How does the Three Lines of Defense model work in risk management?

Question

AcadiFi · Accepted Answer

The Three Lines of Defense (3LoD) is the dominant governance model for organizing risk management responsibilities in financial institutions. Each line has a distinct role:

```mermaid
flowchart LR
    subgraph First["1st Line of Defense"]
        A["Business Units
& Operations"]
        A1["Own the risks
Implement controls
Daily risk decisions"]
    end
    subgraph Second["2nd Line of Defense"]
        B["Risk Management
& Compliance"]
        B1["Set frameworks
Monitor & challenge
Report to board"]
    end
    subgraph Third["3rd Line of Defense"]
        C["Internal Audit"]
        C1["Independent assurance
Test effectiveness
Report to audit committee"]
    end
    First --> Second --> Third
    style A fill:#1a1a2e,stroke:#c9a84c,color:#fff
    style B fill:#1a1a2e,stroke:#c9a84c,color:#fff
    style C fill:#1a1a2e,stroke:#c9a84c,color:#fff
```

**First Line — Business Units (Risk Owners)**
- Front office traders, lending officers, operations staff
- They take and manage risks as part of daily business
- Responsible for implementing controls (e.g., pre-trade checks, four-eye approvals, reconciliations)
- Example at Harborview Bank (hypothetical): A loan officer must verify borrower income, check credit limits, and document exceptions before approving a commercial loan

**Second Line — Risk Management & Compliance (Risk Oversight)**
- Independent risk function (CRO organization), compliance department
- Sets risk policies, methodologies, and limits
- Monitors first-line activities and challenges decisions
- Does NOT take risks itself
- Example: The market risk team at Harborview monitors VaR utilization across all trading desks and escalates breaches to senior management

**Third Line — Internal Audit (Independent Assurance)**
- Reports directly to the audit committee of the board (not to management)
- Provides independent verification that the first and second lines are functioning effectively
- Tests control design and operating effectiveness
- Example: Internal audit reviews whether Harborview's loan approval process actually follows documented policy, not just on paper but in practice

**Where the Model Breaks Down:**

1. **Blurred boundaries** — When the second line starts making risk decisions (e.g., the risk team approves trades rather than just monitoring), it loses its independence
2. **Weak first line ownership** — Business units view risk as 'the risk department's problem' rather than their own responsibility
3. **Under-resourced second line** — Risk teams too small to meaningfully challenge a large, complex first line
4. **Audit captured by management** — If internal audit reports to the CFO instead of the audit committee, independence is compromised
5. **Checkbox mentality** — All three lines exist on org charts but operate as paper exercises

**IIA's Updated Model (2020):** The Institute of Internal Auditors updated the model to emphasize *principles* over rigid structural lines, recognizing that the original model was too often implemented mechanistically.

For governance practice questions, check our FRM Part I question bank on AcadiFi.

How does the Three Lines of Defense model work in risk management?

Master Part I with our FRM Course

Related Questions

Practice Questions