Risk management in many organizations is mired in a framework that can’t keep pace with the challenges that most enterprise risk teams face. It needs to be modernized.
That’s the verdict that senior analysts Cody Scott and Alla Valente handed down in a recent Forrester Research blog that’s critical of the Three Lines of Defense (3LOD) approach, which is widely used to assess organizational risk.
“Conventional means of managing risk haven’t kept pace with the demand, velocity, or pressure that most enterprise risk teams face,” the analysts wrote.
“Worse yet,” they continued, “many governance, risk, and compliance programs hyperfocus on compliance, completely ignore risk, and scramble to stand up governance for every new emerging risk, technology, or threat. The 3LOD model is not built to solve this. “
They explained that 3LOD was developed as a corporate governance framework to implement segregation of duties requirements under the 2002 Sarbanes-Oxley Act (SOX). Then, in 2013, the Institute of Internal Auditors (IIA) promoted it as a solution to enhance risk management. “But as anyone who has tried to implement it as a foundation for enterprise risk management will tell you, the 3LOD is not a model for managing risk,” the analysts wrote.
Rigid Framework
The framework is designed to meet the compliance requirements set by SOX, not deal with business risks, noted Ian Amit, founder and CEO of Gomboc, a provider of automated cloud infrastructure security solutions in New York City.
“It’s not adaptive enough to work for most modern organizations, where reporting lines and hierarchy aren’t as rigid as they used to be in 2000,” he told TechNewsWorld.
“The 3LOD framework is a fairly old approach that the financial sector used and likely still does,” added Brian Betterton, practice director for risk and strategic services at GuidePoint Security, a cybersecurity services provider in Herndon, Va.
“3LOD is not what I would call a modern approach, but some like it as it creates separation and thus splits risk management across three functions,” he told TechNewsWorld. “To me, 3LOD is more of an audit approach than a risk one.”
He also pointed out that because of the audit nature of its controls, it has a point-in-time focus and not the continuous approach found in solutions focusing on business risk.
Compliance Trumps Risk
Many risk management programs are hyper-focused on compliance over actual risk for a number of reasons.
“Traditional risk management approaches tend to focus on compliance — passing the audit and checking the boxes — rather than actual business risk,” Amit said. “These approaches are often taken by organizations with leadership more concerned with preserving the current status quo than driving revenues or innovation.”
“Often risk management programs focus more on compliance because it’s tangible and tied to clear goals,” added Nicole Sundin, CPO of Axio, a cyber risk management company in New York City.
“Compliance work is usually linked to a business objective or external requirement,” she told TechNewsWorld. “In this context, compliance becomes a point-in-time effort aimed at meeting a specific business need, rather than an ongoing process of identifying and mitigating evolving risks.”
In addition, most risk management programs are driven by compliance goals, added Chandrasekhar Bilugu, CTO of SureShield, a security, compliance, and integrity management software company, in Atlanta. “Organizations seldom take up risk management as an independent process disconnected from compliance mandates, as it would lack the necessary executive sponsorship,” he told TechNewsWorld.
Heath Renfrow, CISO and co-founder of Fenix24, a disaster recovery and restoration company in Chattanooga, Tenn., asserted that compliance-driven risk management programs are nothing more than paper drills with no sound way of quantifying the risks for senior executives to make risk-based decisions. “You cannot manage risks that you do not understand,” he told TechNewsWorld.
Betterton noted that in less mature organizations, risk management programs tend to focus on compliance over risk. “Less mature organizations are viewing compliance as their main risk and, in turn, missing all of the risks they may have,” he said.
Meeting compliance requirements is also easier for many organizations than assessing security needs. “Compliance means that you are complying with a rule or a regulation that must be followed. There are clear definitions of what must be followed,” explained Ira Winkler, CISO at CYE, a cybersecurity optimization company in Tel Aviv, Israel.
“However, what it means to be secure varies greatly,” he told TechNewsWorld. “If you have no idea what security means for your organization, while you do have a clear definition of what it means to be compliant, you are obviously first going to achieve compliance because it is hard to be secure when you don’t exactly understand what that means.”
Foundation of Modern Risk Management
Scott and Valente cited three pillars for a modern approach to risk management.
The approach must be dynamic and able to deal with risk in three dimensions: systemic risk external to the organization and beyond its control; ecosystem risk external to the organization but within varying degrees of control, such as third-party and supply chain risk; and enterprise risks internal to the organization and directly controllable, such as cybersecurity and financial risk.
Further, the approach must be continuous because risks and opportunities evolve over time. Point-in-time, static risk assessments don’t reflect reality, the analysts explained. Instead, teams require a continuous process to identify risk context, assess it as plans and objectives develop, make decisions, and monitor the results.
The approach must also recognize that cyber risk is business risk. The analysts noted that typically, the chief risk officer selects the risk management model, while the CISO needs to ensure that the model is functional for the organization’s cybersecurity needs. Without working in lockstep, security, and risk pros are stuck living in fear from audit to audit while foreseeable, preventable risk events materialize repeatedly.
“The chief risk officer and chief information security officer need to be on the same page when implementing a risk framework because both are responsible for identifying and addressing different aspects of risk within the organization,” Sundin observed.
“The CRO typically focuses on overall business and operational risks, while the CISO focuses on cybersecurity risks. However, both roles have overlapping responsibilities when it comes to managing risk, and their teams possess crucial insights that must be shared to effectively address and mitigate risks.”
“Collaboration between the CRO and CISO ensures a holistic approach to risk management, enabling the organization to proactively identify, assess, and resolve potential threats across all domains,” she said. “When their efforts are aligned, it fosters a unified, comprehensive risk strategy that reduces vulnerabilities and enhances the overall resilience of the business.”
Forrester’s Model
Scott and Valente also touted Forrester’s continuous risk management model, which they hailed as “a blueprint for holistic risk management.”
Forrester’s approach isn’t completely new, Amit noted. “It mimics how modern organizations manage risk,” he said.
“The introduction of tools that allow an organization to get more frequent data points on its internal controls and processes, as well as external threats, allow for more granular risk management that is more continuous than periodical,” he explained.
He also pointed out that the audit and compliance requirements force organizations to implement more continuous evidence-gathering and controls, which allow them, in turn, to practice more pronounced risk management on an ongoing basis.
Fundamentally, people need to understand what risk management and security are, Winkler advised. “The definition of security is being free from risk, and you can never be free of all risk.”
“Security professionals need to understand that their job is essentially risk management, which involves making the best decisions to optimize their spend compared to the amount of the potential loss,” he continued. “This requires good decision science and mathematical tools to help. This will drive their work from being an art to a science.”