Three Lines of Defense
A model that separates an organization's risk management and control functions into three distinct lines of defense to ensure effective oversight and governance.
The Three Lines of Defense model is a governance framework that divides the responsibilities for managing risk into three separate groups, each with increasing independence from the activities it oversees:
1. The first line is operational management: the business units and their managers, who own the risks of their processes and perform day-to-day risk management and control activities.
2. The second line consists of the risk management and compliance functions (and, where present, information security and quality functions), which set policy, monitor the first line's controls, and report to executive management on how effectively risk is being managed.
3. The third line is internal audit, which is organizationally independent of management and provides objective assurance to the board and its audit committee on the effectiveness of governance, risk management, and controls across the first two lines.
External audit, regulators, and other outside assurance providers sit outside the three lines; they give the board and external stakeholders an independent view but are not part of the organization's own control structure.
Related Terms
Internal Audit
An independent, objective assurance and consulting activity designed to add value and improve an organization's operations by evaluating and improving the effectiveness of risk management, control, and governance processes.
External Audit
An independent examination of an organization's financial statements, operations, and compliance with laws and regulations conducted by an external auditor.