The three lines of defence (or 3LOD) model is an accepted regulated framework designed to facilitate an effective risk management system. Traditionally, this model is used because it provides a standardised and comprehensive risk management process that clarifies roles, reduces cost and reduces effort.
While there are many variations of what the model looks like in practice, here's what the roles of each line generally look like.
Line 1: Risk owners
The first line of defence (1LOD) is provided by front line staff and operational management. The systems, internal controls, control environment and culture developed and implemented by these business units are crucial in anticipating and managing operational and non-financial risks.
Line 2: Risk oversight
The second line of defence (2LOD) is provided by the risk management and compliance functions. These functions provide the oversight and the tools, systems and advice necessary to support the first line in identifying, managing and monitoring risks.
Line 3: Risk assurance
The third line of defence (3LOD) is provided by the internal audit function. This function provides a level of independent assurance that the risk management and internal control framework is working as designed.
How do financial firms actually implement the three lines of defence model?
The above is, in theory, how the three lines of defence model generally works, but how are financial firms using it in reality? Do they stick to the traditional model or are they changing it to better meet their needs?
To find out, we carried out a Practice Benchmark on the three lines of defence model. This study looked at how firms are actually using it in practice, how they are altering the model's structure to meet their own requirements and how the three lines of defence might evolve in the future.