Skip to content
a computer circuit board

The Three Lines of Defense Model for Public Company Risk Management

Published
Jun 18, 2024
By
Brian Hardenberg
Martin West
Topics
Share

Public companies operate in a global, highly regulated, always changing, and volatile environment. Stakeholders are diverse and include employees, customers, suppliers, and shareholders who may have differing values, morals, and views. Effective governance and risk management strategy are invaluable in navigating this complex risk ecosystem to achieve company objectives.  

Exploring the Three Lines of Defense Model   

The Three Lines of Defense Model has been used for over 20 years and is considered the risk management framework standard. Numerous companies have adopted this model due to its simple yet comprehensive nature, which makes it easily understood and can assist with facilitating effective governance and risk management. 

Three Lines of Defense Model
Comprehensive Breakdown of Defense Lines 

The Three Lines of Defense Model consists of four key groups that have specific roles and responsibilities so that public organizations can identify, manage, and mitigate risk with appropriate governance and oversight.  

The Governing Body 

This group is accountable to stakeholders for organizational oversight. For public companies, this is the board of directors (BoD). Public companies tend to be large with diverse departments and business lines, thus BoDs will delegate oversight responsibility to sub-committees to ensure appropriate oversight granularity. These committees can include compliance, compensation, strategy, and so forth. The sub-committees assist with organizational governance because they report to the BoD for ultimate oversight responsibility. The governing body should promote integrity, leadership, and transparency throughout the organization. Other roles include, but are not limited to, setting organizational risk appetite and promoting ethical behavior.   

Management 

Management is responsible for taking action to achieve organizational objectives, including managing risk. To manage these activities with appropriate governance, the Three Lines of Defense Model breaks down management into two different lines of defense each with different roles and responsibilities. 

First Line of Defense 

The First Line of Defense is responsible for conducting actions to achieve company goals and objectives. These include departments such as sales, marketing, and operations. They set processes and internal controls to manage operations and risk. They own and manage risk in accordance with the risk appetite set by the governing body. Management has ownership of the internal control measures and is responsible for ensuring they are operating at a level that mitigates risk to an acceptable level.  

Second Line of Defense 

The Second Line of Defense contains oversight functions that provide expertise, support, and monitoring first-line actions to ensure they are operating within company risk appetite and organizational policy. The second line is responsible for effectively challenging the first line on risk-related matters to verify they have considered possible outcomes and risk-rated activities and are operating within organizational policies. Second line departments include, but are not limited to, compliance, operational risk management, and credit administration.    

Internal Audit 

Internal audit provides independent and objective assurance for the company's risk and controls. This includes management and assessment over governance, risk management, internal controls, financial reporting, operational efficiency, and compliance with regulations.  

Third Line of Defense 

The first two lines report directly to senior management, while internal audit reports to both senior management and the BoD. The chief audit executive should report administratively to the organization's chief executive officer and functionally to the audit committee.  

External Assurance Providers 

External assurance providers, such as external audit and regulatory bodies (e.g., SEC, Office of the Comptroller of the Currency, and Federal Reserve Bank), coordinate external oversight to verify organizations are complying with regulations and adhering to governance requirements.  

Strategic Implementation of the Defense Model 

For the Three Lines of Defense Model to be most effective, the three lines must be accountable and aligned with proper delegation and reporting capabilities. The governing body sets the organization's objective and risk appetite, which is delegated to management for implementation.  

Management’s first line of defense implements products, services, processes, and controls to achieve the organization’s objective. Management’s second line of defense challenges the first line to verify actions are appropriate and monitors activities to verify compliance with regulations and adherence to company policy. Both lines provide reports to the governing body for oversight.  

Internal audit, as the third line of defense, provides independent and objective assurance of management activity and challenges the business for continuous process and control improvements. The third line provides audit reports to senior management and the governing bodies.   

The Three Lines of Defense Model has been proven to effectively measure, manage, and monitor risks. Public companies should adapt and align the principles and structure to their specific organizations as each differ in reporting committees, business lines, and roles. During implementation, senior management may realize additional committees or departments may be required to fill each aspect of the model. The most critical aspect of the three lines of defense is each line effectively challenging the others in risk management activities, which allows for communication, collaboration, and coordination so that the organization can effectively meet its objectives set by the governance committee. 

 

 

What's on Your Mind?

a man in a suit smiling

Brian Hardenberg

View Profile
Thomas Vitale in a suit

Martin West

View Profile

Start a conversation with the team

Explore More Insights

a group of people walking in a city
Article

SEC Cybersecurity Incident Disclosures for Publicly Listed Technology and Life Sciences Companies

  • Public Companies
  • Technology
Read More
Video

Private Fund Adviser Rules: Best Practices Part 1 - Fairness or Valuation Opinions in Adviser-Led Secondaries

Read More
close-up of hands on a keyboard
Article

Recent Executive Order Looks to Protect Americans' Sensitive Personal Data

Read More
Article

Information Security and Cybersecurity in Real Estate

Read More
a close-up of a person working on a calculator
Article

Agile Solutions in IT SOX Environments

  • Public Companies
  • SOX Compliance
Read More
graphical user interface
Article

SEC’s Cybersecurity Risk Management Rules for Funds and Advisers

Read More
a group of people sitting around a table
Article

Efficiency Boost: How to Optimize Your SOX Program

  • Public Companies
  • SOX Compliance
Read More
text
Article

The Modern Approach to Fraud Prevention and Detection

  • Public Companies
  • Fraud Awareness
Read More
Video

Part ll: SEC’s Proposed Cybersecurity Risk Management Rule for Investment Advisors and Funds: How to Comply

  • Public Companies
Read More
Video

Part 1: SEC’s Proposed Cybersecurity Risk Management Rule for Investment Advisors and Funds: What to Know

  • Public Companies
Read More
graphical user interface
Article

SEC Advertising and Marketing Risks as Part of the Marketing Rule

  • Public Companies
Read More
a gold statue on a book
Article

The SEC Adopts Amendments to the Internet Adviser Exemption

  • Public Companies
Read More
View All Insights

Receive the latest business insights, analysis, and perspectives from EisnerAmper professionals.

Subscribe