The Three Lines of Defence model helps business leaders to manage risk effectively.
It facilitates a cohesive and coordinated approach by establishing three independent levels of risk management, segregating key duties and reducing the potential for conflicts of interest.
Among other regulators and organisations, the Three Lines of Defence model is endorsed by:
The Three Lines of Defence model was developed in response to the 2007/2008 global financial crisis.
The crisis highlighted that some teams within larger organisations were apparently taking risks that were well beyond the organisation's risk appetite.
The risks were neither adequately identified nor monitored by Senior Management and the Board.
The Three Lines of Defence model still depends on the Board and Executive leadership defining appropriate risk appetites and governing risks accordingly. The Board remains accountable for the organisation's Governance, Risk management and Compliance (GRC).
As shown on the diagram below, the Three Lines of Defence forms part of the overall organisational design.
In summary:
From a Data Protection perspective, for larger organisations, we typically see:
Also see our article on the relationship between Data Protection, Privacy and Security.
At DataGRC, our specialists have used the Three Lines of Defence model in a wide range of industries and organisations.
Contact us now, if you would like further advice, training, project support or assurance reviews.