Global regulators agree there is a need to strengthen governance in financial firms. The failure of boards and senior management to consider the risks inherent in their pre‐crisis strategies is widely accepted as a crucial factor in the costly meltdown whose consequences continue to be felt. Regulators have tried to strengthen governance mechanisms and, in particular, have recommended a “three lines of defence” model to embed risk management throughout financial firms. Yet while this model is now in use across the financial sector in many countries, its origins are opaque, and its effectiveness untested. Some argue that diffusing the responsibility for risk management in this way in fact reduces accountability and effectiveness. And there is little external validation of the controls firms put in place. Does the three lines of defence system provide a false sense of security? Does it need to be rethought, or can it be enhanced?