# Three Lines of Defence Policy

| Field | Value |
|---|---|
| Code | GOV-003 |
| Domain | Governance & Accountability |
| Owner | Chief Risk Officer |
| Status | Draft |
| Applicability | Platform |
| Jurisdiction | NZ + AU |
| Business domain | BD10 |
| Review date | 2027-03-25 |

Regulations: APS 510 · DTA Governance Standard
## Purpose
Govern the platform's three lines of defence model — defining the responsibilities, independence requirements, and reporting obligations of each line across NZ and AU operations.
## Scope
All staff, functions, and systems of the platform in NZ and AU that bear risk ownership, risk oversight, or independent assurance responsibilities.
## Policy statements
The platform SHALL operate a three lines of defence model. The first line comprises all business and operational functions that own and manage risk as part of their day-to-day activities. The second line comprises the risk management and compliance functions that provide oversight, challenge, and policy. The third line is the internal audit function, providing independent assurance to the Board.
Each first-line function SHALL maintain documented risk ownership for the risks arising from its activities. First-line risk owners SHALL implement and operate controls in accordance with second-line policies and standards, and SHALL escalate control failures promptly.
The second line SHALL be independent of the first line in reporting structure. The Chief Risk Officer and Chief Compliance Officer SHALL not report to a first-line business leader. The second line SHALL have the authority to challenge and escalate first-line risk management decisions.
The second line SHALL maintain risk policies, standards, and frameworks that define the minimum control requirements for each material risk domain. First-line functions SHALL comply with these requirements and seek second-line approval before material departures.
The third line (internal audit) SHALL be independent of both the first and second lines in reporting structure. The Head of Internal Audit SHALL report functionally to the Board Audit Committee. Internal audit SHALL have unrestricted access to all functions, systems, and records.
Material risk events that breach the risk appetite SHALL be escalated from the first line to the second line immediately on detection. The second line SHALL assess the breach, initiate remediation, and escalate to the Board Risk Committee as required by the Risk Appetite Statement Policy (GOV-002).
The three lines of defence model SHALL be assessed for effectiveness annually by the CRO and reviewed by the Board Risk Committee. The assessment SHALL include evaluation of independence, resourcing, and capability gaps.
## Satisfying modules

| Module | Name | Mode | Description |
|---|---|---|---|
| MOD-063 | Notification orchestration | LOG | All customer communications are logged with content, channel, timestamp, and delivery status for audit purposes. |
| MOD-168 | Maker-checker enforcement engine | CHECKER | The enforcement engine is the platform-wide implementation of the three-lines-of-defence second-line control: every consequential back-office command above TIER-1 requires a second authorised reviewer before execution, with self-approval blocked at the database layer. |
| MOD-177 | SD06 risk dashboard renderer | CHECKER | Consequential back-office actions (model parameter overrides, change control approvals) are submitted as MOD-168 proposals requiring a second authorised reviewer before execution, with self-approval blocked at the database layer. |
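The MOD-168 row describes a maker-checker control whose self-approval block lives in the database rather than in application code. The following is an added illustration of that pattern, written for this page and not taken from the platform or from MOD-168 itself: a constructed SQLite schema (table and column names, the `reviewers` table, and the TIER-1 cut-off rule are assumptions for the example) in which CHECK constraints and a trigger make it impossible to record the proposer as their own approver or to record an unauthorised reviewer, no matter what the calling code does.

```python
import sqlite3

# Constructed schema for illustration only. The CHECK constraints and the
# trigger are what enforce the second-line control at the database layer.
SCHEMA = """
CREATE TABLE reviewers (
    user_id    TEXT PRIMARY KEY,
    authorised INTEGER NOT NULL CHECK (authorised IN (0, 1))
);

CREATE TABLE proposals (
    id          INTEGER PRIMARY KEY,
    command     TEXT    NOT NULL,
    tier        INTEGER NOT NULL CHECK (tier >= 1),
    proposer_id TEXT    NOT NULL,
    approver_id TEXT,
    status      TEXT    NOT NULL DEFAULT 'PENDING'
                CHECK (status IN ('PENDING', 'APPROVED')),
    -- The database itself refuses a proposer approving their own proposal.
    CHECK (approver_id IS NULL OR approver_id <> proposer_id),
    -- APPROVED is only reachable once an approver has been recorded.
    CHECK (status <> 'APPROVED' OR approver_id IS NOT NULL)
);

-- Only an authorised reviewer may be recorded as the approver.
CREATE TRIGGER require_authorised_reviewer
BEFORE UPDATE OF approver_id ON proposals
WHEN NEW.approver_id IS NOT NULL
 AND NEW.approver_id NOT IN (SELECT user_id FROM reviewers WHERE authorised = 1)
BEGIN
    SELECT RAISE(ABORT, 'approver is not an authorised reviewer');
END;
"""


def open_db() -> sqlite3.Connection:
    """Create an in-memory database carrying the maker-checker schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_reviewer(conn: sqlite3.Connection, user_id: str, authorised: bool = True) -> None:
    """Register a user; only authorised=True users may act as the second reviewer."""
    conn.execute("INSERT INTO reviewers VALUES (?, ?)", (user_id, int(authorised)))


def propose(conn: sqlite3.Connection, command: str, tier: int, proposer_id: str) -> int:
    """First line (the maker) records a consequential command as a proposal."""
    cur = conn.execute(
        "INSERT INTO proposals (command, tier, proposer_id) VALUES (?, ?, ?)",
        (command, tier, proposer_id),
    )
    return cur.lastrowid


def approve(conn: sqlite3.Connection, proposal_id: int, approver_id: str) -> bool:
    """Second reviewer (the checker) approves. Returns False when the database
    rejects the update, i.e. self-approval or an unauthorised approver."""
    try:
        conn.execute(
            "UPDATE proposals SET approver_id = ?, status = 'APPROVED' WHERE id = ?",
            (approver_id, proposal_id),
        )
        return True
    except sqlite3.DatabaseError:
        # CHECK violation or trigger RAISE(ABORT): the row is left untouched.
        return False


def may_execute(conn: sqlite3.Connection, proposal_id: int) -> bool:
    """Assumed rule from the module description: TIER-1 commands run on the
    maker's authority alone; anything above TIER-1 needs an APPROVED row."""
    row = conn.execute(
        "SELECT tier, status FROM proposals WHERE id = ?", (proposal_id,)
    ).fetchone()
    if row is None:
        return False
    tier, status = row
    return tier <= 1 or status == "APPROVED"


if __name__ == "__main__":
    db = open_db()
    add_reviewer(db, "alice")
    add_reviewer(db, "bob")
    pid = propose(db, "override model parameter", 2, "alice")
    print("self-approval accepted:", approve(db, pid, "alice"))   # False
    print("peer approval accepted:", approve(db, pid, "bob"))     # True
    print("may execute:", may_execute(db, pid))                   # True
```

The point of placing the rules in the schema is that an application bug, a direct database session, or a script run by the maker all hit the same refusal; the application-level `approve()` wrapper only reports what the database decided.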
Compiled 2026-05-22 from source/entities/policies/GOV-003.yaml