Organizations have made significant progress in technology and cybersecurity over the past years, as reflected by the 27% drop in the number of successful breaches in 2021, but cyber threats are growing in complexity and precision, with $5.85 million as the average total cost of a data breach in the financial sector in 2022.
Accenture’s Global Risk Study of 2021 found that risk leaders within the insurance sector today recognize that complex, interconnected new risks are emerging at a more rapid pace than ever before.
The key risks that are front and center for risk leaders globally (only 30% of whom are satisfied with their progress in proactively identifying and defining new risks) are:
- Operational risks prevalent in organizations (e.g., cyber-attacks, processes, people, systems, external events, project risks, etc.).
- Pandemics and infectious diseases.
- Disruptive technology risk (i.e., Cloud/Microservices, Blockchain, integrating AI, internet of things, quantum computing, etc.).
- Strategic risks (i.e., disruptive market entrants/business models e.g., crypto currencies, insurtech, DeFi etc.).
- Data/privacy breach (including ransomware).
On a parallel track, the global regulatory landscape is continuously evolving, especially in the banking sector, where the OCC (Office of the Comptroller of the Currency) and federal bodies such as the FFIEC (Federal Financial Institutions Examination Council) are adding scrutiny to technology and cyber risk management. Similar actions are underway for insurance, healthcare, hi-tech and consumer product organizations, with EIOPA’s (European Insurance and Occupational Pensions Authority) security and ICT (Information and Communication Technology) risk management guidelines and the DORA (DevOps Risk Assessment) framework pressuring organizations to accelerate their journey toward cyber resiliency.
After years of investment in consolidating the first line of defense, organizations are now turning their focus to the second line to find the optimal role of the risk function in cyber risk management.
But let’s first understand the three lines of defense model. It was introduced in the 2008-10 timeframe by the Federation of European Risk Management Associations (FERMA) and the European Confederation of Institutes of Internal Auditing (ECIIA), and was quickly adopted by the Federal Reserve Bank in the United States of America to manage the risks and compliance requirements of systemically important financial institutions. The conceptual framework was soon adopted by other industry verticals, especially insurance, healthcare, life sciences and consumer products.
While the 3LOD (three lines of defense) framework is widely acknowledged and understood across industries as the preferred governance model for risk management, its implementation varies in form and maturity. Today, many organizations across industry verticals such as insurance, energy, consumer business and healthcare have implemented a similar model in some form to clarify accountabilities for technology/cyber risk management and compliance requirements: the first line, or business units, take accountability for business processes, products, applicable risks and compliance requirements, including shared services functions such as technology, cybersecurity and cloud; the second line, or enterprise risk management function, becomes the governance, oversight, review and credible challenge function for the first line; and the third line becomes an independent audit function that verifies and validates both the first and second lines of defense.
With the changing regulatory landscape and organizational growth trajectories, the responsibilities and accountabilities of the first line of defense (business units/tech/cyber) are fast becoming overbearing at all levels, including governance, process, procedures, talent/skills, metrics and reporting. In addition, the risks related to technology, cybersecurity, cloud and, to some extent, operational resilience are transforming in real time to address these changes, with more advanced and sophisticated attacks plaguing organizations, including those arising from the current situation in Ukraine. As a result, the reliance on better risk telemetry and control effectiveness is becoming ever more pressing. This is giving rise to a ‘new’ independent line of defense segment, inserted between the first and second lines of defense, specifically for independently managing risks related to technology, cyber and cloud (refer to Figure #1 below).
In response, some organizations are re-branding and re-positioning their Independent or Operational Risk Management (IRM) function from the second line of defense to this new line of defense for more effective and efficient management of technology risks.
At the outset, this may seem a trivial change made for cost re-allocation; but let’s take a closer look at the drivers and trends:
- Effective challenge function for the second line of defense: under normal circumstances, we tend to think that the third line of defense, the independent audit function, would play that role. However, advisory and consultative services are not in its remit; it can only conduct an audit and provide a list of audit observations. This ‘new’ line of defense segment gives the second line of defense the opportunity to be the ‘true’ review and challenge function.
- Talent and skills: there have been instances of internal poaching of talent and skills between the first and second lines of defense. Undoubtedly, skills and talent are a perennial problem; as a temporary respite, this new line of defense segment provides subject- and topic-specific center of excellence models for managing technology, cloud and cyber risks and controls.
- Fostering technology and business growth: as organizations continue to grow in size and scale, new risks are introduced and are sometimes missed by the second line of defense because of its distance from the change. This new segment provides that coverage by partnering with the business and supporting it on the journey.
- Cost management: balancing strategy, workloads and backlogs with a heavily centralized second line of defense is always challenging. This new segment brings a streamlined setup for re-prioritizing cost allocations between the first and second lines of defense, and provides better clarity and management.
Moving on: ‘what’ is defined as part of the accountabilities of this new segment? The answer is simple yet complex. Consider a setup with shared centers of excellence for risk and controls management across the various product lines, business processes, technology, cyber, cloud, blockchain, DeFi, etc., working within the boundaries defined by the second line of defense and as partners to the first line of defense for business growth and acceleration, while the third line remains a completely independent function that performs audits and validates the efficacy, efficiency and effectiveness of the risk management process, operational controls and compliance regimes.
Is it easy? The short answer is ‘it depends’. Organizations need to follow a well-defined strategy and plan to make this happen; some of the considerations are as follows:
- Identify and analyze: conduct an analysis to understand the coverage of roles, responsibilities and accountabilities within the three lines of defense model, especially in the tech, cyber, cloud risk and compliance areas, and identify the need for talent, skills, processes, standards, tools and other requirements. Follow this with a consolidation of authoritative sources and requirements based on the organization’s global footprint and country-specific presence (examples: for the USA: FFIEC, GLBA, SOX, NIST, PCI-DSS, etc.; for the EU: GDPR, FADP – Switzerland, CNIL – France, DND – Germany, ENS – Spain, etc.).
- Align and map: align with existing models, rationalize and harmonize them, and develop a hypothesis based on the requirements, existing roles and responsibilities, and coverage across cybersecurity, technology operations, and Independent, Operational and Enterprise Risk Management (IRM/ORM/ERM). Define risk appetite and thresholds for each distinct technology or cyber risk area, including cloud and emerging risks; some thresholds can be defined and refined over time as improvements.
- Strategize: develop a strategic plan for implementation and address the requirements over time by selecting the right ‘fit’ operating model (i.e., federated, decentralized, centralized or even hybrid). Identify the capability areas that can be moved from the current second and first lines of defense into this new segment based on skill, talent and budgetary requirements.
- Implement and sustain: implement the model in stages and test the hypothesis; if successful, initiate organizational change management processes to implement and operationalize the selected model/framework.
To conclude, there is no “one size fits all” solution; multiple variables should be considered when establishing a new operating model structure and scope of responsibilities (e.g., depending on the organization’s size, processes, products, complexity, etc.). There are dependencies and considerations, such as the concept of independence: allowing the first line to have the appropriate authority while being able to demonstrate that there is a strong independent check and challenge. The balance between the first and second lines is a critical success factor, along with transparent and consistent governance and decision making around technology and cybersecurity risk management, which needs to be demonstrated through well-defined policies, procedures, controls, metrics, monitoring, testing and reporting.
It is important to note that an operating model is a ‘way of life’, and business value needs to be ascertained before embarking on this journey: how the alignment of talent/headcount will take shape, how costs will be saved, what the standardized risk profile/taxonomies are, how the program will be continuously matured, what the common working or interaction models will be, and how the roll-out of the core capabilities for risk and compliance management, controls management and operational reliability should be planned, including any rewards/recognition program for proactive risk and controls management.
- 2021 Global Risk Study, Accenture, 2021 (https://www.accenture.com/us-en/insights/strategy/2021-global-risk-study)
- The State of Risk Governance and the 3 Lines of Defense, Gartner, 2021 (https://www.gartner.com/en/documents/3997253/the-state-of-risk-governance-and-the-3-lines-of-defense)
- Why the New 3 Lines Model Doesn’t Go Far Enough, Gartner, 2020 (https://www.gartner.com/en/documents/3989869/why-the-new-3-lines-model-doesn-t-go-far-enough)
- Rethinking Risk Governance: Is the Three Lines of Defense Model Obsolete?, Gartner, 2019 (https://www.gartner.com/en/documents/3913685/rethinking-risk-governance-is-the-three-lines-of-defense)
- Governance, Risk Management and Compliance, TechTarget (https://searchcompliance.techtarget.com/definition/Governance-Risk-and-Compliance-GRC)
- Enterprise Risk Pros Pivot from Compliance to Driving Faster, Better Decisions, Forrester, 2022 (https://www.forrester.com/blogs/enterprise-risk-pros-pivot-from-compliance-to-driving-faster-better-decisions/)