Governance and the Three Lines Model in Operational Risk

Learn how boards, first line, second line and internal audit work together to build a practical three lines model for operational risk.
5 min read time

Governance and the Three Lines Model in Operational Risk

Governance is where operational risk management either becomes real or remains theoretical. Firms can have good templates, detailed registers and polished reports, but if accountability is unclear, oversight is weak and challenge is not independent, the framework will not hold when pressure increases. That is why governance and the three lines model remain central to modern operational risk practice, and why supervisors consistently start their reviews here before they look at anything else.

The reason governance gets this much attention from regulators is straightforward. Every other component of an operational risk framework, the RCSA, the control testing programme, the KRI dashboard, depends on people doing their jobs properly and being held accountable when they don't. Governance is the structure that makes accountability real rather than aspirational. Without it, even a well-designed framework on paper tends to drift, because nobody is genuinely responsible for keeping it alive.

Board ownership begins the framework

The board does not manage day-to-day operational risk, but it does define the environment in which risk is managed. It approves strategy, sets appetite, reviews key reporting and ensures the firm has adequate resources and challenge mechanisms. That "to neat the top" matters because it signals whether risk ownership is an embedded management expectation or a periodic compliance exercise.

In practice, tone at the top shows up in specific, observable ways. It shows up in whether the board asks substantive questions about risk reporting or simply receives it. It shows up in whether resourcing decisions reflect the risk priorities the board has signed off on, or whether risk management is consistently the first budget linecut when commercial pressure rises. It shows up in whether senior managers are genuinely held accountable when controls in their area fail, or whether accountability is diffused so broadly that nobody actually owns the outcome.

Boards must explicitly approve the firm's risk strategy, appetite and tolerance levels while also ensuring adequate resources for risk management. This is not a once-off exercise. Regulatory expectations are that boards review the risk framework, risk appetite statements and related processes at least annually, and more frequently where the business or its operating environment is changing quickly. A board that approved a risk appetite statement three years ago and has not revisited it since is not exercising the kind of active oversight regulators expect, regardless of how well-written that original statement was.

How the three lines model works in practice

The three lines model is the standard architecture for dividing risk ownership, oversight and assurance across an organisation. It is endorsed explicitly by regulators: the Prudential Regulation Authority expects first line risk ownership, with oversight and challenge by independent second and third lines, and the European Banking Authority's guidance notes that business lines acting as the first line should have appropriate processes and controls in place and be subject to monitoring by the independent risk management and compliance function.

First line

The first line owns risk in the flow of work. Business and process owners understand where failures can happen, what controls exist and where trade-offs arise between efficiency and assurance. First-line ownership is not optional; it is the operating centre of the framework.

This is worth stating plainly because it is frequently misunderstood. Risk management is not something the risk function does to the business. It is something the business does, with the risk function providing the framework, the challenge and the independent oversight that keeps first-line assessments honest. A branch manager, an operations lead, a head of customer service: these are the people who know, in granular detail, where their processes are vulnerable, which controls actually get followed under pressure and which get quietly skipped, and where new risks are emerging before they show up in any formal report. A framework that does not give first-line owners genuine accountability for identifying and managing their own risks is missing the most valuable source of risk intelligence the organisation has.

Second line

The second line provides independent oversight, challenge and framework design. It reviews assessments, monitors emerging issues, proposes indicators and checks consistency across the organisation. In smaller firms, this line may be lean, but it still needs enough independence to challenge the business credibly.

The second line's job is not to do the first line's risk management for them. It is to set the methodology everyone uses, to sample and validate first-line assessments rather than simply collecting and filing them, and to push back when a risk rating looks implausible or a control assessment looks more optimistic than the evidence supports. This requires a degree of seniority and a reporting line that genuinely protects independence. A risk officer who reports through the same management chain as the business unit they are meant to be challenging will struggle to provide credible, independent oversight, regardless of their personal competence or integrity. Even small firms should strive for some structural independence here, for example risk officers reporting directly to the board or a board-level risk committee rather than through operational management.

Third line

Internal audit providesindependent assurance over the effectiveness of the first and second lines.That does not mean it repeats their work. It tests whether the overall systemis designed and operating as intended, and it reports its findings to governingbodies in a way that drives improvement.

The distinction between second-line challenge and third-line assurance is important and sometimes blurred in smaller organisations. The second line is embedded in the ongoing management of risk, proposing indicators, reviewing assessments, working alongside the business day to day. The third line stands further back: it periodically tests whether the entire system, including the second line's own effectiveness, is functioning as it should. In smaller firms, this role is frequently outsourced to an external audit or professional services firm, which is entirely appropriate provided the engagement has genuine independence, a clear scope, and a direct reporting line into the risk committee or board rather than into management. Regular audit reports should feed back into the risk committee and board's agenda, not sit in a folder that gets reviewed once a year alongside everything else.

What smaller firms should scale, not skip

Smaller firms frequently combine roles, use external audit partners or run flatter structures. That is workable if it is deliberate and documented. The mistake is not having fewer people. The mistake is leaving responsibilities ambiguous. Boards should document charters, reporting lines, committee mandates and escalation routes so independence is preserved as far as the organisation's size allows.

A useful way to think about proportionality here is to separate the question of headcount from the question of structure. A firm with five people in its risk and compliance function can still operate a credible three lines model, provided the roles, however combined, are explicitly assigned, documented and reported on. What regulators are looking for during a supervisory review is not evidence of a large team. It is evidence that the firm has thought clearly about who owns what, whochallenges what, and who provides independent assurance over the whole system,and that this thinking is captured in documentation rather than existing onlyas informal understanding among a small group of people who happen to know howthings work.

This documentation also mattersfor continuity. Informal understanding about who is responsible for what tendsto break down exactly when it matters most: during a leadership transition, aperiod of rapid growth, or a crisis when the usual people are unavailable. Adocumented governance structure survives those moments. An informal onefrequently does not.

Governance documents worth creating first

Start with five documents: agovernance map, committee terms of reference, role-accountability matrix,reporting calendar and board-approved risk policy. Those documents createstructure around decisions, remove duplication and make it easier to demonstrategovernance maturity to auditors and supervisors.

The governance map should setout, at a glance, how risk decisions flow from board to committee to managementto first-line owners, and where each control function sits in that structure.Committee terms of reference should specify exactly what each committee isresponsible for deciding, how often it meets, and what escalates to the boardversus what is decided at committee level. A role-accountability matrix, oftenbuilt on a simple framework such as RACI, makes explicit who is responsible,accountable, consulted and informed for each major risk activity, which isparticularly valuable in smaller firms where individuals wear multiple hats. Areporting calendar ensures that risk reporting to the board and its committeeshappens on a predictable, regular cycle rather than ad hoc. And aboard-approved risk policy ties the whole structure together, giving theframework formal status rather than leaving it as an informal set of practicesthat happen to be followed.

None of these documents need tobe elaborate. A two-page governance map is more useful than a fifty-pagedocument nobody reads. The value is in the clarity they create and the evidencethey provide, not in their length.

Conclusion

Good governance is notbureaucracy added on top of operational risk. It is the mechanism that makesownership, challenge and assurance visible. If a board wants better operationalresilience, the first question is not "what tool do we need?" It is"who owns what, who challenges what, and who assures the wholesystem?"

Getting this structure right,and keeping it right as the organisation grows and changes, is one of the mostcommon challenges firms raise with us. Our full whitepaper sets out apractical, scaled approach to the three lines model specifically for small andmid-sized financial institutions, with examples of how firms combine roleswithout compromising independence. Download thecomplete Operational Risk whitepaper to see the full governanceframework alongside the rest of the operational risk programme it supports.

Next Steps

Is your three lines model working in practice?