The ‘third line’ of corporate defence


Chief executive and principal consultant

ATC Financial Advisors & Consultants

AS defined by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) in 2004, enterprise risk management (ERM) is a process effected by an entity’s board of directors, management and other personnel. It is applied in strategy setting and across the company, and is designed to identify potential events that may affect the business and to manage risk so that it stays within the company’s risk appetite.

ERM is based on the premise that every company exists to provide value for its stakeholders. Reflecting this, in 2017 COSO updated its definition of ERM to the culture, capabilities and practices, integrated with strategy setting and performance, that a company relies on to manage risk in creating, preserving and realising value.

Within ERM, internal audit is known as the third line “of defense or accountability”. The lines are:

  • Management - The first line is operational managers (risk owners) who own and manage risks day-to-day. They are also responsible for implementing corrective actions to address process and control deficiencies.

  • Risk management/compliance - The second line comprises the risk management and compliance oversight functions that management establishes to help build and/or monitor the controls implemented by the first line.

  • Internal Audit - The third line is internal audit (the highest level of independence and objectivity within the company), which audits (or reviews) ERM. Internal audit provides the board and senior management with assurance on the effectiveness of governance, risk management and internal controls, including the manner in which the first and second lines achieve risk management and control objectives.

This assurance by internal audit includes assessing the following:

  • Whether the company’s objectives support its mission

  • Whether significant risks are identified and analysed

  • How risk appetite and risk responses (accept, reduce, share, avoid, pursue) are determined

  • Whether risk information (financial, operational, compliance etc.) is captured and communicated in a timely manner throughout the company

  • The potential for fraud, and how the company manages fraud risk

External audit, regulators and other outside bodies are sometimes considered a fourth line “of defense or accountability”. This line provides assurance to the company’s shareholders, the board and senior management. Regulators sometimes set requirements intended to strengthen the controls in a company and, on other occasions, perform independent and objective assessments of the first, second and third lines against those requirements.

The board is considered by some as the fifth line. It has an oversight role in ERM: determining that risk management processes are in place, and that they are both adequate and effective.

The familiar Three Lines of Defense Model (IIA 2013) was updated to the Three Lines Model (IIA 2020) to clarify and strengthen the underlying principles, widen the scope beyond defence, and explain how key corporate roles work together to facilitate good corporate governance and risk management. In the 2020 model the governing body is placed above the three lines, accountable to stakeholders, and external assurance providers sit outside the company rather than forming a line of their own.

Management is responsible for risk management and, within management, the chief executive has ultimate responsibility for risk management and for the achievement of strategy and business objectives.

