What is the 'three lines of defense' model?

The 'three lines of defense' model serves as a recognized framework that clearly delineates the roles and responsibilities of various functions within an organization concerning risk management and control.

In this model, the first line of defense consists of operational management, who are responsible for identifying and managing risks within their day-to-day operations. They play a critical role in establishing and maintaining effective internal controls. The second line of defense comprises risk management and compliance functions, which provide support and guidance to operational management, ensuring that risks are managed properly and that compliance requirements are met. Finally, the third line of defense is the internal audit function, which offers independent assurance regarding the effectiveness of governance, risk management, and internal controls across the organization.

This structured approach helps organizations better manage risks and align their resources effectively, enhancing overall governance and accountability. It clarifies the interaction between different functions in managing risks while also fostering collaboration and communication among them. Thus, the model is essential in promoting a comprehensive risk management strategy within organizations.