A 2.5 line compliance function is an innovative addition to the traditional Three Lines of Defense (3LOD) model in risk management and compliance. This approach positions a dedicated compliance team between the Second Line (oversight functions) and the First Line (operational/business functions), providing additional oversight, guidance, and support.

2.5 line functions are rapidly becoming a must for highly regulated industries such as banking, healthcare, or energy, where compliance is complex and critical and for larger organizations where multiple business units need consistent compliance implementation across geographies.

At this foundational level, risk and compliance management are in their infancy. The organization operates primarily in a reactive mode—addressing issues as they arise rather than proactively identifying and managing them. There is little to no structure in place to systematically handle risks or ensure compliance with laws and regulations, so risk & compliance management become driven by the 2nd line. 

• The primary role of the 2nd line in is infancy stage is to begin creating awareness across the organization. This includes educating key stakeholders about: 
  • The types of risks the organization faces (strategic, operational, legal, reputational, etc.). 
  • The importance of compliance with applicable laws, industry standards, and internal expectations. 
  • The potential consequences of unmanaged risk (e.g., financial loss, regulatory penalties, reputational damage). 
• While largely reactive, this stage involves capturing and analyzing incidents, control failures, or compliance breaches when they occur. These events serve as valuable learning opportunities and can highlight systemic weaknesses. 
• In many cases, risk and compliance efforts are driven by external demands—such as regulators, auditors, or clients. The organization begins to understand that meeting these requirements is not optional and starts building minimal capability to address them. 
• The role of risk and compliance at this level is not to build complex systems, but to lay the groundwork for structured governance. This includes: 
  • Advocating for leadership buy-in. 
  • Establishing minimal policies and internal controls. 
  • Identifying and logging key risks. 
  • Promoting awareness of regulatory obligations. 
  • Preparing the organization to take its first steps toward a defined and repeatable risk and compliance approach (Level 2). 
• All of the above activities are often initiated as a project. As the organisation matures, risk management responsibilities will gradually be embedded into the second line. 

At this level, the organization begins to recognize the importance of structured risk and compliance management. While still largely compliance-driven and operationally focused, there is a noticeable shift from reactive firefighting to basic process definition, role clarity, and policy development. The organization is laying the foundation for a more integrated and proactive approach in the future. 

• Risk and compliance professionals introduce standardized processes for identifying, assessing, and addressing risks. They ensure that policies are not only documented but also communicated and followed. This supports consistency in decision-making and operations across departments. 
• While still in the early stages, one of the key roles of risk & compliance is to raise awareness and embed risk thinking into day-to-day operations. This includes: 
  • Promoting policy adherence. 
  • Delivering basic training. 
  • Encouraging incident reporting and open communication 

• The organization begins to conduct structured risk assessments—usually at the business unit or process level. Risk registers may be introduced, with risks rated by impact and likelihood. While these assessments are not yet integrated into strategic planning, they begin to inform operational decision-making. 
• Risk and compliance play a critical role in preparing for external audits, regulatory reviews, and certifications. Their work ensures the organization has a documented trail of controls and procedures to demonstrate due diligence and control effectiveness. 
• Most risk & compliance activity at this stage is driven by external requirements, such as industry regulations, contractual obligations, or audit recommendations. The focus is on “ticking the box” rather than using risk as a tool to support business performance. 
• However during this stage, compliance management becomes more than a checklist—it evolves into an active effort to monitor adherence to rules and track non-conformities, leading to defined corrective actions and follow-ups. 
• The organization begins to define governance roles—often appointing compliance officers, risk coordinators, or internal control specialists. These roles may not yet sit at the strategic table but start to build awareness across functions. 
• Foundational governance, risk & compliance policies (e.g., anti-fraud, privacy, code of conduct) are developed and disseminated.  
• Key internal controls are documented and communicated, particularly in high-risk areas such as finance, HR, and IT. 
• The risk & compliance function takes on a more advisory role and begins developing an Risk/Compliance charter, Risk & Compliance plan, and test programmes.  
• Risk assessments and compliance checks may occur annually or in response to audits. However, the process is often manual, spreadsheet-driven, and lacking consistency. 
• The role of risk and compliance at this stage is to solidify foundations and prepare for integration into business decision-making. Priorities include: 
  • Strengthening the risk register and beginning to link it with business objectives. 
  • Enhancing the consistency of control documentation and monitoring. 
  • Standardizing compliance reporting and introducing periodic reviews. \
  • Gaining leadership support to elevate risk and compliance into governance and performance discussions. 
  • Exploring automation tools and platforms to reduce manual workload and improve insight quality. 

• Technology can accelerate the achievement of this maturity level, enhance collaboration between the lines, and make the risk management process more efficient. 

At this maturity level, the role of risk and compliance shifts toward strategic enablement, operational alignment, and continuous improvement: 

• Risk and compliance leaders are now embedded in business planning cycles, change initiatives, and investment decisions. They help anticipate future risks, evaluate the risk-return balance of new ventures, and ensure controls are proportionate to objectives. 
• The focus turns to driving process consistency, control effectiveness, and efficiency. Risk and compliance teams help streamline business processes by identifying control redundancies or inefficiencies and using technology and data to optimize compliance efforts. 
• Rather than simply reacting to incidents, the organization builds the capacity to predict and mitigate emerging risks. It uses scenario planning, trend monitoring, and horizon scanning. Cyber risk, ESG risk, and third-party risk become key areas of attention. 
• The risk and compliance culture becomes more visible. Managers at all levels are aware of their responsibilities and take ownership of compliance within their teams. There is an emphasis on ethical behavior, transparency, and proactive issue escalation. 
• The “Three Lines of Defense” model is actively practiced. Risk and compliance functions work closely with internal audit to validate control effectiveness and provide a cohesive picture to leadership. 
• To move toward the highest maturity level, organizations must: 
  • Deepen integration of risk with strategic planning and performance management. 
  • Automate key control monitoring and risk reporting. 
  • Use real-time data and predictive analytics to anticipate and act on risk early. 
  • Strengthen the use of insights from internal audit, compliance testing, and external intelligence. 
  • Foster a learning culture where risks and failures drive innovation and resilience. 

At Maturity Level 4, the organization operates as a highly mature, resilient, and risk-intelligent enterprise. In this environment, the Second Line of Defense—which includes risk management, compliance, internal control, and related functions—evolves far beyond a monitoring or advisory role. It becomes a strategic partner, a real-time enabler of business decision-making, and a central actor in driving performance, integrity, and long-term value creation. 

• The second line at this level functions within a fully integrated governance ecosystem. It works closely with the first line (business units and operations) and the third line (internal audit), supported by technology, real-time data, and a culture of ownership and accountability. 
• Rather than acting as a bottleneck, the second line enables speed with control. It provides guardrails—not roadblocks—so that the organization can move fast without losing sight of regulatory, reputational, and ethical boundaries. 
• The second line advises on risk, compliance, and control at the earliest stages of decision-making—during strategic planning, innovation, investments, and transformation. 
• It brings forward-looking insights to executive discussions, helping leadership evaluate risks associated with new markets, ESG goals, M&A activities, digitalization, and more. 
• This advisory role is data-driven, leveraging predictive analytics, AI tools, and risk simulations to enable better choices—not just safer ones. 
• The second line maintains and continuously improves the enterprise-wide frameworks for: 

risk management, compliance, internal control, policy governance, ethics and integrity programs.These frameworks are no longer static documents. They are digitally enabled, automated where possible, and integrated into operational systems so that compliance and risk responses are part of the daily workflow. 

• Leveraging automated controls, real-time dashboards, and exception alerts, the second line tracks key indicators across the enterprise. 
• It moves from periodic reviews to continuous monitoring, enabling early detection of control breaches, emerging risks, or shifts in risk profiles. 
• Controls are designed to be adaptive, adjusting in response to dynamic business and risk environments. 
• The second line facilitates a risk-aware culture by empowering the first line with tools, training, and support. 
• It provides clear guidance without taking away ownership. In this model, business leaders understand that they are responsible for managing their own risks—with the second line acting as an enabler, coach, and quality assurer. 
• Compliance is no longer something imposed—it is something internalized. 
• One of the most critical functions is consolidating risk intelligence across silos into a coherent enterprise view.The second line synthesizes input from operational units, external sources, internal audit findings, and analytics platforms to present actionable insights to the board, audit committee, and regulators. 
• Reporting is strategic, transparent, and continuous, shifting the dialogue from “What went wrong?” to “Where are we exposed?” and “How can we stay ahead?” 
• The second line acts as a bridge between the board and the business, coordinating among functions such as legal, finance, IT security, procurement, and operations to ensure alignment with risk and compliance expectations. 
• It supports the board’s oversight role with scenario modeling, control assurance, and dynamic risk updates—enabling faster, more confident responses to emerging challenges.