The Three Lines of Defense (LoD) model is a risk management framework that gives an organization a structured way to define and separate responsibilities across three distinct layers of accountability: owning and managing risk, overseeing and challenging that management, and providing independent assurance.
Formalized for the banking sector in 2011 by the Basel Committee on Banking Supervision - the primary global standard setter for the prudential regulation of banks and a forum for cooperation on banking supervisory matters - in its “Principles for the Sound Management of Operational Risk”, the model establishes three distinct lines of defense to ensure robust oversight and accountability:
- First Line of Defense: Business Units
  - Operates within the business functions and owns day-to-day risk management.
  - Implements internal controls and ensures adherence to policies and procedures.
  - Identifies, monitors and reports emerging risks, escalating concerns when necessary.
- Second Line of Defense: Risk and Compliance - an independent Corporate Operational Risk Function (CORF), also called the corporate operational risk management function in many jurisdictions
  - Complements the business units’ operational risk management activities with oversight and with support on risk policies, tools and training.
  - Independently monitors the institution’s risk profile and challenges risk decisions when needed.
  - Tracks regulatory developments to ensure ongoing compliance.
- Third Line of Defense: Independent Review / Audit
  - Conducts independent reviews of the first two lines to evaluate their effectiveness.
  - Assesses internal control systems, governance structures and risk mitigation practices.
  - Reports findings directly to the board or audit committee, ensuring impartial oversight.
This layered approach distributes responsibility for risk across the institution while preserving checks and balances: each line’s work is overseen or assured by the line after it, so no single function both owns a risk and is the sole judge of how well it is managed.