Answers / Risk & Compliance

Explain the three lines of defense model and its role in risk management.

A core Risk & Compliance interview question — asked in analyst and associate interviews across IB, PE, and the Big 4.

THE SHORT ANSWER

The three lines of defense model is a governance framework that clarifies roles in risk management. The first line is operational management, owning and managing risks. The second line includes risk and compliance functions, overseeing and challenging the first line. The third line is internal audit, providing independent assurance. This model ensures clear accountability, avoids conflicts of interest, and strengthens the control environment by segregating risk-taking from oversight and independent review.

WHAT INTERVIEWERS LISTEN FOR

  • First line: operational management owns risks
  • Second line: risk/compliance oversight and challenge
  • Third line: internal audit independent assurance
  • Purpose: clear accountability and control segregation

COMMON MISTAKES

  • Confusing first and second line roles
  • Omitting internal audit as third line

Reading isn't the same as answering under pressure.

Interviewers don't hand you the model answer — you deliver yours on a clock. Practice this and 1,000+ questions with AI feedback on every answer.

TRY QUICKFIRE →Or train full Risk & Compliance case simulations →

RELATED QUESTIONS