Three Lines of Defense for Organizing Risk Management

The three lines of defense model (3LoD) has become a much-talked-about concept for organizing risk ownership and internal control in the financial sector. This chapter discusses an extensive survey of the internal control literature and contacts with leading actors in the Swedish internal control and internal audit communities. It builds extensively on ideas in the literature on management control as defined in Nilsson et al.: 'formalized information-based routines, structures and processes which management uses to formulate and implement strategies by influencing behavior within the organization'. Like Nilsson et al., we believe most issues in control apply to firms as well as governmental operations and NGOs. Associations such as the European chapter of the Institute of Internal Auditors and the Federation of European Risk Management Associations have publicly supported 3LoD. Such design and control involves activities and systems variously called governance, management control, internal control, and risk management.