6.5.1 Three lines of defense
Three lines of defense
The Group follows “Three Lines of Defense Model” to provide a simple and effective way to enhance communication on ORM and control by clarifying essential roles and duties. The model provides a fresh look at operations, helping to assure the ongoing success of ORM initiatives
The three lines of defense are summarized below:
The first line of defense owns the risks and is responsible for identifying, recording, reporting and managing them, and ensuring that the right controls and assessments are in place to mitigate them.
The second line of defense sets the policy and guidelines for managing specific risk areas, provides advice and guidance in relation to the risk, and monitors the first line of defense on effective risk management.
The third line of defense is the Group’s Internal Audit function, which provides independent and objective assurance of the adequacy of the design and operational effectiveness of the Group’s risk management framework and control governance process.