Context
Understanding organisational structures is vital for career progression. If you are moving from an operational role into a governance, oversight, or more senior management position, grasping the distinction between executing controls and overseeing them is essential.
Definition
Within the standard governance model, the second line of defence consists of the functions responsible for defining risk management frameworks and compliance standards. Typical second-line functions include Risk Management, Compliance, and Legal departments.
Unlike the first line, they do not own the operational risk itself. Instead, their primary role is oversight. They monitor the first line’s adherence to established frameworks and challenge their reporting and assumptions regarding risk exposure.
There is often confusion regarding how a function can set policy while maintaining this oversight role. These activities are, in fact, complementary. Effective oversight requires a clear standard against which performance can be measured. The second line defines that standard through policies and risk frameworks — essentially setting the rules of the road. By establishing how risks should be managed without actually executing the day-to-day controls, they maintain the necessary objectivity to monitor whether the first line is adhering to those rules.
They provide a layer of assessment — distinct from the independent assurance of internal audit (the third line) — to management regarding how effectively risks are being handled operationally.