The three lines of defence model explained
- 26 February 2020
The three lines of defence (or 3LOD) model is an accepted regulated framework designed to facilitate an effective risk management system. Traditionally, this model is used because it provides a standardised and comprehensive risk management process that clarifies roles, reduces cost and reduces effort.
While there are many variations of what the model looks like in practice, here's what the roles of each line generally look like.
Line 1: Risk owners
The first line of defence (1LOD) is provided by front line staff and operational management. The systems, internal controls, control environment and culture developed and implemented by these business units is crucial in anticipating and managing operational and non-financial risks.
Line 2: Risk oversight
The second line of defence (2LOD) is provided by the risk management and compliance functions. These functions provide the oversight and the tools, systems and advice necessary to support the first line in identifying, managing and monitoring risks.
Line 3: Risk assurance
The third line of defence (3LOD) is provided by the internal audit function. This function provides a level of independent assurance that the risk management and internal control framework is working as designed.
How do financial firms actually implement the three lines of defence model?
The above is, in theory, is how the three lines of defence model generally works, but how are financial firms using it in reality? Do they stick to the traditional model or are they changing it to better meet their needs?
To find out, we're carrying out a practice benchmark study, surveying financial firms to understand how the three lines of defence actually works at their organisation. The study will also look at how firms are altering the model's structure to meet their own requirements and the three lines of defence might evolve in the future.