The three lines of defence model is a widely recognised framework used by organisations to manage risk and ensure effective governance and compliance. It establishes clear roles and responsibilities across different functions within an organisation to promote accountability and a strong risk management culture. This model helps firms identify, assess, manage, and monitor risks systematically, providing assurance to stakeholders that controls are working effectively.
The Purpose of the Three Lines of Defence
The primary purpose of the three lines of defence is to create a structured approach to risk management that ensures risks are controlled at appropriate levels within the organisation. It aims to separate duties and establish checks and balances so that no single part of the organisation has unchecked control over risk management. By doing so, the model helps reduce the likelihood of risk events occurring and mitigates their potential impact.
Overview of the Three Lines
The model divides risk management roles into three distinct but interrelated lines:
First Line of Defence
The first line of defence comprises operational management and staff who are responsible for identifying, assessing, and controlling risks in their day-to-day activities. This line owns and manages risks directly as part of business operations. They implement and maintain internal controls and ensure compliance with policies and procedures. Their role includes risk identification, performing risk assessments, monitoring controls, and escalating issues where necessary.
Second Line of Defence
The second line of defence includes functions that oversee risk management and compliance but do not directly manage risks. These functions provide expertise, support, and monitoring to ensure the first line is effectively managing risks. They set frameworks, policies, and guidance, and perform oversight activities such as compliance monitoring, risk management reviews, and training. Examples of second-line functions include risk management departments, compliance teams, and financial control functions.
Third Line of Defence
The third line of defence is the internal audit function. Internal audit provides independent assurance on the effectiveness of governance, risk management, and internal controls. It evaluates whether the first and second lines are functioning effectively and whether risks are being managed within the organisation’s risk appetite. The audit function reports findings directly to senior management and the board, providing an objective assessment of risk controls and governance.
How the Three Lines Work Together
The three lines of defence operate collaboratively but with distinct responsibilities to provide a robust risk management system. The first line manages risks in operational processes, the second line monitors and guides risk management activities, and the third line provides independent assurance to senior leaders. This structure ensures that risks are managed proactively and transparently across all levels of the organisation.
Importance of Clear Roles and Communication
Effective implementation of the three lines of defence requires a clear definition of roles and responsibilities within each line. Communication and cooperation between the lines are essential to avoid duplication of efforts or gaps in risk management. Organisations must establish clear reporting lines and escalation procedures to ensure the timely identification and resolution of risks.
Developing the First Line of Defence
The first line of defence plays a critical role in risk management because it is closest to the operational activities of the organisation. This line comprises managers and employees who are directly responsible for executing business processes and managing risks inherent in their day-to-day tasks. Developing a strong first line is fundamental to an organisation’s ability to identify and mitigate risks promptly and effectively.
Operational Management Responsibilities
Operational managers have the primary responsibility for risk identification and control. They must understand the risks relevant to their activities and implement controls to mitigate those risks. This includes adhering to policies, applying procedures consistently, and ensuring staff are adequately trained on risk-related matters.
Managers should also foster a risk-aware culture within their teams. Encouraging open communication about risks and promoting proactive identification of potential issues helps embed risk management in daily operations rather than treating it as an afterthought.
Risk Identification and Assessment
The first line is responsible for ongoing risk identification and assessment as part of operational planning and execution. This involves analysing the environment in which the business operates, understanding customer profiles, market conditions, regulatory requirements, and technological factors that may introduce risks.
Risk assessments should be dynamic and updated regularly to reflect changes in operations or external factors. Operational staff must have access to relevant information and tools to conduct meaningful assessments and escalate risks when they exceed acceptable thresholds.
Control Implementation and Monitoring
Controls are the mechanisms put in place to mitigate identified risks. These may include physical controls, procedural safeguards, system access restrictions, or segregation of duties. The first line must ensure these controls are designed appropriately and operate as intended.
Monitoring controls involves routine checks, validation activities, and exception reporting. Operational teams should document control failures and incidents promptly and take corrective action. This monitoring is essential for maintaining the integrity of business processes and ensuring compliance with internal and external requirements.
Challenges in the First Line
Despite its importance, the first line often faces challenges such as competing business priorities, resource constraints, and insufficient training. Staff may view risk management as secondary to achieving operational targets, which can lead to gaps in risk coverage.
Addressing these challenges requires senior leadership support, clear communication of risk management expectations, and embedding risk responsibilities into performance metrics. Ongoing training and development help maintain awareness and capability within operational teams.
Strengthening the Second Line of Defence
The second line of defence provides oversight, expertise, and challenge to the first line. It is composed of risk management and compliance functions that develop frameworks, policies, and guidance, and monitor the effectiveness of controls implemented by the first line.
Role of Risk Management Functions
Risk management teams establish risk appetite and tolerance levels and design risk frameworks aligned with organisational objectives. They assist the first line by offering tools and methodologies for risk assessment and mitigation.
These functions also monitor emerging risks and changes in regulatory landscapes, advising the organisation on adapting strategies accordingly. Through risk reporting and analytics, the second line provides senior management with insights into the organisation’s risk profile.
Compliance Function Responsibilities
Compliance teams focus on ensuring the organisation adheres to laws, regulations, and internal policies. They conduct compliance risk assessments, perform monitoring activities, and provide guidance on regulatory requirements.
By maintaining relationships with regulators and staying abreast of legal developments, compliance functions help prevent regulatory breaches and associated penalties. They also support training programmes that increase staff understanding of compliance obligations.
Monitoring and Challenge Activities
The second line independently monitors controls and processes implemented by the first line to verify their adequacy and effectiveness. This includes conducting periodic reviews, testing key controls, and evaluating risk mitigation strategies.
A critical aspect of the second line’s role is to challenge the first line constructively. This involves questioning assumptions, testing controls rigorously, and raising concerns when controls are inadequate or risks are not properly managed.
Integration and Coordination
For the second line to be effective, it must coordinate closely with the first line and maintain open communication channels. Feedback loops allow the first line to improve risk management practices based on insights from the second line.
Integration of risk and compliance functions within the second line helps create a holistic approach to managing risks across various domains, including financial, operational, reputational, and compliance risks.
The Role of the Third Line of Defence: Internal Audit
The third line of defence provides independent assurance on the overall effectiveness of governance, risk management, and control processes. The internal audit function is typically responsible for this role, reporting directly to the highest levels of governance, such as the audit committee or board of directors.
Independence and Objectivity
A key feature of the internal audit function is its independence from operational management and second-line functions. This independence allows auditors to provide objective assessments without conflicts of interest.
Internal audit should have unrestricted access to records, personnel, and systems to conduct thorough evaluations. Maintaining professional scepticism and adherence to auditing standards ensures the integrity of audit findings.
Audit Planning and Execution
Internal audit develops an audit plan based on a risk-based approach, focusing on areas of highest risk or strategic importance. The plan is typically approved by the audit committee to ensure alignment with organisational priorities.
Audits involve testing controls, reviewing processes, and assessing compliance with policies and regulations. Auditors document findings, identify control weaknesses, and recommend improvements to enhance risk management.
Reporting and Follow-Up
Audit findings are reported to senior management and the board, providing insight into the organisation’s risk posture. These reports highlight significant risks, control failures, and areas for improvement.
Follow-up procedures ensure management implements agreed-upon recommendations promptly. This continuous feedback loop supports ongoing enhancement of risk controls.
Adding Value through Assurance
Beyond identifying deficiencies, internal audit contributes value by advising on best practices, emerging risks, and innovative control approaches. By providing independent assurance, internal audit increases stakeholder confidence in the organisation’s risk management and governance.
Implementing the Three Lines Model Effectively
Successful implementation of the three lines of defence requires careful planning, clear communication, and ongoing commitment from all levels of the organisation.
Governance and Leadership Support
Strong leadership is essential to embed the three lines model within organisational culture. Boards and senior executives must champion risk management and provide the resources necessary for each line to operate effectively.
Clear governance structures, including defined roles, responsibilities, and accountability frameworks, support consistent application of the model. Leadership must ensure that risk management is seen as a shared responsibility.
Policy Frameworks and Procedures
Developing comprehensive policies and procedures aligned with the three lines model provides a foundation for consistent risk management practices. Policies should articulate expectations for each line and define escalation paths for risk issues.
Procedures must be practical and reflect operational realities. Periodic reviews and updates ensure policies remain relevant in a changing environment.
Training and Awareness
Training programmes tailored to each line’s role are critical to building competence and awareness. The first line needs operational risk management skills, the second line requires expertise in oversight and compliance, and internal audit must maintain professional auditing capabilities.
Ongoing awareness campaigns reinforce the importance of risk management and encourage a proactive approach across the organisation.
Technology and Tools
Technology plays an important role in supporting the three lines model. Risk management software, compliance monitoring tools, and audit management systems facilitate efficient risk identification, assessment, monitoring, and reporting.
Integration of data sources and analytics enhances risk visibility and enables timely decision-making. Automated controls and workflow systems reduce manual errors and increase consistency.
Challenges in Implementing the Three Lines of Defence Model
Although the three lines of defence model provides a robust framework for managing risk and compliance, organisations often encounter challenges in its practical implementation. Understanding these obstacles and how to overcome them is critical for maximising the effectiveness of the model.
Ambiguity in Roles and Responsibilities
One of the most common challenges is the lack of clarity regarding roles and responsibilities between the three lines. Without clear boundaries, there can be overlap, duplication, or gaps in risk coverage. Confusion may arise over who is accountable for particular risk activities, leading to ineffective risk management.
Organisations must clearly define and communicate the specific duties of each line. Documentation such as charters, policies, and role descriptions can provide guidance and reduce ambiguity. Regular training and awareness sessions help reinforce these distinctions.
Ineffective Communication and Collaboration
The three lines must work in coordination to ensure risks are identified, assessed, and managed comprehensively. However, poor communication channels can hinder the flow of information between lines, delaying risk responses or leaving issues unaddressed.
Establishing formal communication protocols and fostering a culture of collaboration are essential. Regular meetings, reporting mechanisms, and feedback loops ensure that insights and concerns flow freely. Technology platforms can also facilitate real-time information sharing.
Resistance to Change and Cultural Barriers
Embedding a risk-aware culture that supports the three lines model often requires significant cultural change. Staff may resist new risk management processes due to perceived increased workload or fear of accountability.
Leadership commitment to promoting risk awareness and demonstrating its value is vital. Incentivising risk management behaviours and integrating risk objectives into performance evaluations can motivate staff. Training and open dialogue help alleviate fears and encourage acceptance.
Resource Constraints
Effective operation of the three lines demands adequate resources, including skilled personnel, technology, and budget. Organisations may struggle to allocate sufficient resources to second-line oversight functions or internal audit, leading to inadequate risk coverage.
Strategic resource planning aligned with risk priorities is necessary. Leveraging technology to automate routine tasks can improve efficiency. Outsourcing or co-sourcing certain functions may also be considered to supplement internal capabilities.
Overlapping Roles and Duplication of Effort
Without careful coordination, the three lines may inadvertently perform overlapping activities, resulting in duplication of effort and inefficient use of resources. This is particularly common between the second line and internal audit when both conduct reviews or testing in similar areas.
Delineating responsibilities and sharing work plans can reduce overlap. Coordinating audit and compliance schedules ensures complementary coverage and prevents unnecessary repetition. Collaboration tools and joint risk committees can aid alignment.
Maintaining Independence and Objectivity
The third line of defence must maintain independence to provide unbiased assurance. However, pressures to support business units or manage conflicts of interest can compromise internal audit’s objectivity.
Strong governance frameworks, including direct reporting lines to the audit committee, help safeguard independence. Internal audit charters should explicitly define scope, authority, and independence standards. Rotating auditors and peer reviews also promote objectivity.
Measuring the Effectiveness of the Three Lines of Defence
Evaluating how well the three lines of defence are functioning is crucial to ensure risks are managed effectively and governance objectives are met. Organisations should develop metrics and indicators that provide insight into performance and areas for improvement.
Key Performance Indicators for the First Line
Performance metrics for the first line focus on operational risk management and control effectiveness. These may include the number of risk incidents reported, control testing results, compliance rates, and timeliness of risk escalations.
Tracking training completion rates and employee risk awareness surveys provides insight into the risk culture. Monitoring trends in risk and control failures helps identify areas requiring additional attention or support.
Oversight Effectiveness Metrics for the Second Line
The second line’s effectiveness can be measured through indicators such as the frequency and quality of risk and compliance monitoring activities, the number of policy updates, and responsiveness to emerging risks.
Feedback from the first line on the usefulness of guidance and support provided is also valuable. The timeliness and thoroughness of risk reporting to senior management reflect how well the second line communicates risk information.
Assurance Quality for the Third Line
For the third line, quality is often assessed through audit cycle completion rates, the relevance and impact of audit recommendations, and management’s responsiveness to those recommendations.
Surveys of audit clients and governance bodies provide feedback on internal audit’s professionalism, independence, and value added. The extent to which internal audit activities align with organisational risk priorities is also an important measure.
Using Risk and Control Self-Assessments
Many organisations use risk and control self-assessments (RCSAs) as a tool to engage all three lines. RCSAs enable business units to evaluate risks and controls while providing data for oversight and audit functions.
Analysing RCSA results helps identify control gaps, emerging risks, and inconsistencies across business units. It also encourages ownership of risk management within the first line and provides valuable input for the second and third lines.
Enhancing the Model with Technology
Technology continues to play an increasingly important role in enabling and enhancing the three lines of defence model. Digital tools improve efficiency, accuracy, and collaboration across risk management functions.
Risk Management Information Systems
Risk management information systems (RMIS) provide centralised platforms for risk identification, assessment, and reporting. These systems facilitate real-time risk monitoring, documentation, and workflow automation.
RMIS helps integrate risk data from multiple sources, enabling a comprehensive view of the organisation’s risk profile. Dashboards and analytics support decision-making by highlighting key risk indicators and trends.
Compliance Monitoring Tools
Automated compliance monitoring tools continuously scan transactions, activities, and communications for potential violations. These tools enhance the second line’s ability to detect compliance breaches early.
By reducing manual review, these systems allow compliance teams to focus on investigating alerts and improving controls. They also help generate regulatory reports and evidence of compliance activities.
Audit Management Software
Internal audit functions benefit from audit management software that streamlines audit planning, execution, and reporting. These tools improve audit quality by standardising processes, enhancing documentation, and facilitating collaboration.
Audit software enables efficient tracking of audit issues and follow-up actions. Integration with other risk systems fosters coordination between internal audit and the other lines of defence.
Collaboration and Communication Platforms
Effective coordination among the three lines requires seamless communication. Technology platforms that support document sharing, workflow management, and real-time messaging improve collaboration.
These platforms reduce delays in information exchange, provide audit trails of communications, and enable remote working. They are especially valuable for global organisations with distributed risk management teams.
Case Studies and Industry Examples
Examining real-world examples of the three lines of defence model in practice helps illustrate its benefits and challenges. Industry case studies demonstrate how organisations implement, adapt, and optimise the framework to manage evolving risks.
Financial Services Sector
In financial services, the three lines model is a regulatory expectation and a critical component of anti-money laundering (AML) and fraud risk management. Banks and insurers establish dedicated risk and compliance teams to monitor front-line activities and provide independent assurance through internal audit.
High-profile cases of compliance failures have underscored the importance of clear roles, robust monitoring, and independent oversight. Leading institutions invest heavily in technology and training to strengthen all three lines.
Healthcare Industry
Healthcare organisations face unique risks, including patient safety, data privacy, and regulatory compliance. The first line consists of clinical staff and administrators who manage risks in patient care and operations.
Compliance and risk management teams oversee regulatory adherence and quality standards. Internal audit evaluates governance and control processes. Successful healthcare providers integrate risk management into clinical governance frameworks and foster a culture prioritising patient safety.
Manufacturing and Industrial Firms
Manufacturing companies manage operational, safety, and environmental risks alongside financial and compliance issues. The first line involves production managers and frontline workers who implement safety protocols and quality controls.
Risk and compliance functions oversee regulatory compliance and operational risk frameworks. Internal audit assures process integrity and risk controls. Many firms adopt digital tools for real-time monitoring of safety incidents and environmental risks.
Trends and Evolution of the Three Lines of Defence Model
The three lines of defence model has long been a cornerstone of risk management and governance frameworks across industries. However, the rapid pace of technological innovation, regulatory change, and shifting business landscapes requires continuous evolution of the model. This section explores emerging trends shaping the future of the three lines and considerations organisations must address.
Integration with Enterprise Risk Management (ERM)
The traditional three lines of defence model focuses primarily on operational, compliance, and audit functions, but modern organisations increasingly seek to integrate it within a broader enterprise risk management (ERM) framework. ERM promotes a holistic view of risk aligned with strategic objectives and business processes.
Aligning the three lines with ERM enhances risk visibility across all levels, improving the organisation’s ability to anticipate and respond to complex, interconnected risks. This integration encourages collaboration among risk functions and breaks down silos, supporting more agile and comprehensive risk management.
Embracing Risk Culture as a Core Element
Risk culture — the shared values, beliefs, and behaviours regarding risk within an organisation — is gaining recognition as a critical factor influencing the effectiveness of the three lines model. A strong risk culture ensures that risk management is embedded in everyday decision-making rather than being viewed as a compliance burden.
Boards and senior leaders increasingly focus on assessing and strengthening risk culture through surveys, workshops, and leadership development programmes. The three lines model is evolving to incorporate cultural assessments as part of risk oversight, encouraging all employees to take ownership of risk.
Leveraging Advanced Analytics and Artificial Intelligence
Advancements in data analytics and artificial intelligence (AI) present significant opportunities to enhance the three lines of defence. Predictive analytics can identify emerging risks and patterns that might otherwise go unnoticed, enabling proactive risk management.
AI-driven tools can automate routine risk assessments, compliance monitoring, and audit testing, freeing resources for higher-value activities. However, integrating these technologies requires investment in skills and infrastructure as well as addressing ethical and regulatory considerations.
Adapting to Remote Work and Distributed Teams
The rise of remote and hybrid work models has introduced new challenges for risk management and control environments. Distributed teams may face communication barriers, inconsistent application of controls, and difficulties in oversight.
The three lines of defence must adapt by leveraging digital collaboration platforms, revising policies for remote environments, and enhancing training on cybersecurity and remote risk management. Internal audit may need to adopt new audit techniques, such as virtual audits, to maintain assurance quality.
Enhancing Cybersecurity Risk Management
Cybersecurity has emerged as a top risk concern globally, requiring dedicated focus across all three lines. The first line must implement robust technical and operational controls, the second line provides cybersecurity risk oversight and compliance, and the third line audits cybersecurity governance and controls.
Collaboration with IT and security teams is critical to establish effective threat detection, incident response, and resilience capabilities. The three lines model is evolving to incorporate cybersecurity frameworks and standards, reflecting its growing importance.
Practical Steps to Strengthen the Three Lines of Defence
Implementing and continuously improving the three lines of defence model requires deliberate actions across governance, culture, processes, and technology. This section outlines practical steps organisations can take to enhance their three-line framework.
Establish Clear Governance Structures
Define and document roles and responsibilities for each line of defence. This includes developing charters, policies, and procedures that articulate accountability and reporting lines. Ensure that governance frameworks support independence for the second and third lines.
Regularly review and update governance structures to reflect changes in organisational strategy, regulatory requirements, or operational environment. Involve key stakeholders from all three lines in governance committees to foster alignment.
Promote a Risk-Aware Culture
Leadership should visibly endorse the importance of risk management and lead by example. Embed risk management objectives into performance evaluations and reward risk-conscious behaviours.
Provide ongoing training tailored to different roles and levels within the organisation. Encourage open dialogue about risks and near misses without fear of blame to create a culture of continuous learning.
Enhance Communication and Collaboration
Develop formal communication channels and protocols between the three lines, including regular meetings, joint workshops, and integrated reporting mechanisms.
Use technology platforms that facilitate real-time collaboration, document sharing, and workflow management. Foster mutual understanding of each line’s role and challenges to improve cooperation and reduce friction.
Invest in Technology and Automation
Evaluate risk management processes to identify opportunities for automation using tools such as risk management information systems, compliance monitoring software, and audit management platforms.
Integrate data sources to provide comprehensive risk analytics and improve decision-making. Stay informed on emerging technologies and assess their applicability to enhance efficiency and effectiveness.
Focus on Continuous Improvement
Implement regular assessments of the effectiveness of the three lines of defence using key performance indicators and independent reviews.
Encourage feedback from first-line managers and staff to identify practical issues and improvement opportunities. Update risk frameworks and controls in response to evolving risks and regulatory developments.
The Role of Leadership in the Three Lines of Defence
Effective leadership is essential for the successful operation and evolution of the three lines of defence. Leaders shape the risk culture, allocate resources, and ensure alignment of risk management with organisational objectives.
Board of Directors and Audit Committee Responsibilities
The board holds ultimate accountability for risk governance and oversight of the three lines model. It sets the tone at the top and approves risk appetite and strategy.
The audit committee provides direct oversight of the internal audit function, reviews risk reports, and ensures that management addresses identified issues. It plays a critical role in maintaining the independence and effectiveness of the third line.
Senior Management’s Role
Senior executives are responsible for embedding the three lines within business operations. They allocate resources, define risk management priorities, and facilitate coordination between the lines.
Management teams must ensure first-line managers have the skills and authority needed to manage risks. They also support the second line by encouraging timely escalation and cooperation.
Leadership in the Three Lines Functions
Leaders within the second and third lines must maintain independence while working collaboratively with operational teams. They champion best practices and advocate for continuous improvement.
These leaders play a vital role in communicating risk insights to executive leadership and the board, helping to shape strategic decisions and risk appetite.
Regulatory Expectations and Industry Standards
Regulators and industry bodies increasingly expect organisations to implement effective three lines of defence frameworks as part of broader governance and compliance programmes.
Financial Services Regulations
In the financial sector, regulators require firms to demonstrate robust risk management frameworks incorporating the three lines. This includes requirements on anti-money laundering, conduct risk, and operational resilience.
Regulators often scrutinise the independence and effectiveness of the second and third lines, expecting clear reporting lines to senior management and the board.
International Standards and Guidance
Standards such as ISO 31000 on risk management and the COSO framework reference principles that are aligned with the three lines of defence. These provide best practice guidance on structuring risk management functions and ensuring accountability.
Organisations can leverage these standards to benchmark their risk governance and demonstrate compliance to stakeholders.
Sector-Specific Requirements
Different industries may have tailored expectations. For example, healthcare organisations face specific patient safety and data privacy regulations, while manufacturing firms must comply with occupational health and environmental standards.
Understanding and integrating sector-specific regulatory requirements into the three lines model enhances compliance and reduces risk.
Building Resilience Through the Three Lines of Defence
Beyond managing risks, the three lines of defence model supports organisational resilience — the ability to anticipate, respond to, and recover from disruptions.
Proactive Risk Identification and Response
The first line’s ongoing risk management activities help detect issues early, enabling swift mitigation. The second line provides oversight to ensure that risk responses are appropriate and effective.
Internal audit challenges assumptions and tests controls, identifying weaknesses before they lead to failures.
Crisis Management and Business Continuity
The three lines collaborate to develop and maintain crisis management and business continuity plans. The first line executes response plans, the second line monitors readiness and compliance, and the third line audits preparedness.
Regular testing and updates of these plans build confidence that the organisation can sustain operations during adverse events.
Learning and Adaptation
Post-incident reviews and audits generate insights that feed back into risk management frameworks. This continuous learning loop enhances the organisation’s ability to adapt to changing environments.
Embedding this mindset across all three lines strengthens resilience over time.
Final Thoughts
The three lines of defence model remains a foundational framework for effective risk management and governance in organisations of all sizes and industries. By clearly defining roles and responsibilities across operational management, risk oversight, and independent assurance, the model helps organisations identify, assess, and mitigate risks in a structured and coordinated manner.
Successful implementation of the model depends on clarity, collaboration, and a strong risk culture. Each line has a distinct but complementary role: the first line owns and manages risk in day-to-day operations; the second line provides oversight, guidance, and compliance monitoring; and the third line delivers independent assurance through objective auditing. Together, they create a comprehensive defence against financial, operational, compliance, and strategic risks.
However, the evolving business environment demands that organisations continually adapt and enhance their three-line frameworks. Integration with enterprise risk management, leveraging emerging technologies such as artificial intelligence, and strengthening risk culture are critical for maintaining effectiveness. Leadership commitment at all levels is essential to promote accountability, ensure resource allocation, and foster open communication.
Regulatory expectations continue to reinforce the importance of robust three lines of defence structures, particularly in highly regulated sectors such as financial services. Adhering to industry standards and incorporating sector-specific requirements enhances compliance and stakeholder confidence.
Finally, the three lines of defence model is not merely about managing risk but building organisational resilience. Through proactive identification, timely response, and continuous learning, organisations can better withstand disruptions and thrive amid uncertainty.
Organisations that embrace the principles of the three lines of defence with dedication and adaptability position themselves to safeguard their assets, reputation, and long-term success. With ongoing focus on governance, culture, and innovation, the model will continue to be a vital tool in navigating today’s complex risk landscape.