3 Lines Of Defence Risk Management Model BusinessRiskTV Risk Management and Corporate Governance

Taking More Business Roisk More Confidently More Profiably

Improve your risk management process. Mitigate risks more quickly after balanced risk assessment process. Align your risk management process with appetite for risk. The three lines of defence model should simple and clearly clarify roles and duties of those charged with deploying an effective risk management strategy to boost business performance.

  • 1st line of risk management defence is business management control. Business managers must own the business risk exposure. They can not be on every shoulder but they must maintain effective processes and systems to manage risks including internal controls and documented procedures. By providing sufficient information training and resources others can control risks adequately and effectively within BoDs appetite for risk. To this end business management must have appropriate supervisory controls and review processes in place designed to identify risk control weaknesses and inadequate processes. The 1st line of defence are responsible for implementing corrective actions to address risk assessment process and risk control deficiencies.
  • 2nd line of risk management defence is the risk management governance and compliance functions. The risk control governance and compliance GRC functions should be independent from the business management and report directly to the CEO or C-Suite member. Control functions provide independent oversight of risks including setting risk appetite and risk tolerance limits and protect against non compliance with applicable laws and regulations. Risk management governance and compliance functions need to be coordinated to reduce duplication and be assured that there are no risk control gaps.
  • 3rd line of risk management defence is independent risk assurance or internal audit reporting to the Audit Committee of the Board of Directors. This line of defence should evaluate the overall effectiveness of governance risk management and the compliance environment including the assessment of how the first and second lines of defence meet their objectives. Internal Audit report direct to senior management and BoD. The Internal Audit report should cover including efficiency and effectiveness of operations safeguarding of assets reliability and integrity of reporting processes regulatory and policy and procedure compliance. In addition the report should cover a review of the risk management framework risk assessment process adherence to business risk management principles and risk culture management information quality and risk reporting and monitoring. Establishing a professional internal audit activity should be a governance requirement for all organisations to ensure the effectiveness of governance and risk management processes

Each line of defence should be supported by appropriate policies and role definitions. There should be coordination and cooperation among the separate lines of defence to be more efficient avoid gaps. However lines of defence should not be combined or coordinated in a manner that compromises their effectiveness.

Set appropriate risk management governance framework and risk appetite principles within clear and transparent risk assessment process to improve business performance more sustainably.

Risk Management and Risk Control

Management must create develop monitor and review risk management governance and compliance framework policies procedures and controls for the management of all risks to protect customers and all stakeholders.

The risk management governance framework in financial services normally operates along three lines of defence.

The Board of Directors BoD is responsible for determining the risk principles risk appetite and risk tolerance of the business.

Senior management and the BoD are responsible and accountable for setting the organisations business objectives defining risk management strategy to achieve those objectives and establishing governance structures and processes to best manage the risks in accomplishing those objectives. The Three Lines of Defence model needs senior management and BoD buy in to work well.

The Board is supported by the Risk Committee which monitors and oversees the business risk profile and the implementation of the risk framework as approved by the BoD as well as review the risk management process.

Significant risks should be escalated and deescalated to the BoD and Risk Committee in accordance with the risk management framework policy and procedures.

Risk Appetite Framework

Business risk appetite is defined as the single or aggregate level of risk the business is willing to accept to achieve business objectives.

Each business could have a different risk appetite depending on the BoD at the helm of the business. Their leadership is crucial to make risk management work well.

A range of risk management tools can be used to qualify and quantify risk appetite. The resulting risk appetite statement should then be embedded within the normal business decision making process. The risk appetite statement is fundamental to the success of risk management and will form the basis of the risk culture of the business.

Quantitative and qualitative risk appetite tools must tackle the risk tolerance and resilience to potential severe adverse economic or geopolitical events. These risk limits and targets must cover the business capital solvency earnings potential liquidity and funding and be subject to periodic review as part of the normal business planning process.

All types of risk need to be covered including political economic social technological legal organisational and economic environment risks.


Potential risk events events that exceed predetermined risk tolerances must be escalated to the respective business risk owners as appropriate.

Key Risk Indicators KRIs and Key Controls Indicators KCIs linked to risk appetite will aid the management of risk over time and raise concern when breached.

The above measures will help all levels of the organisation understand the business risk profile and performance better.

  • Protect financial sustainability. Protecting financial strength
    by controlling risk exposure and avoid potential risk aggregation or concentrations
  • Protect brand and reputation. Protect business reputation through appropriate holistic integrated risk management culture to boost business performance and sustainable success.
  • Business management must be clearly individually accountable and take ownership of key significant risks impacting on business objectives.
  • 2nd line defence of risk control governance and compliance functions must be independent to effectively monitor the effectiveness of the businesses risk management and oversee risk taking activities.
  • Risk reporting and business risk management transparency. Rising risk or failure of risk control measures must be reported and acted upon quickly before major risk event materialises.

Find out more about risk management news headlines opinions and reviews.

Helping connect business leaders online

Finding the latest best risk management practices can be time consuming or unfruitful. We make it easier.

Searching for what you need to inform your business decision making is free. Come back often to find the best business practices. Pick up the latest business risk management news headlines opinions debate and business reviews.

Business leaders do not always have the marketing budget to promote their business. We provide a range of online marketing options for businesses to fit most budgets so you can promote your business products or services for longer.

Become 3 Lines Of Defence Risk Management Model sole sponsor for 12 month

Paypal is an independent third party payment system provider. We will never see your full payment details. Pay with your credit or debit card and be protected by Paypals secure systems.

Sponsor 3 Lines Of Defence Risk Management Model for 12 months

Name of your business

When Paypal tell us your sponsorship fee has cleared to our account we will

  1. Email you to get your logo or image an link it to your business website
  2. We will also ask for more information about your business to create a business review to promote your business
  3. We will include all your preferred contact details to make it easy for new potential customers to buy from you instead of your competitors

Alternatively CLICK HERE to find other ways of promoting your business more cost effectively.

Recommended articles and videos

Financial Services Industry Risks Forum
Asset Management Regulatory Requirements UK
Changing the way individuals are regulated
Business Networking
Practical Business Risk Management Meeting Place
Business Breaking News
Risk AcademyOnline Marketplaces
Online ExhibitionsEnterprise Risk Management Magazine
Follow us @HolisticRiskMgt for updates and highlights on BusinessRiskTV

BusinessRiskTV Risk Management and Corporate Governance