The three lines of defense | KPMG | CA


Making the transition to a mature risk management model.


National Leader, Risk Consulting

KPMG in Canada




Managing risk can be a dramatically different exercise for a company going public. While risk management is practiced at some level in businesses of all types and sizes, the greater the number of stakeholders involved, the greater the need for a mature and transparent risk management model.

Companies in the entrepreneurial and pre-IPO stages are typically “closely held corporations”[1], which are often well managed and controlled but have a primary focus on business/financial risk. Since an IPO diversifies the investor community, risk thresholds need to be re-examined and aligned to meet the scrutiny of underwriters and the company’s more diversified shareholders.

IPO companies should have a well-defined system that allows them to continue to make decisions that impact risk related to their changing strategies. A common and widely accepted method is the three lines of defense framework, which evolved after the 1990s (1995 to 2001) when the demise exposed the sheer breadth and depth of the risk landscape. This framework was designed to help organizations clearly identify the roles and responsibilities of the business units; practice ongoing risk management; and sustain risk management activities.

When applied properly, the three lines of defense create dialogue and analysis that prevent companies from overlooking risk factors that could ultimately cause financial disaster, and allow them to be proactive in how they manage risk within the organization.


[1] See for more information on the definition of a closely held corporation.
