Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, external events, people or systems. Not long ago, the responsibility for managing operational risk within a company often rested squarely on the shoulders of individual tenured experts. Relying on their own experience and limited internal-audit functions, they would work to identify any obvious weaknesses or oversights that might open the business up to unnecessary risk. The auditor was the only real line of defence standing between the organisation and a host of encroaching dangers.
Today, the number and complexity of business risks are growing. To match and mitigate those risks, many businesses are adopting a different governance model: Three Lines of Defence (3LoD).
As the name suggests, the Three Lines of Defence model for risk management consists of three different levels of protection. These are designed to provide redundant risk-management support and to help ensure that dangers are identified and addressed before they can negatively impact operations. At the same time, the most current version of the 3LoD model stresses collaboration, alignment, accountability and a focus on objectives, making it an important framework not only for defence, but also for recognising and seizing opportunities as they arise.
Here, we take a closer look at each of the Three Lines of Defence in risk, how 3LoD relates to operational resilience and what we can expect from the three-line approach in the years to come.