Explain the three lines of defense model and its role in risk management.
A core Risk & Compliance interview question — asked in analyst and associate interviews across IB, PE, and the Big 4.
THE SHORT ANSWER
The three lines of defense model is a governance framework that clarifies roles in risk management. The first line is operational management, owning and managing risks. The second line includes risk and compliance functions, overseeing and challenging the first line. The third line is internal audit, providing independent assurance. This model ensures clear accountability, avoids conflicts of interest, and strengthens the control environment by segregating risk-taking from oversight and independent review.
WHAT INTERVIEWERS LISTEN FOR
- ✓First line: operational management owns risks
- ✓Second line: risk/compliance oversight and challenge
- ✓Third line: internal audit independent assurance
- ✓Purpose: clear accountability and control segregation
COMMON MISTAKES
- ✗Confusing first and second line roles
- ✗Omitting internal audit as third line
Reading isn't the same as answering under pressure.
Interviewers don't hand you the model answer — you deliver yours on a clock. Practice this and 1,000+ questions with AI feedback on every answer.
RELATED QUESTIONS
- Explain the COSO ERM framework.
- Explain risk appetite versus risk tolerance.
- What is the primary purpose of the ICAAP under Basel?
- What is the purpose of the ICAAP under Basel?
- What is the difference between a risk appetite statement and a risk limit?
- What is the difference between the LCR and the NSFR, and what does each one protect against?