
Risk governance and the three lines of defence.

Effective risk management requires governance structures and processes commensurate with the organisation’s context. Regardless of the organisation’s size and complexity, implementation of the three lines of defence should be the first principle of an effective risk management framework.

At each line of defence there needs to be risk governance to support and provide oversight to the risk management framework.



About the Three Lines of Defence model:

The Three Lines of Defence model has become a standard model in managing uncertainty and mitigating downside risks.

  1. The first line consists of the organisation's frontline staff. They are charged with understanding their roles and responsibilities and carrying them out correctly and completely;

  2. The second line is the oversight function(s) made up of risk management and compliance management. These functions set and monitor adherence to policies, define work practices and oversee the first line with regard to risk and compliance; and

  3. The third and final line of defence consists of the internal and external auditors and the board or governing body. Internal and external auditors regularly review the first and second lines, including the oversight functions, to ensure that they are carrying out their tasks to the required level. The board receives reports from audit, oversight and the business, and acts on any items of concern from any party; it also ensures that the three lines of defence are operating effectively and according to best practice.

Where does risk governance fit into the Three Lines of Defence model?

Line management is the first line of defence of the risk governance framework. It must be empowered with the responsibility and accountability to effectively plan, build, run and monitor the day-to-day risk environment, with appropriate assistance from the risk management and compliance management functions. Line management provides direction regarding risk treatment for those risks that are outside the organisation's risk tolerance.

Line management also has the responsibility to identify and assess risks and to ensure that the control activities that treat risk are enforced and monitored for compliance. The information that line management should report to the risk management and compliance management functions to enable them to achieve this objective includes:

  • Risk heat map
  • Key risk issues, planned mitigation actions and owners
  • Status of existing mitigation actions to mitigate risk
  • Key risk indicators (red or amber)
  • Incidents and near misses (including historical/trend analysis and statistics, status of mitigation actions and lessons learned)
  • Outstanding internal/external audit items that are past their action due date.

The second line of defence is the organisation’s risk management and compliance management function(s) that provide independent oversight of the risk management activities of the first line of defence. They may have their own management and governance committees that are part of the enterprise risk management framework, or they may have direct reporting lines into appropriate ERM framework structures.

Depending upon the size and complexity of the enterprise and its business, there may be a management risk committee which serves as the second line of risk governance. The management risk committee should ideally have terms of reference which clearly define its role, mandate and authority to manage the risk environment.

The internal and external auditors regularly review the first and second line of defence activities and results, including the risk governance functions involved, to ensure that the risk management arrangements and structures are appropriate and are discharging their roles and responsibilities completely and accurately.

The results of these independent reviews need to be effectively communicated to executive management and, more importantly, to the board to ensure that appropriate action is taken to maintain and enhance the risk management framework.

The body with the highest level of risk governance is the board, often with oversight authority delegated to the board audit and risk committee, which is charged with representing the enterprise’s stakeholders in respect of risk issues. The board has the responsibility and accountability for reviewing and approving the overall risk management strategy, including determining the organisation’s risk appetite. The board also provides effective oversight of the organisation’s risk profile and should ensure that the organisation’s executive management is effectively governing and managing the organisation’s risk environment.

The audit and risk committee should have a charter that clearly sets out its role, responsibilities and accountabilities in providing risk governance to effectively discharge the requirements delegated by the board.

The critical issue facing the audit and risk committee (and often the board itself) is risk information. Too often, there is too much information (i.e., risk noise), which overwhelms them. The board needs to know the critical risk issues that require their attention. The audit and risk committee needs to state clearly what risk information it requires, and the format and timing of such information.

The following diagram illustrates the Three Lines of Defence concept and corresponding risk governance:

[Diagram: the Three Lines of Defence and corresponding risk governance]

Governance refers to the actions, processes, traditions and structures by which authority is exercised and decisions are taken and implemented. Risk governance applies the principles of good governance to the identification, assessment, management and communication of risks.

Conclusions and next steps

For many organisations, setting up a risk governance structure and supporting ERM arrangements is relatively simple. The real challenge is ensuring that the expectations and perceptions of risk governance, risk management and the board are aligned, and that risk-related information is effectively and consistently obtained, analysed and used.

To find out more about transforming your organisation's risk management and risk governance structure, you can download and read our free Enterprise Risk Management: What does it mean to manage risk effectively in the enterprise? eBook:



This article was originally published in November 2014.  

About the author

For over 20 years, Protecht has redefined the way people think about risk management with the most complete, cutting-edge and cost-effective solutions. We help companies increase performance and achieve strategic objectives through better understanding, monitoring and management of risk.