Implementing a ‘three lines of defence’ approach to risk management

Practical advice on how to implement a three lines of defence approach to risk management.

Managing risk within the business is a challenging and necessary activity. But when it’s conducted intelligently, it’s also a great way to add value to businesses, departments and projects. The first step is to recognise the need for better risk management and to get people across all departments to collaborate.

Businesses need to take an approach to risk that facilitates an internal discussion based on facts, making sure that decisions can be made on where to accept or reduce risk. A key to this is aggregating risk across the business. It’s often resource intensive, but it’s a critical part of any strategy to reduce the risk of sustaining a loss.

Three lines of defence

There are various strategies to address risk. One of the most effective is the three lines of defence approach. This strategy gives the board and senior management three clear line functions to rely on, to ensure the effectiveness of the organisation’s risk management framework.

The first line of defence (1LOD) includes those that own the risk and control. These are the people who hold a day job within the business and would be considering risk and controls in addition to their other responsibilities.

The second line of defence (2LOD) are those which oversee or specialise in risk management and compliance. These people are dedicated to risk and control and are well trained to facilitate the implementation of effective risk management procedures. They’re also responsible for reporting and aggregating risk from the various sources up and down the business.

The third and final line of defence (3LOD) are the people that provides independent assurance. They’re normally internal auditors that report directly to the board.

>See also: 3 mega trends transforming governance, risk and compliance

Ensuring effective defence

Changing the risk culture in the 1LOD can be challenging. Managers don’t want to burden their staff with these ‘bureaucratic compliance activities’, so they reach out to the 2LOD. This often leads to the 2LOD thinking the first line need help, when it’s actually the managers’ way of freeing up their staff to get on with business.

While there’s no magic solution for organisations, based on my experience with Governance, Risk and Compliance (GRC) implementations, there are some common factors for success.

The common factors for success


It’s critical that the executive level sets the tone for a risk-ready culture, with the leadership teams delivering their message on risk clearly and consistently. Risk must be incorporated into any strategic planning to provide the first line with an idea of how risk aligns with the corporate objectives.


Second, it’s essential that ‘groups’ don’t own risk related initiatives. Instead, organisations should assign tasks to the individual so someone will always be held accountable. To make progress, you should define clear boundaries and make sure the correct people are performing the right procedures. The first line should always be the decision makers.

Training and mentoring

A further success factor is in the training and mentoring of employees. This goes beyond training people on spreadsheets. It’s about providing the relevant training for the risk methodology, irrespective of the technology at hand.

The first line should understand what they’re being asked to do, and what they’re being empowered to do. It’s also essential that the 1LOD are provided access to 2LOD mentors that will help them deploy the training and provide direction.

People, process, technology

Once the training has been covered, it’s time to implement the methodology. You need the right people working on the right processes, which can then be accelerated with the right technology. Leave out the technology until you have the people and processes in place, or you might end up with a failed project.

Define risk appetite

As with all risk methodologies, when using the three lines of defence approach, organisations must define which risks can be taken and which must be avoided. Everyone involved should clearly understand the framework around how risks are measured, assessed and monitored. This should also be communicated clearly to all three lines.

Avoid the cookie cutter

Avoid the easy option of rolling out ‘cookie cutter’ risk libraries for your departments to leverage. Yes, it sometimes works. But more often it fails, especially when it’s used to try and shortcut training. Often, 1LOD users rely too heavily on the content and the exercise becomes simply box ticking.

Ensure ease of use

Finally, organisations should stop using spreadsheets. They’re often built out by people in the business who have no software development experience or understanding of user experience and user interface design.

At over 40-years-old, this software product is often built out by people in the business who have no software development experience or understanding of user experience and user interface design. There are many GRC technology tools which are built specifically for the task. Each have their strengths and weaknesses, but they’re all superior to Excel.

Reducing risk

By following these steps when adopting the three lines of defence approach, organisations will be able to better manage risk across the business. There will be a rich set of risk and control information based upon good and well thought out opinion from those closest to the business. This rich set of information informs decision making and leads better use of the business assets across the organisation with less exposure to uncertainty.

>See also: The governance, risk and compliance landscape is changing

Sourced by Alex Hollis, GRC Solutions Director at SureCloud.

Kayleigh Bateman

Kayleigh Bateman was the Editor of Information Age in 2018. She joined Vitesse Media from WeAreTheCIty where she was the Head of Digital Content and Business Development. During her time at WeAreTheCity...

Related Topics

Risk Management