The ECIIA endorses the three lines of defence model for internal governance

12/01/2011

The three lines of defence model has been increasingly applied over recent years. The ECIIA finds that it is a useful tool to explain and demonstrate the different roles in internal governance and the interplay between them. It also forms the basis of a recent paper, jointly issued by ECIIA and the Federation of European Risk Management Associations (FERMA), on “Guidance for boards and audit committees on the implementation of Art 41.2 of the 8th EU Directive”.

The 3LoD model can be illustrated as follows:

  • As a first line of defence, the organisation’s operational management has ownership, responsibility and accountability for assessing, controlling and mitigating risks.
  • As a second line of defence, the risk management function (and also other supporting functions such as compliance and quality) facilitates and monitors the implementation of effective risk management practices by operational management and assists the risk owners in reporting adequate risk-related information up and down the organisation.
  • As a third line of defence, the internal auditing function will, through a risk-based approach, provide assurance to the organisation’s board and senior management on how effectively the organisation assesses and manages its risks, including the manner in which the first and second lines of defence operate. This assurance task covers all elements of an organisation’s risk management framework, i.e. from risk identification, risk assessment and risk response through to the communication of risk-related information.