What is the Three Lines of Defense model and how does it structure risk governance at a bank?

Question

AcadiFi · Accepted Answer

The Three Lines of Defense (3LoD) model is the foundational risk governance framework tested on FRM Part I. It establishes clear accountability for risk-taking, risk oversight, and independent assurance. Here is how each line operates and how they connect.

**First Line: Business Units (Risk Owners)**
These are the revenue-generating front-office teams — lending officers, traders, relationship managers. They own the risks they create. At Greystone National Bank, the commercial lending division originates $2.3 billion in corporate loans annually. Each loan officer must assess credit quality, apply internal risk ratings, and ensure exposures stay within approved limits. The first line also includes operational staff who execute transactions and manage day-to-day controls.

**Second Line: Risk Management & Compliance (Risk Oversight)**
This line sets policies, defines risk appetite, builds models, and monitors first-line activities. The Chief Risk Officer (CRO) at Greystone oversees a team of 45 risk analysts who independently validate credit ratings, run portfolio stress tests, and report concentrations to the board risk committee. Compliance officers ensure regulatory requirements (Basel III, Dodd-Frank) are met. Critically, the second line does not take risk — it challenges and oversees those who do.

**Third Line: Internal Audit (Independent Assurance)**
Internal audit provides independent, objective assurance that both the first and second lines are functioning as designed. The audit team at Greystone reports directly to the board audit committee — not to the CEO or CRO — to preserve independence. They test whether risk models are validated, limits are enforced, and policies are followed. If the second line's VaR model understates tail risk, internal audit should detect and escalate the finding.

**How Information Flows:**
1. The board defines risk appetite (e.g., maximum 15% of Tier 1 capital in commercial real estate)
2. The second line translates appetite into specific limits and monitors compliance
3. The first line operates within those limits and escalates breaches
4. The third line independently verifies the entire chain is working

**Worked Example — Limit Breach at Greystone:**
Suppose Greystone's CRE exposure reaches $1.8 billion against a $1.5 billion limit. The first line should have flagged the breach before it occurred. The second line's monitoring dashboard should catch it in real time. If both fail, the third line's quarterly audit should detect the breach and report it to the board audit committee with a remediation recommendation.

**Common Exam Pitfalls:**
1. Confusing the second and third lines — the second line monitors continuously while the third line reviews periodically
2. Thinking the CRO controls the first line — the CRO oversees but does not manage business units
3. Forgetting that the third line must report to the board, not to management, to maintain independence

Explore our FRM Part I Foundations module for more risk governance frameworks and exam practice.

What is the Three Lines of Defense model and how does it structure risk governance at a bank?

Master Part I with our FRM Course

Related Questions

Related Articles

Practice Questions