What is the Three Lines of Defense model (3LoD)?

The first line of defense (1st LoD) is operational management, consisting of front-line managers responsible for day-to-day risk management activities. These managers supervise employees as they work within business systems and applications, ensuring that proper risk-management procedures are being followed. They are also responsible for implementing corrective measures in the event that process and control deficiencies arise.

Essentially, business operational management is mandated to maintain adequate internal controls, execute risk procedures, identify and assess risks, guide and implement internal policies, and ensure that all activities support established goals—all on a daily basis. The overall purpose of this first line of defense is ongoing compliance, and the ability to quickly identify any control breakdowns, inadequate processes, or emergent events.

Every-day activities play a crucial role in operational risk. As such, this first line of defense is absolutely critical, and must be supported by internal mechanisms, such as reliable management controls and internal control measures. These are developed and implemented with strong oversight from operational management, and should be regularly tested for functionality and effectiveness.

The third line of defense (3rd LoD) in the 3LoD model is the internal auditor. Auditors are responsible for reviewing all risk management processes, procedures, and frameworks, providing comprehensive assurance of the effectiveness of governance and internal controls. This line of defense supports the two previous lines, but must be capable of operating completely independently, taking an objective stance and reporting directly to senior management and any higher governing body, board, or audit committee.

As the final line of defense, internal audits must be capable of supporting a range of objectives related to operational efficiency and effectiveness, reporting reliability, regulatory compliance, and more.

Although the third line of defense is primarily associated with internal audits, external audits may also be brought in to further supplement this line and add another layer of assurance. In fact, in some cases (such as when obtaining SOC1 or SOC2 compliance, creating a PCI report, or documenting SOX-404 control effectiveness) an external auditor may be a mandatory requirement.

The Three Lines of Defense model is a tried-and-true approach to risk management. But just as continuity and resilience plans should be regularly updated to better account for changing situations, 3LoD has seen a number of revisions since it was first introduced.

Recently, the Basel Committee on Banking Supervision (BCBS) released Revisions to the Principles for the Sound Management of Operational Risk. Although these revisions to the 3LoD model are intended specifically for banks and related organizations, they can just as easily be applied to non-banking companies to further improve their risk management profiles.

Basel 3LoD updates include:

• Increased emphasis on the role of senior management in the execution of operational risk management activities.
• Clearer descriptions of other roles within the Three Lines of Defense model.
• Greater articulation of emergent risk sources.
• A separate focus on operational resilience.

As risks become more diverse, the Three Lines of Defense model must also continue to adapt. This truth may relate most directly to the third line: internal audits. Internal auditors and their associated processes must become more agile and forward thinking, promoting positive change throughout the rest of the 3LoD model. In the future, auditors will be expected to play a much more active role in advising and anticipating, as well as educating stakeholders at all levels.

Beyond internal audits, other advances will continue to shape the 3LoD model. New innovations—including automation, machine learning, and AI implementation—will allow for easier identification and remediation of risks. Likewise, organizations will increase focus on the human element of the Three Lines of Defense, working to improve coordination, communication, and methodologies throughout teams and departments

Managing operational risk is a vital aspect of modern business. The 3LoD model exists to provide redundant layers of protection to offer increased security against a range of possible threats. But by itself, 3LoD may not be enough to fully shield organizations from evolving dangers. ServiceNow, the industry leader in IT management, provides the solution.

Operational Risk Management from ServiceNow empowers organizations with the ability to apply continuous monitoring, incorporate relevant data insights from across the entire enterprise, and prioritize and respond to emergent risks faster than would otherwise be possible. The Operational Risk Management GRC application includes tools for risk self-assessment, control assurance, testing, incident and loss capture, and automated monitoring. Backed by advanced analytics and reporting, integrated predictive-intelligence enhanced issue management, and more, Operational Risk Management offers the increased defences that today’s organizations depend on to survive and thrive.

Reduce operational losses. Build resilience and reliability. Reduce costs and improve productivity. And through it all, enjoy complete, real-time visibility of all risk and control tolerances. Operational Risk Management from ServiceNow makes it all possible.