The 03 Lines of Defense

Businesses are operating in an increasingly uncertain, volatile and complex world and the need for good governance, risk management and compliance is stronger than ever.

What is Governance, Risk Management & Compliance?

Corporate governance ensures that those responsible for running the organization are doing their jobs properly and are discharging their duties faithfully.

Proper risk management ensures that the organization is aware of the risks present in its environment and have proper mitigating solutions in case those risks materialize.

Compliance to external laws and regulations as well as internal policies and guidelines are a critical issue if the organization is to remain in business and not face huge penalties.

These functions are strongest when there are three separate and clearly identified lines of defense. The three lines of defense model can be used to clarify essential roles and responsibilities regarding risk management, internal controls and governance.

What is a Governing Body?

Before we talk about the three lines of defense, we need to understand the role of the governing body in an organization.

The governing body sets out the policies including the risk management policy and sets responsibilities and reporting structure within these policies to ensure that the policies are implemented as desired.

The governing body works with the first line and the second line to set the direction for the company. Usually the governing body is the board of directors and board committees of the organization.

The First Line - Operational Management

The first line includes the functions which own and manage risks. They are also responsible for implementing corrective actions when there are internal control deficiencies. Operational management serves at the first line of defense.

The Second Line - Risk & Compliance

The second line of defense includes the risk management and compliance functions and they work with the first line of defense in implementing the policies set by the governing body. They are responsible for reviewing, overseeing and facilitating the implementation of the policies which the governing body sets out.

The roles of the second line of defense includes making the risk management framework, compliance framework, providing training on risk and compliance, identifying emerging risks and assisting management to develop processes and controls to manage risks.

The Third Line - Internal Audit

The third line of defense is the internal audit, which provides independent assurance on the internal controls and risk management within the organization to the governing body.

Is there more?

Some standards propose a fourth line of defense, which is the external audit, regulatory bodies and other external parties. This is very relevant to highly regulated industries such as financial institutions.

Three lines defense model — From the IIA position paper; The Three Lines Defense in Effective Risk Management and Control

When governance, risk management and compliance frameworks are set according to the three lines of defense model, it ensures proper accountability and delegation of responsibility.