The Three Lines of Defense Framework is a risk governance model that assigns responsibility for managing risk across an organization. The First Line of Defense is operational management: the business lines and units that own the risks and the day-to-day controls over them. The Second Line of Defense consists of the control and oversight functions, such as Risk Management, Compliance, and Information Security, that set policy, monitor the first line, and challenge it so that risks are appropriately identified and mitigated. The Third Line of Defense is Internal Audit, which is independent of management and provides assurance to senior management and the Board that the first two lines are managing risk effectively. In a security programme, for example, the engineering teams that build and run a service are the first line, the security and risk functions that set standards and review their work are the second, and the internal auditors who independently test both are the third.
The Three Lines of Defense Framework was popularized by The Institute of Internal Auditors (IIA) in its 2013 position paper, The Three Lines of Defense in Effective Risk Management and Control, and was updated by the IIA in 2020 as the Three Lines Model, which drops the purely defensive framing and gives more weight to the governing body's role. It is commonly applied alongside COSO's Enterprise Risk Management–Integrated Framework (published in 2004 and updated in 2017), and COSO and the IIA published joint guidance in 2015 on leveraging COSO across the three lines.
The framework provides a structure for understanding an organization’s risk governance practices and can be used to assess an organization’s current state and identify opportunities for improvement. It can also be used as a common language for dialogue between the three lines of defense and other stakeholders.
The Three Lines of Defense Framework is not intended to prescribe specific roles and responsibilities but rather to provide guidance on how the three lines of defense can work together effectively to manage risk.
The Three Lines of Defense Framework is a widely accepted tool for managing risk across organizations. If you work in Internal Audit, Risk Management, or Compliance, it’s important to be familiar with the framework and how it can be used to assess and improve your organization’s risk management practices.