Introduction
The stakes are higher than ever for modern organizations operating in a connected environment where they face unprecedented challenges, from rapidly evolving regulatory demands to increasingly sophisticated cyber threats. So how do they stay on course? How do they ensure that every function aligns with broader strategic goals while still managing risk effectively?
The scale of this challenge is reflected in how much organizations are investing in getting risk and compliance right. The global governance, risk, and compliance market alone is expected to grow from $21.04 billion in 2025 to $23.62 billion in 2026, driven by rising regulatory complexity and the need for stronger risk oversight.
The three lines of defense model addresses this need directly. It serves as a foundational framework for risk management, bringing clarity to accountability, strengthening oversight, and ensuring that risk is managed consistently across the organization.
Key Takeaways
The Three Lines of Defense (3LoD) is a structured risk management framework that helps organizations define and allocate risk-related responsibilities. By dividing risk management functions into three distinct lines, it enhances clarity, accountability, and overall effectiveness in managing organizational risks.
- Role Differentiation: It separates the responsibilities of operational management (1st line), risk management and compliance (2nd line), and internal audit (3rd line), ensuring that risks are identified, managed, and independently assessed.
- Purpose: The Three Lines of Defense Model clarifies roles and responsibilities in risk management, ensures independent assurance through internal audit, and facilitates collaboration for effective risk mitigation.
- Challenges: Common challenges that can hinder effective risk management. include balancing independence and collaboration among the lines, role ambiguity, and integrating the model with existing processes.
- Modernization: To modernize the model, organizations should enhance inter-departmental collaboration, adapt to emerging risks like cybersecurity, and implement real-time risk reporting to stay ahead of potential threats.
What is the Three Lines of Defense Model?
The Three Lines of Defense Model is a structured framework designed to enhance the clarity and effectiveness of risk management across an organization. Initially developed to address complexities in the financial sector, the model has since found applications in various industries, from healthcare to technology. This model delineates responsibilities and ensures a comprehensive risk management, compliance, and governance approach.
Breaking Down the Model
First Line of Defense: Operational Management
This line consists of front-line employees and operations managers who own and manage risks. These are the people directly involved in the business's core activities. They implement day-to-day controls and are the first to identify potential risks. Their primary function is to ensure that risks are managed appropriately through effective processes and controls.
Second Line of Defense: Risk Management and Compliance
The second line comprises specialized functions that provide oversight and support to the first line. These include risk management, compliance officers, and other control functions. They develop and monitor the implementation of risk management frameworks and compliance policies. Their role is to ensure that the first line effectively reports and manages risks and adheres to regulatory requirements.
Third Line of Defense: Internal Audit
The third line is internal audit, which provides independent assurance to the organization’s board and senior management. Internal auditors evaluate the effectiveness of governance, risk management, and control processes implemented by the first and second lines. They offer an objective perspective and recommend improvements to enhance overall risk management and governance.
Purpose of the Three Lines of Defense Model
The Three Lines of Defense Model clarifies roles and responsibilities in risk management, provides independent assurance through internal audits, and facilitates communication across departments. It supports compliance with regulations and enhances risk reporting, ensuring a resilient and well-coordinated organization.
Below, we identify a few essential purposes of the 3LoD Model:
Clarifying Roles and Responsibilities
One of the core strengths of the 3LoD model is the clarity it brings to risk management roles and responsibilities. By clearly defining who is responsible for what, the model reduces ambiguity and enhances accountability across the organization.
Providing Assurance
The third line of defense—internal audit—serves as a critical checkpoint to ensure that the risk management processes put in place by the first and second lines are not only operational but also effective. This independent assurance function is vital for maintaining stakeholder confidence and regulatory compliance.
Facilitating Communication and Co-ordination
The 3LoD model promotes a culture of collaboration, where different lines of defense work together to identify, assess, and mitigate risks. This coordinated effort helps in building a more resilient organization.
Supporting Compliance
By implementing structured and well-defined risk management processes, businesses can ensure they adhere to regulatory requirements, thereby avoiding penalties and reputational damage.It also ensures a risk-based approach to compliance.
Streamlining Risk Reporting
The 3LoD model provides a structured framework for reporting risks, ensuring that information flows efficiently from the first line (operational management) to the third line (internal audit). This streamlined reporting process enhances the visibility of risks at all organizational levels, enabling timely and informed decision-making.
Three Lines of Defense vs Modern Risk Models
| Parameter | Three Lines of Defense Model | Modern Risk Models |
| Core concept | Separates risk responsibilities into three distinct lines with defined roles | Integrates risk management across functions with shared ownership |
| Structure | Hierarchical with clearly defined boundaries between lines | Flexible and interconnected with fewer rigid boundaries |
| Collaboration | Limited collaboration, often leading to silos between teams | High collaboration with continuous information sharing across functions |
| Role of business units | First line manages risks within day to day operations | Business units are actively involved in risk aware decision making |
| Role of risk and compliance | Provides oversight and monitoring as a separate function | Acts as an enabler, embedding risk practices into business processes |
| Use of technology | Often relies on manual processes and fragmented systems | Uses integrated platforms, automation, and real time risk insights |
| Adaptability | More structured but slower to respond to change | More agile and responsive to evolving risks and business needs |
What are the Benefits of the Three Lines of Defense Model?
The 3LoD Model provides organizations with a structured and efficient approach to risk management. By clearly defining roles and responsibilities, it enhances accountability and ensures that risks are identified, assessed, and managed effectively. Here are some key benefits of adopting this model:
1. Improved Risk Oversight and Governance
With distinct lines of responsibility, organizations can maintain a clear separation between risk ownership, oversight, and assurance. This strengthens governance by ensuring that risks are managed at the appropriate level while leadership maintains strategic control.
2. Enhanced Accountability and Role Clarity
By assigning specific roles to each line, the model reduces ambiguity in risk management functions. The first line owns and manages risks, the second line provides expertise and oversight, and the third line offers independent assurance. This structure ensures that everyone understands their responsibilities, leading to more effective risk mitigation.
3. Stronger Risk Culture and Compliance
A well-implemented 3LoD Model fosters a culture of proactive risk management. It encourages collaboration between teams, strengthens compliance with regulatory requirements, and ensures that policies and procedures are consistently followed.
4. Increased Efficiency in Decision-Making
With clearly defined responsibilities, decision-makers can rely on structured risk assessments and expert insights. This leads to more informed, data-driven decisions that align with the organization’s objectives while minimizing potential threats.
5. Greater Adaptability to Emerging Risks
As business environments evolve, new risks constantly emerge. The Three Lines Model provides a dynamic framework that allows organizations to adapt quickly by ensuring continuous monitoring, assessment, and response to changing risk landscapes.
By leveraging the 3LoD Model, organizations can create a more resilient and well-coordinated approach to risk management, ultimately improving operational stability and strategic success.
Common Challenges in Implementing the Three Lines of Defense Model
Here are some key obstacles companies might face while implementing the three lines of defense model:
Unclear roles and responsibilities
Organizations often struggle to clearly define what each line owns, which leads to overlaps or gaps in risk management. This lack of clarity can dilute accountability and make it harder to manage risks effectively.
Siloed functions and poor collaboration
Limited communication between business, risk, and audit teams can create fragmented views of risk. Without alignment, important insights may not be shared, reducing the overall effectiveness of the model.
Overdependence on the second line
Business units may rely too heavily on risk and compliance teams instead of managing risks within their own operations. This weakens the intent of the model, where the first line is expected to take primary ownership of risk.
Lack of integration with business strategy
Risk management is sometimes treated as a compliance exercise rather than being embedded into strategic decision making. This disconnect can limit its value and reduce its influence on key business outcomes.
Inconsistent control implementation
Controls may be applied unevenly across departments or regions, leading to gaps in risk coverage. Without standardization, it becomes difficult to assess overall control effectiveness.
Limited use of technology and data
Many organizations still rely on manual processes and disconnected tools, which slows down reporting and reduces visibility into risks. This makes it harder to respond quickly to emerging issues.
Resistance to accountability and cultural barriers
Teams may resist taking ownership of risks, especially in environments where accountability is not clearly reinforced. Building a strong risk culture is often one of the most difficult aspects of implementation.
Common Challenges in Implementing the Three Lines of Defense Model
How to Balance Independence and Collaboration?
The three lines, given the clear demarcation of their responsibilities, often end up working in silos. For instance, the first line, comprising operational management, often views the second and third lines as intrusive and obstructive. Conversely, the second line (risk management and compliance) and the third line (internal audit) sometimes struggle to gain the cooperation they need from the first line to function effectively.
Role Ambiguity and Overlap
When roles are not clearly defined, it can lead to confusion, duplicated efforts, and gaps in risk management. Delineating responsibilities for operational management, risk and compliance oversight, and independent assurance is essential for the model to function effectively.
Inadequate Resources and Expertise
Many organizations struggle with allocating sufficient resources - be it financial, technological, or human capital - to support each line of defense. This inadequacy can lead to insufficient risk assessments and ineffective controls, undermining the integrity of the entire risk management framework.
Integration with Existing Processes
Organizations must ensure that the new model complements rather than creates conflicts with existing governance, risk, and compliance (GRC) processes. Achieving seamless integration requires a thorough review and possible re-engineering of current processes, which can be time-consuming and resource-intensive.
Real-World Examples of the Three Lines of Defense Model
Banking institution
Frontline teams such as operations and customer service manage risks in day to day activities, including transaction processing and fraud detection. The risk and compliance function sets policies, monitors regulatory adherence, and tracks risk exposure across products and regions. Internal audit independently reviews these controls, evaluates gaps, and reports directly to the board or audit committee.
Healthcare organization
Doctors, nurses, and administrative staff handle operational and data related risks while delivering patient care. The compliance team ensures adherence to healthcare regulations, patient privacy requirements, and internal policies. Internal audit assesses whether these controls are working effectively, especially around sensitive patient data and clinical processes.
Technology company
Product and engineering teams manage risks related to system reliability, data security, and software development. The security and risk function establishes cybersecurity standards, monitors vulnerabilities, and oversees compliance with data protection regulations. Internal audit provides independent assurance by reviewing security controls, access management, and governance practices.
Best Practices for Modernizing the Three Lines of Defense Model
Here are some tips to ensure an efficient Three Lines of Defense Model.
Enhancing Inter-Departmental Collaboration
Encouraging inter-departmental meetings, joint risk assessments, and shared objectives can help break down silos and foster a more integrated approach to risk management. This collaborative environment ensures that risks are managed more holistically.
Establishing Clear Metrics and KPIs
These metrics should align with the organization's overall risk management objectives and provide actionable insights into the performance of each line of defense. Regularly reviewing these KPIs can help identify areas for improvement and ensure that the model delivers its intended benefits.
Adapting to Emerging Risks
Modernizing the 3LoD model requires flexibility and adaptability to address emerging risks such as cybersecurity threats, data privacy concerns, and geopolitical uncertainties. Organizations should continuously review and update their risk management practices to ensure they are equipped to handle new and evolving risks.
Enhancing the Independence of the Third Line
To maintain the integrity and objectivity of the third line of defense (internal audit), it is crucial to ensure its independence from the first and second lines. This can be achieved by clearly defining reporting structures, providing direct access to the board or audit committee, and safeguarding the internal audit function from any undue influence.
Fostering Real-Time Risk Reporting
Implementing real-time risk reporting mechanisms allows for quicker responses to emerging risks. By integrating real-time data analytics and monitoring tools into the 3LoD model, organizations can gain immediate insights into their risk landscape.
Conclusion
The success of this model hinges on robust communication and collaboration among all three lines. Each line must understand its role and the roles of others, creating a synergy that amplifies the model's effectiveness.
With the right tools and solutions, organizations can manage risks more effectively, drive value, and competently achieve their strategic goals. MetricStream’s Operational Risk Management and Enterprise Risk Management software, with features such as a centralized risk repository, risk identification and assessment, risk monitoring and reporting, policy and compliance management, and continuous control monitoring can help strengthen and streamline the three lines of defense for effective risk management.
The stakes are higher than ever for modern organizations operating in a connected environment where they face unprecedented challenges, from rapidly evolving regulatory demands to increasingly sophisticated cyber threats. So how do they stay on course? How do they ensure that every function aligns with broader strategic goals while still managing risk effectively?
The scale of this challenge is reflected in how much organizations are investing in getting risk and compliance right. The global governance, risk, and compliance market alone is expected to grow from $21.04 billion in 2025 to $23.62 billion in 2026, driven by rising regulatory complexity and the need for stronger risk oversight.
The three lines of defense model addresses this need directly. It serves as a foundational framework for risk management, bringing clarity to accountability, strengthening oversight, and ensuring that risk is managed consistently across the organization.
The Three Lines of Defense (3LoD) is a structured risk management framework that helps organizations define and allocate risk-related responsibilities. By dividing risk management functions into three distinct lines, it enhances clarity, accountability, and overall effectiveness in managing organizational risks.
- Role Differentiation: It separates the responsibilities of operational management (1st line), risk management and compliance (2nd line), and internal audit (3rd line), ensuring that risks are identified, managed, and independently assessed.
- Purpose: The Three Lines of Defense Model clarifies roles and responsibilities in risk management, ensures independent assurance through internal audit, and facilitates collaboration for effective risk mitigation.
- Challenges: Common challenges that can hinder effective risk management. include balancing independence and collaboration among the lines, role ambiguity, and integrating the model with existing processes.
- Modernization: To modernize the model, organizations should enhance inter-departmental collaboration, adapt to emerging risks like cybersecurity, and implement real-time risk reporting to stay ahead of potential threats.
The Three Lines of Defense Model is a structured framework designed to enhance the clarity and effectiveness of risk management across an organization. Initially developed to address complexities in the financial sector, the model has since found applications in various industries, from healthcare to technology. This model delineates responsibilities and ensures a comprehensive risk management, compliance, and governance approach.
First Line of Defense: Operational Management
This line consists of front-line employees and operations managers who own and manage risks. These are the people directly involved in the business's core activities. They implement day-to-day controls and are the first to identify potential risks. Their primary function is to ensure that risks are managed appropriately through effective processes and controls.
Second Line of Defense: Risk Management and Compliance
The second line comprises specialized functions that provide oversight and support to the first line. These include risk management, compliance officers, and other control functions. They develop and monitor the implementation of risk management frameworks and compliance policies. Their role is to ensure that the first line effectively reports and manages risks and adheres to regulatory requirements.
Third Line of Defense: Internal Audit
The third line is internal audit, which provides independent assurance to the organization’s board and senior management. Internal auditors evaluate the effectiveness of governance, risk management, and control processes implemented by the first and second lines. They offer an objective perspective and recommend improvements to enhance overall risk management and governance.
The Three Lines of Defense Model clarifies roles and responsibilities in risk management, provides independent assurance through internal audits, and facilitates communication across departments. It supports compliance with regulations and enhances risk reporting, ensuring a resilient and well-coordinated organization.
Below, we identify a few essential purposes of the 3LoD Model:
Clarifying Roles and Responsibilities
One of the core strengths of the 3LoD model is the clarity it brings to risk management roles and responsibilities. By clearly defining who is responsible for what, the model reduces ambiguity and enhances accountability across the organization.
Providing Assurance
The third line of defense—internal audit—serves as a critical checkpoint to ensure that the risk management processes put in place by the first and second lines are not only operational but also effective. This independent assurance function is vital for maintaining stakeholder confidence and regulatory compliance.
Facilitating Communication and Co-ordination
The 3LoD model promotes a culture of collaboration, where different lines of defense work together to identify, assess, and mitigate risks. This coordinated effort helps in building a more resilient organization.
Supporting Compliance
By implementing structured and well-defined risk management processes, businesses can ensure they adhere to regulatory requirements, thereby avoiding penalties and reputational damage.It also ensures a risk-based approach to compliance.
Streamlining Risk Reporting
The 3LoD model provides a structured framework for reporting risks, ensuring that information flows efficiently from the first line (operational management) to the third line (internal audit). This streamlined reporting process enhances the visibility of risks at all organizational levels, enabling timely and informed decision-making.
Three Lines of Defense vs Modern Risk Models
| Parameter | Three Lines of Defense Model | Modern Risk Models |
| Core concept | Separates risk responsibilities into three distinct lines with defined roles | Integrates risk management across functions with shared ownership |
| Structure | Hierarchical with clearly defined boundaries between lines | Flexible and interconnected with fewer rigid boundaries |
| Collaboration | Limited collaboration, often leading to silos between teams | High collaboration with continuous information sharing across functions |
| Role of business units | First line manages risks within day to day operations | Business units are actively involved in risk aware decision making |
| Role of risk and compliance | Provides oversight and monitoring as a separate function | Acts as an enabler, embedding risk practices into business processes |
| Use of technology | Often relies on manual processes and fragmented systems | Uses integrated platforms, automation, and real time risk insights |
| Adaptability | More structured but slower to respond to change | More agile and responsive to evolving risks and business needs |
The 3LoD Model provides organizations with a structured and efficient approach to risk management. By clearly defining roles and responsibilities, it enhances accountability and ensures that risks are identified, assessed, and managed effectively. Here are some key benefits of adopting this model:
1. Improved Risk Oversight and Governance
With distinct lines of responsibility, organizations can maintain a clear separation between risk ownership, oversight, and assurance. This strengthens governance by ensuring that risks are managed at the appropriate level while leadership maintains strategic control.
2. Enhanced Accountability and Role Clarity
By assigning specific roles to each line, the model reduces ambiguity in risk management functions. The first line owns and manages risks, the second line provides expertise and oversight, and the third line offers independent assurance. This structure ensures that everyone understands their responsibilities, leading to more effective risk mitigation.
3. Stronger Risk Culture and Compliance
A well-implemented 3LoD Model fosters a culture of proactive risk management. It encourages collaboration between teams, strengthens compliance with regulatory requirements, and ensures that policies and procedures are consistently followed.
4. Increased Efficiency in Decision-Making
With clearly defined responsibilities, decision-makers can rely on structured risk assessments and expert insights. This leads to more informed, data-driven decisions that align with the organization’s objectives while minimizing potential threats.
5. Greater Adaptability to Emerging Risks
As business environments evolve, new risks constantly emerge. The Three Lines Model provides a dynamic framework that allows organizations to adapt quickly by ensuring continuous monitoring, assessment, and response to changing risk landscapes.
By leveraging the 3LoD Model, organizations can create a more resilient and well-coordinated approach to risk management, ultimately improving operational stability and strategic success.
Common Challenges in Implementing the Three Lines of Defense Model
Here are some key obstacles companies might face while implementing the three lines of defense model:
Unclear roles and responsibilities
Organizations often struggle to clearly define what each line owns, which leads to overlaps or gaps in risk management. This lack of clarity can dilute accountability and make it harder to manage risks effectively.
Siloed functions and poor collaboration
Limited communication between business, risk, and audit teams can create fragmented views of risk. Without alignment, important insights may not be shared, reducing the overall effectiveness of the model.
Overdependence on the second line
Business units may rely too heavily on risk and compliance teams instead of managing risks within their own operations. This weakens the intent of the model, where the first line is expected to take primary ownership of risk.
Lack of integration with business strategy
Risk management is sometimes treated as a compliance exercise rather than being embedded into strategic decision making. This disconnect can limit its value and reduce its influence on key business outcomes.
Inconsistent control implementation
Controls may be applied unevenly across departments or regions, leading to gaps in risk coverage. Without standardization, it becomes difficult to assess overall control effectiveness.
Limited use of technology and data
Many organizations still rely on manual processes and disconnected tools, which slows down reporting and reduces visibility into risks. This makes it harder to respond quickly to emerging issues.
Resistance to accountability and cultural barriers
Teams may resist taking ownership of risks, especially in environments where accountability is not clearly reinforced. Building a strong risk culture is often one of the most difficult aspects of implementation.
How to Balance Independence and Collaboration?
The three lines, given the clear demarcation of their responsibilities, often end up working in silos. For instance, the first line, comprising operational management, often views the second and third lines as intrusive and obstructive. Conversely, the second line (risk management and compliance) and the third line (internal audit) sometimes struggle to gain the cooperation they need from the first line to function effectively.
Role Ambiguity and Overlap
When roles are not clearly defined, it can lead to confusion, duplicated efforts, and gaps in risk management. Delineating responsibilities for operational management, risk and compliance oversight, and independent assurance is essential for the model to function effectively.
Inadequate Resources and Expertise
Many organizations struggle with allocating sufficient resources - be it financial, technological, or human capital - to support each line of defense. This inadequacy can lead to insufficient risk assessments and ineffective controls, undermining the integrity of the entire risk management framework.
Integration with Existing Processes
Organizations must ensure that the new model complements rather than creates conflicts with existing governance, risk, and compliance (GRC) processes. Achieving seamless integration requires a thorough review and possible re-engineering of current processes, which can be time-consuming and resource-intensive.
Real-World Examples of the Three Lines of Defense Model
Banking institution
Frontline teams such as operations and customer service manage risks in day to day activities, including transaction processing and fraud detection. The risk and compliance function sets policies, monitors regulatory adherence, and tracks risk exposure across products and regions. Internal audit independently reviews these controls, evaluates gaps, and reports directly to the board or audit committee.
Healthcare organization
Doctors, nurses, and administrative staff handle operational and data related risks while delivering patient care. The compliance team ensures adherence to healthcare regulations, patient privacy requirements, and internal policies. Internal audit assesses whether these controls are working effectively, especially around sensitive patient data and clinical processes.
Technology company
Product and engineering teams manage risks related to system reliability, data security, and software development. The security and risk function establishes cybersecurity standards, monitors vulnerabilities, and oversees compliance with data protection regulations. Internal audit provides independent assurance by reviewing security controls, access management, and governance practices.
Here are some tips to ensure an efficient Three Lines of Defense Model.
Enhancing Inter-Departmental Collaboration
Encouraging inter-departmental meetings, joint risk assessments, and shared objectives can help break down silos and foster a more integrated approach to risk management. This collaborative environment ensures that risks are managed more holistically.
Establishing Clear Metrics and KPIs
These metrics should align with the organization's overall risk management objectives and provide actionable insights into the performance of each line of defense. Regularly reviewing these KPIs can help identify areas for improvement and ensure that the model delivers its intended benefits.
Adapting to Emerging Risks
Modernizing the 3LoD model requires flexibility and adaptability to address emerging risks such as cybersecurity threats, data privacy concerns, and geopolitical uncertainties. Organizations should continuously review and update their risk management practices to ensure they are equipped to handle new and evolving risks.
Enhancing the Independence of the Third Line
To maintain the integrity and objectivity of the third line of defense (internal audit), it is crucial to ensure its independence from the first and second lines. This can be achieved by clearly defining reporting structures, providing direct access to the board or audit committee, and safeguarding the internal audit function from any undue influence.
Fostering Real-Time Risk Reporting
Implementing real-time risk reporting mechanisms allows for quicker responses to emerging risks. By integrating real-time data analytics and monitoring tools into the 3LoD model, organizations can gain immediate insights into their risk landscape.
The success of this model hinges on robust communication and collaboration among all three lines. Each line must understand its role and the roles of others, creating a synergy that amplifies the model's effectiveness.
With the right tools and solutions, organizations can manage risks more effectively, drive value, and competently achieve their strategic goals. MetricStream’s Operational Risk Management and Enterprise Risk Management software, with features such as a centralized risk repository, risk identification and assessment, risk monitoring and reporting, policy and compliance management, and continuous control monitoring can help strengthen and streamline the three lines of defense for effective risk management.
Frequently Asked Questions
The Three Lines of Defense (3LoD) model is a framework for managing risk by clearly defining roles and responsibilities across three distinct levels: operational management, risk management and compliance, and internal audit.
The model distinguishes between risk ownership (handled by the first line, operational management) and risk oversight (managed by the second line, such as risk management and compliance teams), ensuring clear accountability at each level.
The first line consists of business units that own and manage risks, the second line includes risk management and compliance functions that oversee and guide risk practices, and the third line is internal audit, which provides independent assurance on risk controls.
The first line actively manages risks in day-to-day operations, the second line monitors and advises on risk policies, and the third line independently audits and assesses the effectiveness of risk management processes.
An internal audit team conducting an independent review of a bank’s risk management framework to ensure compliance with regulatory standards is an example of the third line of defense.
The model provides clear roles and responsibilities for managing risk, strengthens accountability across functions, improves coordination between teams, and enhances oversight through independent assurance.
Common limitations include siloed operations between lines, lack of collaboration, unclear role definitions in practice, and overreliance on internal audit as the primary assurance function.
Yes, but it has evolved. Organizations now adopt a more integrated and collaborative approach, often referred to as the Three Lines Model, to better reflect modern risk management needs.
It supports ERM by structuring how risks are managed and monitored across the organization, with business units managing risks, risk and compliance functions providing oversight, and internal audit offering independent assurance.
The board provides overall oversight, ensures that risk management frameworks are effective, reviews risk reports, and holds management accountable for managing risks appropriately.
The updated Three Lines Model emphasizes collaboration, integration, and value creation. It removes rigid boundaries between lines and highlights the role of governance and leadership in aligning risk management with organizational objectives.
