Skip to content
CityLearning
Regulatory & conduct

Three Lines of Defence

The Three Lines of Defence is the governance model used by regulated financial services firms to structure risk management and oversight. The first line (business functions) owns and manages risk; the second line (risk and compliance) provides oversight and challenge; the third line (internal audit) provides independent assurance to the board.

The Three Lines of Defence is the standard governance model in regulated financial services for organising risk management and internal control. It divides responsibilities across three distinct functions so that risk is owned, overseen and independently assessed, rather than managed solely by those who take it.

The three lines

First line: business functions. The front line of the business: product, sales, operations, trading, lending, and other revenue-generating and operational functions. The first line is responsible for identifying, assessing and managing risk as part of day-to-day activity. It owns the risk in the sense that the people running the business are the ones taking it on, and they are accountable for managing it within the firm’s risk appetite.

Second line: risk management and compliance. The risk management function and the compliance function operate as the second line. They set the firm’s risk framework, policies and limits; monitor compliance with those limits; challenge the first line when risks are being taken outside appetite; and provide oversight and reporting to senior management and the board. The compliance function within SM&CR typically holds Prescribed Responsibilities for the firm’s compliance framework.

Third line: internal audit. Internal audit provides independent assurance, to the board and the audit committee, that the first and second lines are functioning as intended. Unlike the second line, internal audit has no day-to-day role in managing or overseeing risk: its independence from those functions is what gives its assurance value. The Chief Internal Auditor typically holds an SMF function at larger firms.

Three Lines of Defence and SM&CR

The model maps directly to SM&CR’s accountability structure. Prescribed Responsibilities for the compliance function, the risk management function, and internal audit are typically held by Senior Managers in the corresponding lines. Where a Senior Manager’s Statement of Responsibilities covers a second-line function, the FCA will assess whether that individual took reasonable steps to ensure effective oversight of the first line.

Training in the Three Lines of Defence model is a standard component of SM&CR senior manager induction and governance training programmes. For the compliance training programme more broadly, see our guide to building a compliance training plan.

Frequently asked questions

What are the Three Lines of Defence?
The Three Lines of Defence is a governance model for risk management. The first line, the business functions, owns and manages risk in day-to-day operations. The second line, risk management and compliance, provides oversight, policy, and challenge. The third line, internal audit, provides independent assurance to the board that the first and second lines are functioning effectively.
Is the Three Lines of Defence model required by the FCA?
The FCA does not mandate a specific governance model, but it expects firms to have robust risk management and internal control frameworks. The Three Lines of Defence model is widely accepted as a standard approach for demonstrating this to the FCA and PRA. SM&CR's accountability framework maps naturally to the model: Senior Managers in the first and second line hold named Prescribed Responsibilities for their areas.

Reviewed by Margaret Hassett

← Back to the compliance glossary

Turn definitions into training

See how CityLearning's UK compliance courses help your team understand terms like this in practice.