Skip to main content

Three Lines of Defense

The three lines of defense approach to risk management begins with the principle that everyone ‒ no matter their role in the organization ‒ is a risk manager. By adhering to this principle and following the organization’s risk management policies and procedures, DTCC is best positioned to execute on its strategy and meet its objectives while staying within established risk tolerances, and when necessary, to quickly address and mitigate risk if any tolerance is breached.

  • Front Line, Control & Assurance

    Managing Risk Overview: Governance Structure

  • The First Line of Defense

    The first line of defense is comprised of the various business lines and supporting functional units including Product Management, Operations, Information Technology and other areas critical to DTCC’s daily operations and functioning. Their mandate is to manage risk proactively on a day-to-day basis.

  • The Second Line of Defense

    The second line of defense is comprised of DTCC’s control functions, including the General Counsel’s Office, Privacy Office, Compliance and areas that fall within the Group Chief Risk Office. Their mandate is to provide advice and guidance to the first line of defense for adhering to established risk standards and/or to monitor compliance with those standards.

  • The Third Line of Defense

    The third line of defense is the Internal Audit Department (IAD). IAD provides an independent and objective view to assist in the organization’s maintenance of effective risk management and control practices. IAD’s mission is to challenge the adequacy of the organization’s control environment.

Three Lines of Defense Thumbnail
dtccdotcom