The third line of defense is usually internal audit, and its role is to provide independent assurance to stakeholders such as the board of directors, investors and regulators about the robustness of the organization’s operational risk program. A best practice independent review should:

  • Evaluate the design and implementation of the operational risk management program in the first two lines of defense.
  • Analyze validation processes to make sure they are independent and correctly implemented.
  • Ensure that the quantification approaches are robust, including what goes into the models and the models themselves, and that the models accurately reflect reality.
  • Confirm that that the business units are gathering data on operational risks and controls and reporting this upward within the organization.
  • Evaluate the overall completeness, appropriateness and adequacy of the operational risk framework and program, both for the successful operation of the business and for regulatory compliance.


Some firms may consider external audit as part of the third line of defense.

Popular resources

You may be interested in

News
3 mins reading time

Acin adds Kate Joicey-Cecil, Chief Client Officer, to the management team to further develop long-term, trusted client partnerships. 

News
March 27, 2023

Acin named as finalist for RegTech Partner of the Year at the British Banking Awards 2023

Acin named Best Operational Risk Management Partner by CFI
News
March 21, 2023

Acin named Best Operational Risk Management Partner by CFI

Discover more