The Three Lines of Defence is a model that the Financial Services Authority (which became the Financial Conduct Authority) encourages firms to adopt, to provide clarity in responsibilities and accountabilities between the three lines and to ensure that effective independent oversight and assurance activities take place, covering key decisions and processes.
The Business is regarded as the first line of defence and has primary responsibility for risk decisions: identifying, measuring, monitoring and controlling risks within its areas of accountability. It is required to establish effective governance, risk and control frameworks for its business unit to ensure compliance with the firm’s risk policy requirements, to maintain appropriate risk management skills, methodology, frameworks and solutions, and to ensure it is operating within the risk appetite boundaries set and approved by the Board.
Risk Management is regarded as the second line of defence, and provides oversight of the risk management process and independent challenge of decisions taken by the business, providing advice, insight and guidance. The Second Line is also responsible for reporting on the risk profile of the firm and for ensuring that high/extreme risks, and those outside of appetite, all have mitigation plans and that those plans are being executed.
Internal Audit is regarded as the third line of defence, providing independent, objective assurance and advice designed to add value and improve the organisation’s strategic and operational performance. The Third Line supports the board and senior management in sustainably delivering objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
Does your firm use the Three Lines of Defence? How do you define it? Does it add value to your business?