The Compliance Operating System

Why the Three Lines of Defence was never designed to be a delivery chain — and what to build in its place. A Stance position paper.

June 2026 /Approx. 8 min read

Walk into the offices of any large regulated bank and you will find three departments doing what looks, from a distance, like the same work. The first line owns the controls in practice: the systems, the configurations, the day-to-day operation of the things the regulator cares about. The second line owns the framework, which is to say the policies, the control library, the regulatory mapping, the question of whether what the first line is doing is what the institution committed to doing. The third line owns the assurance, providing independent verification that the first two lines are doing what they say they are doing. Three departments, three reporting lines, three sets of tooling, three vocabularies. Often three different floors.

Now watch what happens when an examiner asks a question. Not a hard question, but a precise one. Show me which controls satisfy this obligation, and prove they were operating on the date of this transaction. The question is sound. The institution has all the pieces required to answer it. The regulation is on file. The control framework is documented. The systems are running and producing logs. Somewhere in the building, every component of the answer exists.

The answer still takes weeks. It takes weeks because the question has to be translated three times to be answered, and the answer has to be translated three times to be reported. Second line reads the regulation and asks first line which controls apply. First line doesn't think in regulatory obligations, they think in systems and processes, so they translate the question into their own argot, answer it, and translate the answer back. First line asks engineering whether a particular control was operating. Engineering doesn't think in controls. They think in pipelines and configurations and monitoring alerts. So they translate again, answer, and translate back. Third line, when it asks for evidence to verify both, gets it in a fourth form. By the time the answer reaches the examiner, four translations have happened, none of them documented, and nobody on the chain is fully confident that the meaning survived the trip.

Broken by necessity

This is what people mean when they say compliance is broken. They usually attribute the brokenness to bad tooling, or to overworked teams, or to the volume of regulation. None of those is the real story. The tooling is, in most large institutions, expensive and competent. The teams are staffed by professionals doing exactly what they have been asked to do. The volume of regulation is real but not new. The real story is structural, and it requires going back to where the three-lines model came from.

The three-lines model emerged from internal audit practice and was formalised about a decade ago. It is a model for control: for keeping the people doing the work separate from the people checking the work, and both separate from the people auditing the check. It succeeds at this. It has always succeeded at this. The 2020 revision of the model dropped "of defence" from its name, partly in recognition that the defensive framing had calcified into siloed thinking. But the architecture of separation was sound, and remains sound. The model was never intended to describe a delivery chain. It was intended to describe a control structure.

The problem is what happened next. Once the model became the blueprint for how the function was organised, three departments grew up around the segregation, each with its own language, its own conventions, its own tooling, optimised independently because the model never asked them to act as a chain. Each line is, internally, coherent. Across the lines, the work has to be stitched together by hand, every time, by translation work that nobody is formally responsible for and nobody is tracking.

The three lines are not broken. They are working as designed. The chain they are part of is broken, and it is broken because the chain was never designed.

Here is the diagnosis underneath the diagnosis. The reason translation work is so costly between the lines is not that the lines don't communicate. They communicate constantly. The reason is that, when they communicate, they routinely ask each other questions the other line cannot answer in the form they were asked. Second line asks first line which controls cover a particular obligation. First line, in the language they operate in, doesn't have a notion of "which controls cover an obligation." They have a notion of which systems implement which processes, with which configurations, monitored by which dashboards. They have to reconstruct, in their own terms, what the question even is before they can begin to answer it. First line asks engineering whether a control is operating. Engineering has no notion of "control" in their working vocabulary. They have pipelines, deployments, configurations, alerts. The same reconstruction happens, in reverse, before any useful answer can come back. Third line asks both lines for evidence, and gets two different reconstructions of the same underlying reality, neither of which lines up cleanly with the original regulatory question.

The translation work is invisible because it happens inside people's heads and inside informal exchanges. It is manual because nothing in the system maintains the mapping between the languages. It is lossy because each translation discards detail and adds interpretation. And it is repeated, in full, every time a new question is asked, because the previous translations were never recorded as reusable artefacts.

This is what we mean when we say the chain is broken by necessity. The 3LoD was not designed to accelerate delivery. It was designed to enforce separation. The separation, applied to organisational design, produced three departments speaking different argot, asking each other questions in languages the other could not answer in. The work of joining them up has been borne, invisibly, by the people in them, for the entire history of the model.

Figure 01
The chain that was never designed
FIRST LINE SECOND LINE THIRD LINE FIRST LINE SECOND LINE THIRD LINE
Figure 01. Each line is internally coherent — the first line operates the controls, the second owns the framework, the third provides assurance. Between them there is no shared language, so every exchange fails at the boundary and must be reconstructed by hand.

A compliance operating system

The structural answer is not to reorganise the three lines, or to merge them, or to hire more people into them. Those interventions either undermine the separation that gives the model its value, or they add capacity to a problem that capacity does not solve. The structural answer is a common language that runs from regulation through policy, management standards, controls, all the way down to implementation evidence, and that each line can translate into and out of using their own conventions, their own tooling, their own argot, without ever having to abandon any of it.

In this paradigm, the second-line person continues to think in regulations and obligations. They ask their questions in those terms. The first-line person continues to think in systems and processes and runs their function in those terms. The engineer continues to think in configurations and pipelines and writes their code in those terms. None of them is asked to learn the others' vocabularies, and none of them is asked to translate. The translation is done by the substrate underneath, which holds the mapping between the languages because the mapping is part of how it was built. The lines stay autonomous. Their conventions stay their own. The chain becomes continuous because the substrate makes it so.

This is what we mean by a compliance operating system. The word "system" is doing real work in the phrase. An operating system, in its original sense, is the layer that lets independent processes share resources and communicate without each one having to know how the others work internally. The processes stay independent. The operating system holds the protocols. The same idea, applied to the compliance function, produces a layer that holds the common language (clauses, obligations, controls, slots, tests, evidence, all the way through) and lets each of the three lines operate in their own register against a shared underlying reality.

The same principle applies to how the system interacts with any individual user, and this is not a separate idea. It is the same idea operating at a different scale. One of the founding tenets of how we build is that the system should never ask a user a question they cannot answer. It should ask the question they can answer, make an inference about what that implies, check that the inference is safe, and then ask the next question. The point is not just usability, though it is that. The point is that asking someone a question in the wrong language is the failure mode that broke the chain in the first place, and a system designed to fix the chain has to fix that failure at every level, including the level at which a person sits at a keyboard. The system meets each user in their own argot and assembles the joined-up answer underneath, because that is what the substrate is for.

Gaps become visible

There is one more thing to say about what a system like this does, and it follows naturally from the rest. Once the substrate exists, once the languages are mapped, once the chain is continuous, gaps become visible. Places where a policy doesn't cover an obligation. Places where a control doesn't have an implementation. Places where evidence isn't being captured for a control that requires it. These gaps existed before. They were just invisible until audit found them. With a continuous chain, they are visible in real time, and the system can do more than surface them. It can propose how to fill them, drawing on the management standards and best practices it already knows about, and let the responsible line accept, modify, or reject the suggestion in their own language. The system aids the user. It doesn't replace the judgement. It does the translation work so the judgement can happen on the substance.

Figure 02
The chain either conducts or it doesn't
REGULATION OBLIGATION POLICY CONTROL IMPLEMENTATION EVIDENCE closed end to end — evidence lights up REGULATION OBLIGATION POLICY CONTROL IMPLEMENTATION EVIDENCE
Figure 02. Continuity is testable. An open switch anywhere — an obligation without a policy, a control without an implementation, evidence never captured — and the chain does not conduct. Close it, and current flows from regulation to evidence.

What changes, and what doesn't

The translation tax stops being paid by the people in the lines and starts being paid by the system that was built to bear it.

None of this requires the three lines to change what they are. The segregation of duties is preserved. The independence of each line is preserved. The expertise of the people in each line is preserved and, in fact, made more productive because they are no longer spending half their working week reconstructing what other people have already worked out. What changes is that the chain between them, which was always supposed to be one thing and has been pretended to be one thing for as long as the model has existed, finally becomes one thing in fact.

The institutions that figure this out will not be the ones that reorganise their compliance function. They will be the ones that recognise the segregation was never the problem, and build the substrate that lets the segregation work as it was always designed.

Brendon Byrne
Brendon Byrne

CPO

Certified Internal Auditor; two decades in technology controls across Standard Chartered, JP Morgan, and Morgan Stanley.