
Three Lines of Defense (LoD) Model

The Three Lines of Defense (LoD) model is a risk management framework that provides a structured approach for organizations to clearly define and separate responsibilities related to three distinct layers of accountability: governance, risk management and disclosure. 

Originally formalized in 2011 by the Basel Committee - the main world-wide standard setter for the prudential regulation of banks, serving as a forum for cooperation on banking supervisory matters - within the “Principles for the sound management of operational risk”, the model establishes three distinct lines of defense to ensure robust oversight and accountability:

  1. First Line of Defense: Business Units
    1. Operates within business functions and owns day-to-day risk management.
    2. Implements internal controls and ensures adherence to policies and procedures.
    3. Identifies, monitors and reports emerging risks, escalating concerns when necessary.
  2. Second Line of Defense: “Risk and Compliance” - an independent Corporate Operational Risk Function (CORF), also known as the corporate operational risk management function in many jurisdictions
    1. Generally complements the business unit’s operational risk management activities with oversight and support in risk policies, tools and training.
    2. Independently monitors the risk profile and challenges risk decisions when needed.
    3. Tracks regulatory developments to ensure ongoing compliance.
  3. Third Line of Defense: Independent Review / Audit
    1. Conducts independent reviews of the first two lines to evaluate their effectiveness.
    2. Assesses internal control systems, governance structures and risk mitigation practices.
    3. Reports findings directly to the board or audit committee - ensuring impartial oversight.

This layered approach ensures comprehensive risk management by distributing responsibilities while maintaining checks and balances within the institution.
