance and risk.
At its core, the model is simple:
First line: owns and manages the risk as part of delivery (contractors and supply chain).
Second line: sets standards, monitors, and challenges (the project's own health, safety and environment, technical assurance, and risk management functions, not the regulator).
Third line: provides independent assurance to the governing body.
That last word—independent—is where most projects quietly fail.
What sponsors actually buy
A typical UXO-affected project looks like this:
A principal contractor is appointed.
UXO risk assessment and survey are subcontracted.
The same specialist provides on-site EOD support.
A related entity provides “independent” assurance.
Three lines. One commercial ecosystem.
When assurance depends on the same revenue stream as delivery, it stops being assurance. The third line’s only real function is to tell the board uncomfortable truths.
If it can’t do that, it doesn’t exist.
Why UXO exposes the flaw
Most risks can tolerate weak governance for a while. UXO cannot.
It is low-frequency, high-severity. Easy to dismiss in planning, impossible to ignore in delivery. Around 450,000 bombs were dropped on the UK; roughly 10% didn’t detonate. The risk hasn’t gone away—only the memory of it has.
It lacks a dedicated statutory framework. Obligations sit within broader health and safety legislation, principally the Construction (Design and Management) Regulations 2015 and the Health and Safety at Work etc. Act 1974, with CIRIA C681 as industry guidance rather than law. That leaves wide room for interpretation and weak challenge.
It is commercially inconvenient. Every pressure—cost, time, programme—pushes toward optimistic risk ratings.
Without a truly independent third line, there is no counterweight to that optimism.
In February 2024, a single device in Plymouth triggered the evacuation of over 10,000 people. Now place that event on the critical path of a £200m programme—and explain to your board that your “independent” assurance reported through the same group that missed it.
What independence actually looks like
Independence isn’t about size or cost. It’s about freedom to speak without consequence.
In a functioning model:
Delivery sits with the contractor and UXO specialist.
Standards and challenge sit with technical assurance functions.
True third-line assurance reports directly to the sponsor or board.
No shared incentives. No diluted messages. No filtered reporting lines.
The third line doesn’t need to be large. It needs to be untouchable.
The board-level question
If your programme carries latent explosive risk—brownfield, former military land, ports, offshore, or any city bombed in the 1940s—ask this:
“Who in our governance structure can tell us our UXO risk is worse than we’ve been told—and has the independence to prove it?”
If the answer is a person with a direct line to the board, you have assurance.
If the answer is a logo, you don’t.
Capreae Consulting provides independent advisory and assurance for high-consequence infrastructure environments where latent explosive risk intersects with delivery, regulatory, and commercial pressure.