Using the Three Lines of Defense Model to Manage Risk

A comprehensive risk management framework requires awareness and input from all areas of an organization to ensure adequate risk identification, assessment, and monitoring. With many parties working together and bringing unique skill sets, it is vital to implement a structured approach for assigning roles and responsibilities related to the process. The absence of this approach may result in an ongoing debate over who is responsible for accomplishing specific tasks.

To achieve the necessary cohesiveness, the “Three Lines of Defense Model” (a new model for governance and risk management issued by the Institute of Internal Auditors earlier this year) provides a standardized and effective method by defining the responsible parties and their duties for risk management in an organization.  Further, the model promotes risk ownership and a stronger risk management culture while reducing the inefficiencies and overlaps that often occur when risk is managed by multiple functions with unclear boundaries between them.

What if the Three Lines of Defense Model does not fit a specific organization because of its structure?  Factors such as industry and size do not prevent an organization from implementing the model: its core principle, separating those who own risk from those who oversee it and from those who independently assure it, can be mapped onto whatever functions the organization actually has.


Implementation Approach

The model is organized around three groups, and its main objective is to define who owns and manages risk, who oversees risk, and who provides independent assurance.  While there are many variations in how the Three Lines of Defense Model looks in practice, the roles and responsibilities of each line are generally as follows:

First Line: Business Process Owners

Comprised of the numerous teams performing day-to-day operations in an organization, the first line is primarily responsible for identifying and monitoring risk as it arises.  Most business process owners inherently fit this role, since controls are designed into the processes and systems they use on a recurring basis.  Additional responsibilities include guiding the development of policies and procedures and ensuring that activities are consistent with the organization’s mission and risk appetite.  Because the individuals on the first line are at the forefront of the risks facing an organization, it is important that they be given both the responsibility and the accountability to plan and monitor the risk environment they operate in.

Second Line: Compliance/Risk Management Functions

Since managing risk is typically an extensive process, organizations often establish dedicated compliance and/or risk management functions as the second line.  The specific names of these functions vary by industry, but they are typically created to ensure that the first line is operating as intended.  In this effort, the second line supports the first line’s ownership of risk and controls by establishing and communicating common risk taxonomies, assessment methodologies, and standards and practices.  The second line is also responsible for proactively monitoring high-risk areas to determine whether the processes implemented by the first line are working effectively and comply with applicable rules and regulations.  A common way for the second line to summarize the results of this monitoring is through recurring reports to management and the other stakeholders involved in the process.

Third Line: Internal Audit

Providing independent and objective assurance to senior management and the board is critical to an organization achieving its overall strategy.  To support this, internal audit acts as the third line by assessing how the first and second lines achieve their risk management and control objectives; the value of that assurance rests on internal audit’s independence from the functions it assesses.  An effective method for ensuring that an organization properly identifies and manages risk is to create an annual audit plan focused on high-risk areas.  An integrated audit approach that assesses business and technology processes together can be leveraged when performing risk-based assessments of controls across the organization.

Does your organization have an effective risk management framework in place?  No organization wants to be caught unprepared by a threat it never considered or whose impact it underestimated.  Adopting and implementing the Three Lines of Defense Model could be the driving factor needed to ensure that risk is managed holistically from top to bottom.


To learn more or inquire about how Clearview Group can help your organization implement this new model for governance and risk management, contact:
