The Three Lines of Defense

AML Compliance + Fraud Protection


Managing inherent, operational, and other types of risk at a company is a complex process that’s difficult to handle for a single person or department. That’s why many businesses use a multi-layered approach to risk management called the Three Lines of Defense.

This model delegates different aspects of the compliance risk management process to specific employees and divisions within the organization. That allows for a more coordinated risk management approach: it clearly defines three groups of roles and responsibilities, as well as how they are to support each other.

So what are the Three Lines of Defense, and how does each one of them support an organization’s overall risk management strategy? We’ll explain below.


What are the Three Lines of Defense?

The Three Lines of Defense (3LOD) is a governance model aimed at optimizing an organization’s risk management strategy. It seeks to clarify roles for actors inside (and sometimes outside) the organization – as well as define their responsibilities – as they relate to risk management in banking.

The lines of defense are as follows:

  1. Management: Owns risk & compliance and develops controls for an organization’s day-to-day risk management operations.
  2. Risk & Compliance: Identifies emerging risks to an organization and develops systems to deal with them, including complying with applicable laws and regulations.
  3. Assurance: Independently conducts internal and external audits to assess how effectively the organization’s overall risk management program is working.

We’ll now explain more about each of the 1st, 2nd, and 3rd lines of defense in detail.

1. First Line of Defense

The First Line of Defense is where most of the practical compliance work happens in a business. It’s about a business identifying operational risks in its day-to-day activities, and putting controls in place so that it can function efficiently while avoiding as many of those risks as possible. 

What is the First Line of Defense?

The First Line of Defense may be described as risk management in an organization’s daily operations. It starts with managers identifying and being ultimately accountable for everyday risks, then extends to front-line employees and teams following internal controls in order to minimize these risks.

Smaller companies tend to be very invested in the First Line of Defense. This is because they often don’t have well-developed AML and regulatory compliance divisions yet. As such, their owners and upper management are usually very active in their daily operations, including their risk management and compliance efforts. 

First Line of Defense Risk Management: AML Roles and Responsibilities

Many First Line of Defense responsibilities fall on business managers who train and supervise employees, as well as employees who interact with clients, partners, and the general public. Some of their AML-related tasks include:

  • Setting goals for the organization, and identifying potential obstacles to those objectives
  • Creating a code of ethics for proper employee conduct
  • Establishing a chain of command for dealing with risk-related issues
  • Training employees on proper operating procedures and how to spot money laundering
  • Verifying and authenticating the identities of clients, partners, and potential hires
  • Client risk assessment functions, such as sanctions list and PEP screening
  • Securing the business’s property and IT framework against theft or attack

Next, we’ll talk about the role of the Second Line of Defense in compliance.

2. Second Line of Defense

In AML, the First Line of Defense is responsible for carrying out a business’s risk management program in practice. The job of the Second Line of Defense is to take a bigger-picture approach to risk management for the business. This includes monitoring how well the first line’s activities are mitigating risk, as well as advising the first line on risks it may be overlooking.

What is the Second Line of Defense?

The Second Line of Defense refers to an organization’s specialized risk management and regulatory compliance functions. Its job is to guide and oversee controls on an organization’s front line operations, in order to ensure they adhere to any applicable regulations and effectively minimize risk.

As companies grow larger—especially if they choose to allow public investment—they tend to face more diverse risks and stricter regulations. So they tend to rely more heavily on the Second Line of Defense for compliance.

Second Line of Defense Risk Management: AML Roles and Responsibilities

The Second Line of Defense in risk management is responsible for studying the current (and emerging) risk and regulation landscape. Based on its findings, its duty is then to develop risk management and regulatory compliance standards for the business. Then it communicates with the first line to ensure a company’s day-to-day operations are meeting or exceeding these standards.

To break this down, some Second Line of Defense responsibilities include:

  • Studying and staying up-to-date with regulatory requirements the business must follow 
  • Investigating current and emerging trends in risk (general and industry/business-specific)
  • Developing big-picture frameworks to address risk beyond a company’s daily operations
  • Evaluating a company’s risk management strategy (both in certain areas and overall)
  • Advising and directing the first line on specific sectors of risk management to focus on

Lastly, we’ll talk about the Third Line of Defense: audit.

3. Third Line of Defense

Though the Second Line of Defense involves some audit functions, it isn’t ideal for this role. That’s because its duties are mainly to create risk & compliance standards for the company and to oversee day-to-day business operations to ensure these standards are being followed. In other words, the second line can have difficulty judging the effectiveness of its own standards when it’s busy just developing them and getting them adopted by the first line.

That’s why a company often needs a group that isn’t directly involved in the company’s risk management operations at all. This allows the group to have an even broader, more independent view of how effective the company’s risk & compliance efforts are. This is the Third Line of Defense.

What is the Third Line of Defense?

The Third Line of Defense refers to internal and external auditing. Groups not directly connected to an organization’s operations evaluate how effective the organization’s risk management policies and procedures are, both at minimizing risk and complying with relevant regulatory obligations.

Third Line of Defense Risk Management: AML Roles and Responsibilities

The Third Line of Defense isn’t actively involved in the rest of an organization’s activities, including its risk management and compliance operations. Instead, it’s accountable directly to the organization’s owners and other primary stakeholders. This allows it to more objectively focus on the overall risk and compliance environment in an industry, and judge how well the organization’s other lines of defense are functioning in comparison.

More specifically, the Third Line of Defense in risk management is responsible for tasks such as:

  • Evaluating a company’s risk & compliance efforts in light of the organization’s goals
  • Reporting to an organization’s owners on the effectiveness of the company’s risk ops
  • Providing recommendations for continually improving a company’s risk management
  • Establishing safeguards for auditing objectivity, and reporting any interference with them  
  • Showing regulators that a company’s risk ops are performing up to standards 

Sometimes, the Third Line of Defense includes external auditors. Regulatory agencies or third-party auditing firms may conduct their own evaluations of a company’s risk management controls, or assess the level of independence a company’s internal auditors actually have.


Which Line of Defense Owns the AML Risk?

Typically, the Second Line of Defense is responsible for AML risk. A company’s risk and compliance professionals have to become familiar with applicable industry regulations, including those for AML, and these are often more complex than the risks a company is trying to mitigate in its daily operations. So it falls on the second line to ensure the first line’s risk management efforts also take any relevant regulatory requirements into account.

Of course, there can be exceptions depending on the size and structure of an organization. For example, a smaller business without many dedicated compliance operatives may place ultimate responsibility for AML compliance risk with the First Line of Defense. However, this will usually be governed by the company’s senior management, as opposed to its front-line employees.

Reinforce the Three Lines of Defense Model with Unit21’s AML Tools

The second line in the Three Lines of Defense model is critical for ensuring compliance with regulatory requirements around AML, CFT, and stopping other types of financial crime. These are things that management and front-line employees may not always pay close attention to when trying to mitigate the most immediate risks in daily operations.

That’s why it’s important for risk management teams to integrate the right tools into an organization’s day-to-day workflows: to make compliance as simple and intuitive as possible. Unit21’s infrastructure for risk and compliance has activity monitoring and case management tools to make compliance management a snap. See them in action by booking a demo today.