Explaining 3 lines of Defense in Risk Management.

It's absolutely not complicated. Worth remembering though.

The Three Lines of Defense is a model used in risk management to ensure effective risk governance and control across an organization. This model provides a clear structure for assigning and coordinating risk management roles and responsibilities. Here’s an explanation of each line of defense:

1. First Line of Defense: Operational Management

  • Role: The first line of defense is composed of operational managers and staff who own and manage risks directly. They are responsible for maintaining effective internal controls and executing risk and control procedures on a day-to-day basis.
  • Responsibilities: Identifying, assessing, controlling, and mitigating risks as part of their operational activities. They ensure that processes and controls are embedded in their operations and that risk management is part of their routine tasks.
  • Examples: Business unit managers, process owners, and frontline employees.

2. Second Line of Defense: Risk Management and Compliance Functions

  • Role: The second line of defense consists of risk management and compliance functions that provide oversight and guidance on risk-related matters. These functions help build and monitor the implementation of effective risk management practices.
  • Responsibilities: Developing risk management frameworks, policies, and procedures. Monitoring compliance with regulatory requirements and internal policies, conducting risk assessments, and providing advice and training to the first line.
  • Examples: Risk management teams, compliance officers, and financial control units.

3. Third Line of Defense: Internal Audit

  • Role: The third line of defense is provided by the internal audit function, which offers independent assurance on the effectiveness of governance, risk management, and internal controls.
  • Responsibilities: Conducting objective assessments and audits to evaluate the adequacy and effectiveness of the first and second lines of defense. Reporting findings to senior management and the board, and recommending improvements.
  • Examples: Internal auditors and external auditors (when engaged for internal audit purposes).

In summary:
  • First Line: Operational management directly manages risks and implements controls.
  • Second Line: Risk management and compliance functions provide oversight, guidance, and support to the first line.
  • Third Line: Internal audit provides independent assurance on the effectiveness of risk management and controls across the organization.
