Operational risk is defined as the risk of loss resulting from
inadequate or failed internal processes, external events, people, or
systems. Not long ago, the responsibility for managing operational risk
within a company often rested squarely on the shoulders of individual
tenured experts. Relying on their own experience and limited
internal-audit functions, they would work to identify any obvious
weaknesses or oversights that might open the business up to unnecessary
risk. The auditor was the only real line of defense standing between the
organization and a host of encroaching dangers.

Today, the number and complexity of business risks are growing. To
match and mitigate those risks, many businesses are adopting a different
governance model: Three Lines of Defense (3LoD).

As the name suggests, the risk management Three Lines of Defense
model consists of three different levels of protection. These are
designed to provide redundant risk-management support, and to help
ensure that dangers are identified and addressed before they can
negatively impact operations. At the same time, the most current version
of the 3LoD model stresses collaboration, alignment, accountability, and
a focus on objectives, making it an important framework not only for
defense, but also for recognizing and seizing opportunities as they

Here, we take a closer look at each of the Three Lines of Defense in
risk, how 3LoD relates to operational resilience, and what we can expect
from the three-line approach in the years to come.