Carnegie Mellon University

Governance Structure - Three Lines of Defense

First Line of Defense

The first line of defense owns and manages risks. Contrary to how risk management is often perceived, individual risks and the controls that mitigate them are not owned by risk or compliance professionals. Rather, operational management and senior leadership are responsible for ongoing activities that include:
  • Owning and managing risks.
  • Identifying, assessing and mitigating risks.
  • Implementing corrective actions.
  • Implementing and maintaining internal controls.
  • Conducting evaluations of internal controls.
  • Executing risk and control procedures on a daily basis.

Second Line of Defense

The second line of defense oversees risks. Risk-related functions, including Enterprise Risk Management, sit at this line of defense. Functions of the second line of defense include:
  • Ensuring that operational management and senior leadership are implementing effective risk management practices.
  • Assisting risk owners with risk evaluation by taking into account the institution’s risk appetite.
  • Helping risk owners report risk-related information throughout the institution.
  • Providing updates on the status of risk and resiliency to executive management and the Board of Trustees Audit Committee.

Third Line of Defense

The third line of defense provides independent assurance. Internal Audit forms the third line of defense, and provides assurance on the effectiveness of governance, risk management, and internal controls. It assesses the effectiveness of the first and second lines of defense in achieving risk management objectives, and the effectiveness of the risk management and internal control framework.