The ‘Three Lines of Defence’ within risk management

Boosting protection & efficiency across your organisation

In earlier articles of our BDO Risk Blueprint, we showed you how a strong framework, a clear risk appetite and the right taxonomies set the foundation for success. Now, you will see how your organisation can bring these elements to life through the Three Lines of Defence model. This proven approach helps you create clear accountability while ensuring comprehensive risk management across your organisation.  

The Three Lines of Defence are like your organisation's risk management sports team, where different players have distinct yet complementary roles. When these players (or departments) work together effectively, they create a robust defence that protects your organisation while also enabling growth. Read on to find out how you can make this model work for you. 

First line: business operations & risk owners

Your first line of defence consists of your business units – the teams directly managing your day-to-day operations. These are your front-line risk managers. They are closest to the action, making them ideally positioned to identify and manage risks as they emerge.

A short practical example: in a retail banking operation, your branch staff and relationship managers form part of your first line. They are the ones who might notice unusual transaction patterns or identify potential fraud risks during customer interactions.  

Their role includes: 

  • Identifying and assessing the materiality of operational risks 
  • Establishing and implementing appropriate controls 
  • Reporting issues and control gaps 
  • Monitoring and reporting on their risk profile 

The key here is proportionality – your first line should focus on material risks rather than trying to manage every minor issue. For instance, a small processing error might need simple documentation, while a potential fraud pattern requires immediate action and escalation. 

Second line: methodology & framework guardians 

While often called the “risk management function”, your second line serves as your methodology experts. They are like the coaches and trainers of your risk management team, providing the frameworks, tools, and guidance that help the first line succeed. 

Their responsibilities include: 

  • Developing an independent view on risk materiality 
  • Challenging first line activities when needed  
  • Creating and maintaining measurement standards and policies 
  • Providing operational risk training 

For example, when a business unit reports a new type of operational risk, your second line helps evaluate its significance, suggests appropriate controls, and ensures it fits within your overall risk appetite framework. 

Third line: internal auditors

Your internal audit function serves as your third line of defence, providing independent oversight of your entire risk management framework. Think of them as the referees in our team sport analogy – they ensure everyone plays by the rules and the game runs fairly. 

Their independence is crucial. While the first and second lines work closely together, your third line maintains objective distance, allowing them to provide unbiased assurance that your risk management system works effectively. 

Common risk reporting elements to create value

Risk reporting should be about more than producing documents that gather dust – it is about driving meaningful action across your organisation. Through years of industry experience, we've learned that the most valuable risk reports combine several essential elements that tell your risk management story.

Below is a list of the most common risk reporting elements, followed by a short explanation of each of these crucial aspects.

  1. Incidents and near misses 
  2. Action plans & follow-up 
  3. Risk appetite KRI
  4. KRIs & issue monitoring
  5. Top risks 
  6. Emerging risks – Horizon Scanning 

Start with what is happening on the ground: document both incidents and near misses (1), but do not stop at mere description. The real value comes from drawing up action plans and tracking (2) how your organisation responds. For instance, when an incident occurs in your payment processing system, your report should capture not just what went wrong, but what allowed the incident to happen and how you can strengthen existing protective factors or set up better ones.

Your risk appetite monitoring (3) forms another crucial chapter in this story. We have seen organisations transform their risk management by carefully tracking key risk indicators (4) against their defined tolerances. For example, the head of a risk function shared how comparative reporting revolutionised their approach. When departments could see their risk metrics alongside their peers, it sparked productive discussions about best practices and areas for improvement. 

When it comes to top risks (5), experience shows that boards and executives particularly care about the biggest threats that could jeopardise the organisation's continuity. They need clear, decision-focused information about these types of risks. This does not mean overwhelming them with data – instead, provide concise insights about your top ten risks and emerging threats (6). 

The “Tiered Cake” approach

Effective risk reporting follows what we like to call the “tiered cake” approach, with three distinct layers serving different needs: 

  1. Base Layer: “All you need to know to monitor”
    • Comprehensive information for risk management and middle management 
    • Detailed incident reports and metrics 
    • Complete control testing results 
  2. Middle Layer: “All you need to know to act” 
    • Action-oriented information for senior management & department heads 
    • Key risk indicators and trends 
    • Control effectiveness summaries 
  3. Top Layer: “All you need to know to decide”  
    • Strategic insights for the board and executive level 
    • Material risk exposures 
    • Major control gaps requiring investment 

This structure ensures each level receives the information they need in the format most useful to them. For instance, while your risk management team needs detailed incident data, your board focuses on strategic risks that could affect your organisation's continuity. 

The Reporting Cake

The Three Lines of Defence model provides a robust framework for managing risk across your organisation. By clearly defining roles and responsibilities, implementing effective reporting structures, and fostering collaboration while maintaining independence, you create a resilient risk management system that supports your organisation's success.

Bringing it all together: making the model effective

The success of your Three Lines of Defence model ultimately depends on how well these components work together in practice. Organisations can transform their risk management effectiveness by focusing on several key areas. 

  1. First, consider how information flows through your organisation. The most successful implementations create natural channels for risk-related communication. This might mean regular cross-functional meetings where first- and second-line teams can discuss emerging risks, or structured feedback sessions where audit findings are translated into practical improvements.
  2. The human element proves crucial here. While frameworks and procedures matter, relationships between teams often determine success. Organisations improve their risk management significantly when they nurture a community of risk champions across the different departments. These individuals serve as bridges between the lines of defence, helping translate risk concepts into practical actions and providing specific risk management support to the business.
  3. When it comes to independence, finding the right balance requires careful thought. Your third line needs enough separation to provide objective assurance, but not so much distance that they lose touch with operational realities. You can achieve this through clear protocols for interaction – maintaining professional scepticism while fostering constructive dialogue. 

Do you want to make your organisation future proof by creating a resilient risk management system?

Feel free to contact our experts for more information.