Three Lines of Defense for Risk Management

Mike Ogden

In our continuing quest to improve how companies manage risk, it’s inevitable we’d eventually discuss the “Three Lines of Defense,” a risk management model for clarifying roles and responsibilities. It explains the relationship between these functions and serves as a guide to how responsibilities should be divided. 

That said, we see a more dynamic role for the Three Lines of Defense as a catalyst for business. They set you up not only to manage risk but also to go on the offense. You can use this newfound agility to innovate and discover competitive advantages.

"Over 80 percent of enterprise risk management leaders surveyed responded they believe the portfolio of risks on the horizon is increasing."  NC State Poole College of Management  

Here’s how the roles of the Three Lines of Defense are defined: 

1st Line of Defense – The Doers 
The first line of defense is represented by the doers—the people on the front lines. They’re managing risk, complying with regulations and standards, and carrying out the company’s defined risk management processes daily. 

2nd Line of Defense – The Superintendents 
The second line of defense is managerial and is responsible for oversight of the doers. They also develop and implement risk management processes, policies and procedures. 

3rd Line of Defense – The Investigators 
The third line of defense consists of the auditors, both internal and external, who independently assess and report on the work of the other two lines.

Clarify roles to increase accountability 

Clearly defined roles help everyone know what they’re accountable for in terms of managing risk. They also help eliminate redundancy of duties across the three lines. Each line knows what it’s accountable for.

The first line is more effective when the second line coordinates their activities. Doers can take pride in owning risk and being accountable, which enhances their ability to lead. 

The second line is also in a perfect position to see what’s working and what isn’t, and they have the authority to make changes like adding controls to reduce risk. As they monitor the first line’s activities, the second line can provide input and deliver on the organization’s risk management strategy.

The third line of defense assesses and reports on what it sees from the first and second lines. With this defined role, it’s easier to gather evidence and conduct investigations. Autonomy, authority and agility are enhanced when the first and second lines respect the work of the third. 

Empower the Three Lines of Defense 

The Three Lines of Defense for risk management brings order to chaos. You have structure and clarity. But watch what happens when you add in an integrated risk and compliance platform.

The platform streamlines internal processes, which boosts the productivity of first-line business owners. The same platform enables the second line to continuously monitor the first line with dashboards and analytics. Data is recorded and reportable to upper management and the board. The third line uses the platform to streamline audits, everything from collecting evidence and generating audit tasks to creating audit workpapers at the push of a button. 

As a strategy for managing risk, the three lines of defense provides clarity and accountability. Get more out of the three lines by incorporating a platform. It will help to streamline risk management activities, facilitate collaboration, and enhance accountability among the three lines. The two together can be a catalyst for business. 

