The Three Lines of Defence

6 minute read  10.02.2025 Nicole Salimbeni

The Three Lines of Defence – Is this an effective model for managing risks within large organisations?

The Three Lines of Defence (3LOD) model is a framework for managing risk within an organisation. It is a widely used model across many industries and worldwide.

The model is adopted as expected practice by regulators throughout the world as a way of ensuring that organisations identify and manage risks, have a structured approach to risk management and internal governance, and maintain a culture which ensures that risks are managed effectively.

In Australia, however, and in various countries around the world, many organisations continue to experience risk management failures. Examples include the mis-sale of products, the misuse of customer data and the non-compliant design of products. Large remediation programs or product recalls remedy the impact of these issues, but all of this is costly and impacts the customer experience. With organisations spending so much money on the implementation of 3LOD models, why do things keep going wrong?

Let us explore each element of the model including where things can work well and where the implementation of the model can result in limitations to its effectiveness.

The first line of defence

Effective management of risk starts with business unit/line management. That is, business unit management has the primary responsibility for the ownership and management of the risks associated with day-to-day operational activities. To do this effectively, Management needs to identify their risks and design and implement controls to manage these risks. People within the business unit teams are responsible for the operation of these controls.

When this is done well, and Management understands the risks and the operational controls, the first line of defence is deemed to be working.

However, things often go wrong in the first line at the risk identification stage, and specifically at the identification of regulatory risk. Regulatory risk is extraordinarily complex. Governments and regulators all over the world are extremely focused on ensuring that organisations do the right thing, and consequently there are many laws, rules and regulations which govern the way that organisations operate. These can often be incredibly detailed and hard to understand, and while it is common practice to "risk accept" non-compliance with these obligations, this is fraught with the potential to cause large risk issues.

It follows that if risks are not appropriately identified then any control environment will struggle to be effective. It is impossible to implement controls to manage risks if the risks have not been properly identified and while a "great" risk culture, including the desire to "do right by the customer" can help, it is not foolproof. The larger and more complex the organisation the harder this gets as the rules and regulations are more complex, as is the general operating environment (i.e. the systems, the people, the interdependencies with other parts of the organisation).

The second line of defence

The second line of defence involves the risk management and compliance functions. The second line function is responsible for the identification of emerging risks in the operation of the business. It does this by providing frameworks, policies, tools, and techniques to support risk and compliance management. It also plays a role in the monitoring of adherence.

While it is important that everyone within an organisation is responsible for and plays a significant role in the management of risk, arguably, an effective second line function can be the key to the successful management of risk within the organisation.

Effective second line functions are characterised by people who understand the business, the business’ objectives, the processes within a business as well as the varying risks and compliance obligations the business faces. They can effectively assess if the processes to manage the risks are the right ones. These risk managers can advise the business, helping it understand the drivers of their risks and obligations and how their key operational processes manage risks. They can balance the ability to support the business to achieve their objectives while maintaining their independence, but importantly do not use independence as an excuse for a lack of support. These functions need to be the right size – too small and they are stretched too thin to perform their function effectively, too large and they trip over each other and the business, often impacting productivity in a desire to "do their job" by implementing processes that are not important in the overall management of risk.

There is no specific "risk" degree in Australia and many risk managers have learnt "on the job" which can mean that there is a large variability in the qualifications and performance of the risk and compliance functions within organisations. That said, an effective second line function can make all the difference, and an ongoing assessment of their performance can support this.

The third line of defence

The third line function is responsible for the provision of independent assurance. They are responsible for the assessment of whether the first- and second-line functions are operating effectively. They play a significant role in informing the Board and Risk/Audit Committee as to the ongoing effectiveness of risk management within the organisation.

Typically, the third line function is performed by Internal Audit. In larger, more complex organisations this is often an "in house" function, while in smaller, less complex organisations it may be outsourced. Regardless of the model, the ability of Internal Audit to perform its role effectively has been challenged in recent years. An effective third line needs to understand the deep technical nature of the risks the business faces and couple this with the skills and knowledge to assess the effectiveness of the control environment. Internal Audit needs to cover the entirety of the risks facing the business. This is broad even in smaller and less complex organisations, covering all the varying regulatory and compliance risks through to cyber and technology and everything in between. Having all the requisite skills and capabilities to cover these areas and to assess the operation of the varying controls to the level of detail required can be challenging. When this does happen, though, it enables the organisation to quickly address any issues and gaps, and the way in which an organisation responds to these is an important indicator of its risk culture.

The Three Lines of Defence continues to be widely regarded by regulators, industry bodies, policy makers and the like as the preeminent model for risk management. That said, its effectiveness depends on how the model is implemented. In assessing the implementation of the model within their own organisation, Boards and Management should be asking themselves:

  • Are all risks, including compliance obligations, identified to the right level within my organisation?
  • Are there appropriate controls in place to manage these risks and obligations?
  • Do I have the right risk function in place? Do my risk professionals have the right skills and capabilities to enable the business, is the function the right size, and how is its effectiveness being assessed?
  • Do I have access to a top-class internal audit capability with the requisite skills and capabilities to assess the entire spectrum of risks and controls within my organisation?
  • Does my organisation respect the views of Internal Audit and respond to them with the appropriate urgency?

https://www.minterellison.com/articles/the-three-lines-of-defence