Stop Defending The Three Lines Of Defense
3LOD Is Risk Management’s Single Biggest Bottleneck
It’s not you; it’s the model! The three lines of defense (3LOD) concept was initially developed as a corporate governance framework to implement segregation of duties requirements under the 2002 Sarbanes-Oxley Act. And in 2013, the Institute of Internal Auditors (IIA) promoted it as a solution to enhance risk management. But as anyone who has tried to implement it as a foundation for enterprise risk management will tell you, the 3LOD is not a model for managing risk. Instead, it defines, with ample rigidity, the roles required to comply with segregation of duties requirements. This division is conceptually simple but does not match the operating model at most organizations. For example, the first and second lines get blurred due to complex management structures that perpetuate silos, misalign incentives, and turn “risk management” into a compliance review gate.
Stop Turning RISK Into A Dirty Four-Letter Word
Conventional means of managing risk haven’t kept pace with the demand, velocity, or pressure that most enterprise risk teams face. Worse yet, many governance, risk, and compliance programs hyperfocus on compliance, completely ignore risk, and scramble to stand up governance for every new emerging risk, technology, or threat. The 3LOD model is not built to solve this. Some of the top reasons why we need a modern approach are that:
- Risk is dynamic. Risk is intrinsically linked to every decision we make, yet it’s difficult to predict because it’s uncertain and interconnected. Risk originates in three dimensions: 1) systemic risk is external to the organization and beyond its control (e.g., climate, geopolitics); 2) ecosystem risk is external to the organization but within varying degrees of control (e.g., third parties, supply chain); and 3) enterprise risk is internal to the organization and directly controllable (e.g., cybersecurity, financial risk).
- Risk is continuous. Risks and opportunities evolve over time. Point-in-time, static risk assessments don’t reflect reality. Instead, teams require a continuous process to identify risk context, assess it as plans and objectives develop, make decisions, and monitor the results.
- Cyber risk is business risk. Today, technology powers every business process, which makes cyber risk a business risk. Typically, the chief risk officer and/or enterprise risk function selects the risk management model, while the CISO needs to ensure that the model is functional for the organization’s cybersecurity needs. Without working in lockstep, security and risk pros are stuck living in fear from audit to audit while foreseeable, preventable risk events materialize repeatedly.
Introducing Forrester’s Continuous Risk Management Model
Many orgs today do aspects of risk management — such as conducting assessments, implementing controls, remediating gaps, and/or reporting on progress — but they lack a defined lifecycle approach. This results in piecemeal tasks that create a false sense of assurance, poor stakeholder engagement, misused resources, and missed opportunities. The Forrester Continuous Risk Management Model is a blueprint for holistic risk management. Drawing on best practices in risk, strategy, and project management, the model outlines eight sequential phases (four pertaining to strategic planning and four related to business performance) that integrate key stakeholders, processes, data, and feedback for a value-based risk management approach. Forrester’s model equips teams with a framework to formalize their current risk management work, identify enhancements, and chart a path to maturity, because it:
- Bridges the gap between risk strategy and business performance. Strategy and performance are essential components of risk management, but risk teams struggle to integrate them. Why? They’re complex, context-sensitive, and require commitment across multiple layers of the business. Yet without them, business leaders lack the right insights and can’t be sure that they will meet their objectives, while risk and operations teams struggle to meet changing operational priorities.
- Is domain-agnostic, creating consistent risk management across the org. Risk pros can apply it within any area that requires risk and compliance management, such as information security, operational, third-party, and emerging risks. It provides a basis for standardization and consistency in the risk management process as well as for a common risk taxonomy across all risk management functions.
- Anchors itself to the pursuit of value. Risk management must consider the upside, not only the downside risk. Forrester’s model enables risk pros to accelerate their organization’s pursuit of value by establishing the appropriate context, evaluating trade-offs, and supporting decision-making that accelerates, rather than impedes, growth, innovation, and resilience.
- Creates on- and offramps for strategic decisions. Strategic decisions don’t always follow a linear path. In fact, opportunity or tragedy is just as much a part of timing as circumstance. In Forrester’s model, the risk decision is the initial approval, and the change management decision accounts for ongoing feedback and creates an onramp and offramp for investments and initiatives before they go horribly wrong or before the opportunity passes by.
For an in-depth look at the model, Forrester clients can check out our report, No More Blurred Lines: Introducing Continuous Risk Management, and schedule an inquiry or guidance session with us to discuss how continuous risk management will benefit you.
Learn More At The Security & Risk Summit
If you want to learn more about continuous risk management and our new model, check out the agenda for our upcoming Security & Risk Summit, December 9–11 in Baltimore. Alla and I will be copresenting a keynote entitled “The Continuous Risk Revolution Is Here. Down With The Three Lines Of Defense!” See the agenda for more details, and we hope to see you in Baltimore.