The Three Lines of Defense Framework – What is it?

The Three Lines of Defense Framework is a model risk management system that assigns responsibility for risk across an organization. The First Line of Defense is the business line or unit responsible for managing the risk. The Second Line of Defense is the independent function, such as Internal Audit, that provides assurance to management and the Board that the risk is being managed effectively by the business. The Third Line of Defense is the control function, such as Risk Management, that provides challenge and oversight to ensure that risks are appropriately identified and mitigated.

The Three Lines of Defense Framework was first introduced by COSO in 2004 as part of its Enterprise Risk Management–Integrated Framework. COSO updated the framework in 2017 to reflect changes in how organizations operate and manage risk.

The framework provides a structure for understanding an organization’s risk governance practices and can be used to assess an organization’s current state and identify opportunities for improvement. It can also be used as a common language for dialogue between the three lines of defense and other stakeholders.

The Three Lines of Defense Framework is not intended to prescribe specific roles and responsibilities but rather to provide guidance on how the three lines of defense can work together effectively to manage risk.

The Three Lines of Defense Framework is a widely accepted tool for managing risk across organizations. If you work in Internal Audit, Risk Management, or Compliance, it’s important to be familiar with the framework and how it can be used to assess and improve your organization’s risk management practices.
