The third line of defense is usually internal audit, and its role is to provide independent assurance to stakeholders such as the board of directors, investors and regulators about the robustness of the organization’s operational risk program. A best-practice independent review should:

  • Evaluate the design and implementation of the operational risk management program in the first two lines of defense.
  • Analyze validation processes to make sure they are independent and correctly implemented.
  • Ensure that the quantification approaches are robust, including what goes into the models and the models themselves, and that the models accurately reflect reality.
  • Confirm that the business units are gathering data on operational risks and controls and reporting this upward within the organization.
  • Evaluate the overall completeness, appropriateness and adequacy of the operational risk framework and program, both for the successful operation of the business and for regulatory compliance.


Some firms may consider external audit as part of the third line of defense.
