Three Lines of Defense or TLoD model is an important part of every organization. The board of an organization works as an agent for the shareholders and is responsible for the organization’s stewardship. The board sets the risk and controls culture, approves policies, monitors the performance of management, and sets strategies for the organization. 

The board requires periodic reporting on risks, issues, incidents, and challenges faced by the organization, and such periodic reporting is made to the board by senior management. The board, through senior management, builds the lines of defense in the organization. Such lines of defense are known as the Three Lines of Defense or the TLoD model. 

TLOD model plays a crucial role in developing and maintaining the internal controls system of the organization. In the TLOD model, each line of defense plays a significant role in supporting other lines of defense to ensure that internal controls are followed and implemented at all organizational levels.

The Three Lines of Defense or TLoD Model Definition and Responsibilities

The definition and key responsibilities of each of the three lines of defense are as follows:

First Line of Defense

The businesses and functions engaged in or supporting revenue-generating activities that own and manage the risks. In other words, the first line of the defense comprises those departments and functions involved in making sales to the customers. These departments and functions work from the frontline of an organization. 

The following are the key responsibilities of the first line of defense: 

• Propose the risks required to undertake the revenue-generating activities. 
• Identity, monitor, and escalate risks and issues to Second Line and the Senior Management. 
• Manage risks within Risk Appetite. 
• Set and execute risk remediation plans. 
• Own and design processes, controls, and standards for adhering to Risk Type Frameworks and Policies set by the Second Line. 
• Validate and self-assess the compliance to Risk Type Frameworks and Policies, confirm the validation quality, and provide evidence-based affirmation to Second Line. 
• Ensure systems and processes meet risk data aggregation, risk reporting, and data quality requirements set by the Second Line. 
• Ensure that applicable laws and regulations are complied with and escalate significant regulatory non-compliance matters and developments to the Second Line and Senior Management. 
• Promote a healthy risk culture and good conduct. 

Second Line of Defense

The control functions independent of the First Line that provide oversight and challenge of risk management to provide confidence to the senior management and the board.

The following are the key responsibilities of the first line of defense: 

• Review First Line risk proposals and make decisions to approve or reject as appropriate. 
• Oversee and challenge first-line risk-taking activities. 
• Own processes for setting Risk Type Frameworks, Policies, and Standards, and monitoring compliance. 
• Own and manage processes for oversight and challenge. 
• Propose Risk Appetite to the board, monitor and report adherence to Risk Appetite. 
• Intervene to curtail business if it is not in line with existing or adjusted Risk Appetite, material non-compliance with policy requirements, or when operational controls do not effectively manage risk. 
• Ensure effective implementation of the policies and risk type frameworks and affirm the effectiveness to Risk Framework Owners. 
• Identify, monitor, and escalate risks and issues to the risk owners, senior management, and the board or the board-level committees. 
• Review risk remediation plans set by the first line to mitigate Risk Appetite issues. 
• Set risk data aggregation and quality and ensure that systems and processes meet the requirements. 
• Ensure there are controls to comply with applicable laws and regulations and escalate significant regulatory non-compliance breaches and new developments to the risk and controls owners, the management, and the board. 
• Promote a healthy risk culture and good conduct. 

Third Line of Defense

The internal audit function provides independent assurance of the effectiveness of controls that support the first line’s risk management of business activities and the processes maintained by the second line of defense. The third line of defense keeps an eye on the activities of both the first and second lines of defense, checks the internal controls, and identifies deficiencies in the internal controls structure.

The following are the key responsibilities of the third line of defense: 

• Independently assess whether management has identified the key risks in the business and whether these are reported and governed in line with the established internal controls framework. 
• Independently assess the adequacy of controls’ design and operating effectiveness. 
• Identify and reports the findings and control lapses to risk owners in different processes and sub-processes of the first and second lines of defenses.
• Propose suggestions to the management to resolve the control issues identified during the internal audit activities of different departments and functions. 
• Report the internal controls issues and significant findings to the board audit committee or BAC.

Final Thoughts

The Three Lines of Defense (TLoD) model is a vital part of organizational structure that provides a robust mechanism for risk management and internal control. With the first line responsible for managing risks in revenue-generating activities, the second line overseeing these activities, and the third line conducting independent audits to identify and rectify control deficiencies, the model is integral for achieving effective governance and maintaining compliance.

It is essential that each line functions in unison and performs its designated responsibilities in a robust manner, to assure the Board and shareholders of the organization’s sound risk management and control mechanisms. In essence, the TLoD model serves as a roadmap to better organizational governance and resilience, guiding every function towards best practices in risk and control management.