The three lines of defence model and third-party risk management
The ‘three lines of defence’ model is widely recognised in the audit world as an effective framework for risk management and internal control. It delineates the roles and responsibilities of different groups within an organisation so that risks are owned, overseen and independently assured by separate people, giving a robust system of checks and balances.
The model is typically used to manage various types of risk, including operational, financial and compliance risk. Here is a brief overview of the three lines of defence the model refers to, and how the model applies to third-party risk management (TPRM).
The three lines of defence
First line of defence – Operational management
Responsibility: The first line of defence is the operational management and staff responsible for executing day-to-day activities and managing the inherent risks to their operations.
Role: They identify, assess, and manage risks, implement controls, and ensure compliance with policies and procedures relevant to their areas of responsibility.
Second line of defence – Risk management and compliance functions
Responsibility: The second line of defence includes risk management, compliance, and control functions that oversee and support the first line.
Role: They develop risk management frameworks, policies, and procedures; provide guidance and oversight; monitor compliance; and report on risk exposures and control effectiveness.
Third line of defence – Internal audit
Responsibility: The third line is the internal audit function, which operates independently of the first and second lines of defence.
Role: It provides independent assurance on the effectiveness of governance, risk management, and internal control processes; evaluates the adequacy and effectiveness of risk management practices; and recommends improvements.
The three lines and TPRM
First line of defence – Operational management
Responsibility: The operational management responsible for engaging and managing third-party relationships.
Role in TPRM: This team identifies and assesses third-party risks, conducts due diligence, negotiates contracts, sets performance expectations, monitors performance, and manages day-to-day interactions with third parties.
Key activities: Establishing clear criteria for selecting and onboarding third parties, defining roles and responsibilities, monitoring third-party performance and compliance, and managing issues and escalations.
Second line of defence – Risk management and compliance functions
Responsibility: Risk management, compliance, and control functions overseeing TPRM activities.
Role in TPRM: This team develops TPRM frameworks, policies, and procedures; provides guidance and oversight to ensure consistency and alignment with organisational risk appetite and regulatory requirements; and monitors adherence to those TPRM practices across the first line.
Key activities: Establishing risk assessment methodologies, defining risk appetite and tolerance levels, conducting periodic risk assessments of third-party relationships, and monitoring compliance with contractual and regulatory requirements.
Third line of defence – Internal audit
Responsibility: The internal audit function providing independent assurance on TPRM practices.
Role in TPRM: This team assesses the adequacy and effectiveness of the organisation’s TPRM framework, policies, and practices; evaluates compliance with internal policies, contractual obligations, and regulatory requirements; and identifies areas for improvement.
Key activities: Conducting independent audits and reviews of TPRM processes and controls, evaluating the effectiveness of due diligence and monitoring activities, and recommending enhancements to TPRM practices.
A three-fold approach to building resilience
The three lines of defence model applies directly to TPRM: delineating roles and responsibilities across the organisation gives a comprehensive and coordinated approach to identifying, assessing, managing and monitoring third-party risks, and keeps the team that runs a third-party relationship separate from the team that sets the rules for it and from the function that independently assures it.
By drawing on the strengths and capabilities of each line of defence, and fostering collaboration and communication among the teams and individuals responsible for them, organisations can manage third-party risks more effectively, mitigate potential exposures, and safeguard their reputation, financial stability and regulatory compliance.
A structured, integrated approach to TPRM that follows the principles of the three lines of defence model helps organisations build resilience, strengthen stakeholder trust and sustain performance in an increasingly complex and interconnected business environment.