The third line of defense is usually internal audit, and its role is to provide independent assurance to stakeholders such as the board of directors, investors and regulators about the robustness of the organization’s operational risk program. A best practice independent review should:

  • Evaluate the design and implementation of the operational risk management program in the first two lines of defense.
  • Analyze validation processes to make sure they are independent and correctly implemented.
  • Ensure that the quantification approaches are robust, including what goes into the models and the models themselves, and that the models accurately reflect reality.
  • Confirm that the business units are gathering data on operational risks and controls and reporting this upward within the organization.
  • Evaluate the overall completeness, appropriateness and adequacy of the operational risk framework and program, both for the successful operation of the business and for regulatory compliance.


Some firms may consider external audit as part of the third line of defense.
