Are 3 lines of defense useful?

(extract from the Guide to effective risk management 3.0; read the full book for free)

The risk governance model depends on the management and shareholders’ expectations as well as on the risk manager’s competencies and on the resources available for risk management implementation.

The risk governance model can be built based on the classical concept of three lines of defence:

  • The 1st line of defence – Business units: executives, business department management and employees. As part of their daily duties, they are responsible for the timely identification, assessment, management, monitoring and reporting of risks. Senior management and the Board of Directors determine the risk management strategy, approve the risk appetite and monitor how major risks are managed.
  • The 2nd line of defence – The risk management function and other support functions (such as safety and quality, finance, insurance, etc.) act as internal business consultants and are responsible for developing the risk management methodology, awareness and training, and methodological support. Sometimes the risk management team also performs a quality control function and aggregates information about the risks.
  • The 3rd line of defence – Internal audit: independent bodies, such as internal audit, provide independent assurance that risk management is carried out in line with internal policies and procedures, and that key corporate risks are actually being managed.

While commonly accepted and simple in theory, the three lines of defence model is overly idealistic and doesn’t work well in non-financial services. Risk managers may want to consider an alternative risk governance structure where:

  • The risk management function is the centre of competence for all risk analysis and is responsible for an independent, timely and quantitative risk analysis for the decisions proposed by management. This model takes certain responsibilities from the traditional first line of defence, giving the risk managers greater responsibility and ownership over the risk analysis. This allows the risk manager to be directly involved in the process of decision making and to assume the responsibility for the outcomes on par with other executives.
  • In certain cases, the risk manager may have the mandate to block excessively risky transactions or projects that do not meet the strategic goals of the company.

Based on the experience of the authors, the second option is much more effective. Nassim Taleb calls it having ‘skin in the game’. To him, this is the only way to manage risks. We agree.
