Three Lines of Defense

The Three Lines of Defense is a model for managing risk and internal controls within an organization. The first line, operational management, directly manages risk through day-to-day activities and controls. The second line, risk management and compliance functions, oversee and monitor risk practices, providing guidance and support. The third line, internal audit, independently evaluates the effectiveness of both the first and second lines’ controls. Together, these layers create a comprehensive system to identify, manage, and assure risks are properly controlled, helping the organization operate safely and effectively.