The first line of defense is your people, more specifically the business owners, who are charged with identifying and treating risk.
Functions may include:
- Risk Management Lifecycle
- Risk identification and assessment execution
- Establish separate and integrated risk-related activities as part of a mature risk process
The second line of defense is an organization's Governance/Oversight, Compliance and Legal entities, which are responsible for enacting policies and procedures to govern the first-line resources (business owners).
Functions may include:
- Identifying and creating policies and procedures
- Security-related activities, Risk Management, extended from the First Line of Defense
The third line consists of independent bodies/entities that report to the board and serve in roles such as internal and external auditors or the compliance committee (separate from the second-line function); it may also include a Chief Risk/Privacy Officer.
Functions may include:
- Internal and External Audit program development
- Audit assessment, etc.