The Three Lines of Defence is the standard governance model in regulated financial services for organising risk management and internal control. It divides responsibilities across three distinct functions so that risk is owned, overseen and independently assessed, rather than managed solely by those who take it.
The three lines
First line: business functions. The front line of the business: product, sales, operations, trading, lending, and other revenue-generating and operational functions. The first line is responsible for identifying, assessing and managing risk as part of day-to-day activity. It owns the risk in the sense that the people running the business are the ones taking it on, and they are accountable for managing it within the firm’s risk appetite.
Second line: risk management and compliance. The risk management function and the compliance function operate as the second line. They set the firm’s risk framework, policies and limits; monitor compliance with those limits; challenge the first line when risks are being taken outside appetite; and provide oversight and reporting to senior management and the board. The compliance function within SM&CR typically holds Prescribed Responsibilities for the firm’s compliance framework.
Third line: internal audit. Internal audit provides independent assurance, to the board and the audit committee, that the first and second lines are functioning as intended. Unlike the second line, internal audit has no day-to-day role in managing or overseeing risk: its independence from those functions is what gives its assurance value. The Chief Internal Auditor typically holds an SMF function at larger firms.
Three Lines of Defence and SM&CR
The model maps directly to SM&CR’s accountability structure. Prescribed Responsibilities for the compliance function, the risk management function, and internal audit are typically held by Senior Managers in the corresponding lines. Where a Senior Manager’s Statement of Responsibilities covers a second-line function, the FCA will assess whether that individual took reasonable steps to ensure effective oversight of the first line.
Training in the Three Lines of Defence model is a standard component of SM&CR senior manager induction and governance training programmes. For the compliance training programme more broadly, see our guide to building a compliance training plan.