Three Lines of Defense

A model for organizing risk management responsibilities within an organization:

- First line: Business units that own and manage risks in their operations

- Second line: Risk management and compliance functions that oversee risk frameworks and challenge first-line activities

- Third line: Internal audit that provides independent assurance on risk management effectiveness

In RBPM, the three lines model is complemented by the RACI governance approach to create clear accountability for risk management while promoting appropriate challenge and oversight throughout the organization.