
Three lines of defense and internal control

Many newly regulated firms struggle to understand the value of the three lines of defense. Who can blame them, when many well-established organisations also struggle with the concept?

Most organisations recognise that they have business objectives they strive to achieve. In pursuit of these objectives, the organisation will encounter events and circumstances that may threaten their achievement. These potential events and circumstances create risks that must be identified, analysed, reported and acted upon.

The responsibilities of each of the “lines” are:

  • First line. Own and manage risk and control (front line operations).
  • Second line. Monitor risk and control in support of management (risk and compliance functions).
  • Third line. Provide independent assurance to the board and senior management, reporting on the effectiveness of the risk and control framework (internal and external audit).

Each of the three lines plays a distinct role within the organisation’s governance framework. When each performs its role effectively, it is more likely that the organisation will be successful in achieving its overall objectives.

The first line of defense lies with the business and process owners whose activities create and/or manage the risks that can either support or prevent the achievement of an organisation’s objectives; it also includes assessing whether the organisation is taking the right risks. The first line owns the risk, and the design and execution of the organisation’s controls to respond to those risks. These may be:

  • Front line operations
  • Risk and control owners

The second line is put in place to support management by bringing expertise, process excellence, and monitoring alongside the first line to help ensure that risk and control are effectively managed. The second line of defense functions are separate from the first line of defense but are still under the control and direction of senior management and typically perform some management functions.

These could be from the following:

  • Risk Management
  • Information Security
  • Financial Control
  • Quality assurance
  • Health and safety
  • Compliance
  • Legal

The third line provides assurance to senior management and the board that the efforts of both the first and second lines are in line with the expectations of the board of directors and senior management. The third line of defense should not perform management functions; this protects its objectivity and independence. In addition, the third line has a primary reporting line to the board. As such, the third line is an assurance function, not a management function, which separates it from the second line of defense.

This will normally be:

  • Internal Audit
  • External audit (can be considered where there is no internal audit in place)

Each of the three “lines” has a distinct role within the organisation’s wider governance framework, and when each performs its assigned role effectively, the likelihood of a significant control breakdown is reduced and business objectives can be achieved.