Three Lines of Defence Model
Convention and regulatory expectations are that there is a three-lines-of-defence model in financial institutions. Within those institutions the model is typically represented as follows:

The first Line of Defence (1LoD) refers to the majority of the Bank. Individuals in the 1st Line are responsible for managing the day-to-day operations of the Bank. These individuals and departments generate risk and are responsible for implementing effective mechanisms to control it.

The second Line of Defence (2LoD) contains the Risk Function. The Risk Function will perform check and challenge on the First Line, co-ordinate Bank-wide assessments and independently generate MI for stakeholders. It is usual for the 2LoD to also contain functions such as Compliance Advisory on regulatory change, Surveillance & Investigations, etc.

The third Line of Defence (3LoD) contains the internal audit function. Internal audit can be expected to provide independent assessment of the robustness of the risk management frameworks, test internal controls and conduct bespoke investigations on behalf of the Board / Non-Executive Directors.

It is important to understand that all employees have a duty to effectively manage risks. In a Bank Treasury there is sometimes a cultural resistance to employees understanding that, as a first-line function, they "own" the processes and controls used to mitigate risk to an acceptable level. For some employees, regulation such as the Individual Accountability Regime makes individuals legally accountable for the adequate management of risk.