LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is the "Three Lines of Defense" governance model and what does each line do?

It splits accountability into three lines: 1st = business operations that own and run controls, 2nd = risk/compliance functions that oversee them, 3rd = internal audit that independently assures — all reporting up to the board.

Stacked: 1st line operations, 2nd risk/compliance, 3rd internal audit, reporting up to board.

* Three Lines of Defense: operations own controls, risk & compliance oversee, internal audit assures — all reporting up to the board. *

Line Who Role
1st Line of Defense Business operations / all business units Own and manage risk: daily risk management, identify/implement controls, ensure product/process/IT compliance, use KPIs
2nd Line of Defense Risk Management, HR, Compliance, IT Security, Legal Oversight: monitor, oversee and report; risk and control self-assessment (RCSA, RCA); track Key Risk Indicators (KRIs)
3rd Line of Defense Internal Audit Independent assurance: periodic review covering all business units, provides assurance to the Board/CEO

Above all three sits Management (accountable to the board) and the Board of Directors (accountable to shareholders for organizational oversight, including board committees on governance, internal control, risk culture, roles/responsibilities).

Go deeper:

From Quiz: ISM / Praktische Anwendung | Updated: Jul 14, 2026