
Effective risk management requires governance structures and processes commensurate with the organisation’s context. Regardless of the organisation’s size and complexity, implementation of the three lines of defence should be the first principle of an effective risk management framework.

At each line of defence there needs to be risk governance that supports, and provides oversight of, the risk management framework.

The three lines of defence model has become a standard model in managing uncertainty and mitigating downside risks.


In this model:

  1. The first line consists of the organisation's frontline staff. They are charged with understanding their roles and responsibilities and carrying them out correctly and completely;

  2. The second line is created by the oversight function(s) made up of risk and compliance management. These functions set and monitor adherence to policies, define work practices and oversee the first line with regard to risk and compliance; and

  3. The third and final line of defence is that of internal and external auditors and the Board or Governing Body. Internal and external auditors regularly review the first line, the second line and the oversight functions to ensure that they are carrying out their tasks to the required level. The Board receives reports from audit, oversight and the business, and will act on any items of concern from any party; it will also ensure that the three lines of defence are operating effectively and according to best practice.

But where does risk governance fit into the three lines of defence model?

Line management is the first line of defence of the risk governance framework. It must be empowered with the responsibility and accountability to effectively plan, build, run and monitor the day-to-day risk environment, with appropriate assistance from the Risk and Compliance Management functions. Line management provides direction regarding risk treatment for those risks that are outside the organisation's risk tolerance.

Line management also has the responsibility to identify and assess risks and to ensure that the control activities that treat risk are enforced and monitored for compliance. The information that line management should report to the Risk and Compliance Management function to enable it to achieve this objective includes:
  • Risk heat map
  • Key risk issues, planned mitigation actions and owners
  • Status of existing mitigation actions
  • Key risk indicators (red or amber)
  • Incidents and near misses (including historical/trend analysis and statistics, status of mitigation actions and lessons learned)
  • Outstanding internal/external audit items that are past their action due date.

The second line of defence is the organisation’s Risk and Compliance Management function(s) that provide independent oversight of the risk management activities of the first line of defence. They may have their own management and governance committees that are part of the ERM framework, or they may have direct reporting lines into appropriate ERM framework structures.

Depending upon the size and complexity of the enterprise and its business, there may be a management risk committee which serves as the second line of risk governance. The Management Risk Committee should ideally have terms of reference which clearly define its role, mandate and authority to manage the risk environment.

The internal and external auditors regularly review the first and second line of defence activities and results, including the risk governance functions involved, to ensure that the risk management arrangements and structures are appropriate and are discharging their roles and responsibilities completely and accurately.

The results of these independent reviews need to be effectively communicated to executive management and, more importantly, to the Board to ensure that appropriate action is taken to maintain and enhance the risk management framework.

The body that has the highest level of risk governance is the Board, often with delegated oversight authority to the Board Audit and Risk Committee, which is charged with representing the enterprise's stakeholders in respect of risk issues. The Board has the responsibility and accountability for reviewing and approving the overall risk management strategy, including determining the organisation's risk appetite. The Board also provides effective oversight of the organisation's risk profile and should ensure that the organisation's executive management is effectively governing and managing the organisation's risk environment.

The Board Audit and Risk Committee should have a charter that clearly sets out its role, responsibilities and accountabilities in providing risk governance to effectively discharge the requirements delegated by the Board.

The critical issue facing the Board Audit and Risk Committee (and often the Board itself) is risk information. Too often, there is too much information (i.e., risk noise), which overwhelms them. The Board needs to know the critical risk issues that require their attention. The Board Audit and Risk Committee needs to state clearly what risk information it requires, and the format and timing of such information.

The following diagram illustrates the three lines of defence concept and corresponding risk governance.

[Diagram: Risk Governance and the Three Lines of Defence]

Governance refers to the actions, processes, traditions and structures by which authority is exercised and decisions are taken and implemented. Risk governance applies the principles of good governance to the identification, assessment, management and communication of risks.

For many organisations, setting up a risk governance structure and supporting ERM arrangements is relatively simple. The real challenge is ensuring that the expectations and perceptions of management and the Board regarding risk governance are aligned, and that risk-related information is effectively and consistently obtained, analysed and used.


This article was originally published in November 2014.  
