Most likely, if you work in the areas of governance, risk management, or compliance, you are already familiar with the “three lines of defense” model that describes risk management in three layers. It’s a good model for understanding how risk is, at some level, everyone’s responsibility, but the discussion needs to go further than most of what I have seen so far.
Risk Management Three Lines of Defense
The risk management “three lines of defense” model begins with the first line, business operations, owning and directly managing risk. The second line is a risk, control, and compliance team that provides monitoring and support. The third line consists of internal audit, which provides independent assurance about risk management to the board.