Outdated Risk Management Frameworks Face Growing Criticism
November 19, 2024 – Published on TechNewsWorld
Risk management in many organizations is mired in a framework that can’t keep pace with the challenges that most enterprise risk teams face. It needs to be modernized.
That’s the verdict that senior analysts Cody Scott and Alla Valente handed down in a recent Forrester Research blog that’s critical of the Three Lines of Defense (3LOD) approach, which is widely used to assess organizational risk.
“Conventional means of managing risk haven’t kept pace with the demand, velocity, or pressure that most enterprise risk teams face,” the analysts wrote.
“Worse yet,” they continued, “many governance, risk, and compliance programs hyperfocus on compliance, completely ignore risk, and scramble to stand up governance for every new emerging risk, technology, or threat. The 3LOD model is not built to solve this.”
They explained that 3LOD was developed as a corporate governance framework to implement segregation of duties requirements under the 2002 Sarbanes-Oxley Act (SOX). Then, in 2013, the Institute of Internal Auditors (IIA) promoted it as a solution to enhance risk management. “But as anyone who has tried to implement it as a foundation for enterprise risk management will tell you, the 3LOD is not a model for managing risk,” the analysts wrote.
“The 3LOD framework is a fairly old approach that the financial sector used and likely still does,” added Brian Betterton, practice director for risk and strategic services at GuidePoint Security, a cybersecurity services provider in Herndon, Va.
“3LOD is not what I would call a modern approach, but some like it as it creates separation and thus splits risk management across three functions,” he told TechNewsWorld. “To me, 3LOD is more of an audit approach than a risk one.”
He also pointed out that because its controls are audit-oriented, 3LOD takes a point-in-time view rather than the continuous approach found in solutions that focus on business risk.