What is a three lines of defence strategy in risk & compliance?

26 February, 2024

The three lines of defence strategy is a risk management framework that is used to help organisations identify, assess and mitigate risks. The framework is based on the principle of segregation of duties, which means that different people or groups of people are responsible for different aspects of risk management.

What are the three lines of defence? 

The three lines of defence framework is designed to provide a comprehensive approach to risk management. By separating the ownership of risk, the oversight of risk and independent assurance across different people or groups, the organisation reduces the chance that an error or omission in one line goes unnoticed by the others. The framework also helps to ensure that risks are identified and managed in a timely and effective manner.

First line: Management 

The first line of defence is the business units themselves. The business units are responsible for identifying and managing the risks that they face in their day-to-day operations. This includes things like employee training and security policies and procedures. 

Second line: Risk management & compliance  

The second line of defence is the risk management function. The risk management function is responsible for providing oversight and support to the business units in their risk management activities. This includes things like monitoring and reporting on risk and ensuring policies laid out in line one are fit for purpose. 

Third line: Internal audit 

The third line of defence is the internal audit function. The internal audit function is responsible for providing independent assurance that the organisation's risk management framework is effective. This includes things like testing the effectiveness of risk controls and issuing audit reports.

What are the benefits of a three lines of defence infrastructure?

Establishing an effective three lines of defence framework can contribute to:

•    improving the overall risk management maturity of the organisation;
•    reducing the risk of errors and omissions;
•    ensuring that risks are identified and managed in a timely and effective manner;
•    improving the efficiency and effectiveness of the organisation's risk management function.

What is the FCA’s stance on three lines of defence?

Sheree Howard, Executive Director of Risk and Compliance Oversight at the Financial Conduct Authority (FCA), used a recent speech to warn businesses against prioritising “short-term commercial interests over regulatory obligations”.

She reiterated the need for three lines of defence in risk and compliance, adding that a “separate but cohesive” approach was vital for robust risk management in a difficult economic climate. In difficult times, sound risk management protects profitability. Investors, partners, and customers see robust compliance processes as a positive point of difference.

Key takeaways 

The three lines of defence framework is a valuable tool for organisations that are looking to improve their risk management practices. By implementing the framework, organisations can reduce the likelihood and impact of negative events, improve their overall resilience, and protect their assets. It is worth noting, however, that the three lines of defence framework is not a one-size-fits-all solution: the specific roles and responsibilities of each line will vary depending on the size and complexity of the organisation. The basic principles of the framework nonetheless apply to all organisations.

How can Ocorian help in establishing a three lines of defence infrastructure?

Newgate Compliance Limited (UK and Channel Islands) is Ocorian’s independent risk and compliance subsidiary. We help businesses create robust frontline processes and procedures (line one), and work with you to create a comprehensive oversight function (line two). As businesses grow, we can advise on the level of oversight needed to demonstrate a risk-based approach to local and global regulators. We also carry out audits of clients’ risk and compliance functions (line three) across a variety of areas. We have been supporting firms globally for over ten years, whether it is the first, second or third line of defence they need assistance with.

Learn more about three lines of defence in practice 

In January 2024, Ocorian and Newgate Compliance commissioned an independent survey on the three lines of defence in risk and compliance strategies. Our research findings have been compiled into a three-part report, examining the integration of these strategies into anti-money laundering (AML), compliance, and governance infrastructure, exploring the hows and whys.