The first line is the front line or business unit who are managing third party relationships daily. The second is the independent risk management function like compliance or third party risk departments. The third line in the independent audit function who reviews the first line and second line to verify work product accuracy and effectiveness of the controls in place.