Source · Select Committees · Public Accounts Committee

Recommendation 7

Conclusion
The three lines of defence model of risk management, widely used in the private sector, sets out what the Orange Book characterises as a “simple and effective way to help delegate and coordinate risk management roles and responsibilities within and across the organisation”.8 Under the first line of defence, management has primary ownership, responsibility and accountability for identifying, assessing and managing risks. The second line of defence consists of functions, such as organisations’ risk and compliance teams, that monitor and facilitate the implementation of effective risk management practices and facilitate risk reporting. Internal audit forms the third line of defence. The Cabinet Office expressed support for the three lines of defence model and told us that it plans to carry out a pilot in 2022 to strengthen the third line of defence by introducing audits or assessments of departments’ planning for emergencies.9