The three lines of defense structure clearly divides organizational risk management responsibilities into three functional areas. In 2004, COSO (Committee of Sponsoring Organizations of the Treadway Commission) introduced this three-line defense system. In practice, some knowledgeable observers suggest modifying the structure so that an organization’s governing board takes an active role in the third line of defense, and so that corporate management is incorporated into the second line of defense. Some observers view the board as part of the audit line of defense; others have proposed the board as a fourth line.

The structure defines risk management roles, internal compliance and control functions, and audit roles. It consists of: operational or business units; risk and control functions; and internal audit. The lines of defense framework is generally depicted as follows:

First Line of Defense: Business units assume ownership of and responsibility for the design and application of risk assessment, control and mitigation. These components are embedded into the unit’s decision making and operations at all levels. First line Enterprise Risk Management (ERM), including third party risk management (TPRM), resides here. To ensure that management appropriate to the organization takes place throughout the vendor lifecycle, procurement and an assigned vendor relationship manager should work with other members of the First Line of Defense.

Second Line of Defense: Consists of the compliance oversight team, which may employ aspects of other control functions for support.

Third Line of Defense: Generally viewed as the internal audit team, a function which must remain independent and therefore cannot provide direct support to the other lines of defense in the chain. This function may be outsourced, which can add a level of complexity to third party risk management. One of internal audit’s critical roles is oversight of the first and second lines of defense.