First line is your people, more specifically, the business owners, charged to identify and treat risk

Functions may include:

• Risk Management Lifecycle
• Risk Identification and assessments execution
• Establish separate, and integrated risk related activities as part of a mature risk
• process

Second line of defense is an organizations' Governance/Oversight, Compliance and Legal entities responsible for enacting policies and procedures to govern the first line resources (business owners)

Functions may include:

• Identifying and creating policies and procedures
• Security related activities, Risk Management, extended from First Line of Defense

Third line are independent bodies / entities that report to the board and serve in roles such as both internal/external auditors/compliance committee (separate from the second line function) and may also have a Chief Risk/Privacy Officer

Functions may include:

• Internal and External Audit program development
• Audit assessment etc