CHAPTER 9

The Three Lines of Defense Model

The three lines of defense model should be used by all firms as a basis for structuring their risk and control process. At its most basic, it appears as follows:

[Figure: the three lines of defense model]

The first line of defense includes anyone who creates transactions, who operates the business, who sells or records things. Each of these business units will have a risk register, and they will record in those registers the controls that they employ to prevent manifest error or other problems.

The second line of defense includes internal control and consists of those units that check things as a function. Areas such as compliance and risk ...

Get Enterprise Risk Management in a Nutshell now with the O’Reilly learning platform.