
second line of defence

2LoD · second line · risk and compliance function

The risk-management and compliance function in the three-lines-of-defence governance model, sitting between the business units that own and take risk (first line) and internal audit that independently assures the system (third line). It sets policy, monitors limits, and challenges the first line's risk-taking.

How it works

The three-lines-of-defence model partitions accountability: the first line (business/operations) owns risks day-to-day; the second line (risk management, compliance) sets the control framework, defines risk appetite, and independently challenges; the third line (internal audit) provides objective assurance to the board. The second line advises and oversees; it does not own risk.

Why it matters now

As banks and asset managers deploy agentic AI and machine-learning systems faster than control frameworks can adapt, the second line is — by its own admission — structurally behind the technology it is meant to govern, creating a widening gap between deployed model risk and the oversight capacity to constrain it.

Example

A global bank rolls out an AI-driven trading workflow built by the front-office (first line). The second line — model-risk management and compliance — is tasked with validating the model, setting usage limits, and monitoring drift. But where the first line ships agentic tooling in weeks and the second line's validation cycle runs months, oversight lags deployment, leaving live exposure that the control function has not yet fully assessed.

Frequently asked

What is the second line of defence?

The second line of defence is the risk-management and compliance function within a financial institution's governance model. It sits between the first line (business units that own and take risk) and the third line (internal audit). The second line sets the control framework, defines risk appetite, monitors limits, and independently challenges the first line's risk-taking without owning the underlying risks itself.

What are the three lines of defence?

The three lines of defence are a governance model partitioning risk accountability into three layers. The first line is the business and operational units that own and manage risk daily. The second line is risk management and compliance, which sets policy and oversees the first line. The third line is internal audit, providing independent assurance to the board and senior management.

How does the second line differ from the first line of defence?

The second line of defence oversees and challenges risk, while the first line owns and takes it. First-line business units make the trades, originate the loans, and run operations that generate risk. The second line (risk and compliance) sets the framework, defines limits, and independently monitors whether the first line is operating within appetite, but does not itself originate the exposures.

Why does the second line of defence struggle with AI and model risk?

The second line of defence struggles with AI because validation and oversight cycles run slower than the first line's deployment of machine-learning and agentic systems. Where front-office teams ship AI tooling in weeks, model-risk validation can take months, leaving a structural gap between live exposure and the control function's capacity to assess and constrain it.

By The Ledger Desk · Last reviewed 2026-06-07