The third line of defense is usually internal audit, and its role is to provide independent assurance to stakeholders such as the board of directors, investors and regulators about the robustness of the organization’s operational risk program. A best-practice independent review should:

  • Evaluate the design and implementation of the operational risk management program in the first two lines of defense.
  • Analyze validation processes to make sure they are independent and correctly implemented.
  • Ensure that the quantification approaches are robust, including what goes into the models and the models themselves, and that the models accurately reflect reality.
  • Confirm that the business units are gathering data on operational risks and controls and reporting this upward within the organization.
  • Evaluate the overall completeness, appropriateness and adequacy of the operational risk framework and program, both for the successful operation of the business and for regulatory compliance.


Some firms may consider external audit as part of the third line of defense.
