3LOD Is Threat Administration’s Single Greatest Bottleneck
It’s not you; it’s the mannequin! The three traces of protection (3LOD) idea was initially developed as a company governance framework to implement segregation of duties necessities below the 2002 Sarbanes-Oxley Act. And in 2013, the Institute of Inside Auditors (IIA) promoted it as an answer to boost danger administration. However as anybody who has tried to implement it as a basis for enterprise danger administration will inform you, the 3LOD is just not a mannequin for managing danger. As a substitute, it defines, with ample rigidity, the roles required to adjust to segregation of duties necessities. This division is conceptually easy however doesn’t match the working mannequin at most organizations. For instance, the primary and second traces get blurred resulting from advanced administration buildings that perpetuate silos, misalign incentives, and switch “danger administration” right into a compliance overview gate.
Cease Turning RISK Into A Soiled 4-Letter Phrase
Standard technique of managing danger haven’t saved tempo with the demand, velocity, or stress that almost all enterprise danger groups face. Worse but, many governance, danger, and compliance applications hyperfocus on compliance, fully ignore danger, and scramble to face up governance for each new rising danger, expertise, or risk. The 3LOD mannequin is just not constructed to resolve this. Among the high the explanation why we want a contemporary strategy are that:
- Threat is dynamic. Threat is intrinsically linked to each resolution we make, but it’s troublesome to foretell as a result of it’s unsure and interconnected. Threat originates in three dimensions: 1) Systemic danger is exterior to the group and past its management (e.g., local weather, geopolitics); 2) ecosystem danger is exterior to the group however inside various levels of management (e.g., third events, provide chain); and three) enterprise danger is inner to the group and straight controllable (e.g., cybersecurity, monetary danger).
- Threat is steady. Dangers and alternatives evolve over time. Level-in-time, static danger assessments don’t mirror actuality. As a substitute, groups require a steady course of to establish danger context, assess it as plans and goals develop, make selections, and monitor the outcomes.
- Cyber danger is enterprise danger. As we speak, expertise powers each enterprise course of, which makes cyber danger a enterprise danger. Usually, the chief danger officer and/or enterprise danger perform selects the chance administration mannequin, whereas the CISO wants to make sure that the mannequin is purposeful for the group’s cybersecurity wants. With out working in lockstep, safety and danger execs are caught residing in concern from audit to audit whereas foreseeable, preventable danger occasions materialize repeatedly.
Introducing Forrester’s Steady Threat Administration Mannequin
Many orgs at present do points of danger administration — similar to conducting assessments, implementing controls, remediating gaps, and/or reporting on progress — however they lack an outlined lifecycle strategy. This leads to piecemeal duties that create a false sense of assurance, poor stakeholder engagement, misused assets, and missed alternatives. The Forrester Steady Threat Administration Mannequin is a blueprint for holistic danger administration. Drawing on finest practices in danger, technique, and undertaking administration, the mannequin outlines eight sequential phases (4 pertaining to strategic planning and 4 associated to enterprise efficiency) that combine key stakeholders, processes, information, and suggestions for a value-based danger administration strategy. Forrester’s mannequin equips groups with a framework to formalize their present danger administration work, establish enhancements, and chart a path to maturity, as a result of it:
- Bridges the hole between danger technique and enterprise efficiency. Technique and efficiency are important elements of danger administration, however danger groups wrestle to combine them. Why? They’re advanced, context-sensitive, and require dedication throughout a number of layers of the enterprise. But with out them, enterprise leaders lack the best insights and might’t ensure that they may meet their goals, whereas danger and operations groups wrestle to fulfill altering operational priorities.
- Is domain-agnostic, creating constant danger administration throughout the org. Threat execs can apply it inside any space that requires danger and compliance administration, similar to info safety, operational, third-party, and rising dangers. It offers a foundation for standardization and consistency within the danger administration course of in addition to for a typical danger taxonomy throughout all danger administration capabilities.
- Anchors itself to the pursuit of worth. Threat administration should take into account the upside, not solely the draw back danger. Forrester’s mannequin allows danger execs to speed up their group’s pursuit of worth by establishing the suitable context, evaluating trade-offs, and supporting decision-making that accelerates, relatively than impedes, development, innovation, and resilience.
- Creates on- and offramps for strategic selections. Strategic selections don’t all the time observe a linear path. In truth, alternative or tragedy is simply as a lot part of timing as circumstance. In Forrester’s mannequin, the chance resolution is the preliminary approval, and the change administration resolution accounts for ongoing suggestions and creates an onramp and offramp for investments and initiatives earlier than they go horribly fallacious or earlier than the chance passes by.
For an in-depth have a look at the mannequin, Forrester purchasers can take a look at our report, No Extra Blurred Strains: Introducing Steady Threat Administration, and schedule an inquiry or steering session with us to debate how steady danger administration will profit you.
Be taught Extra At The Safety & Threat Summit
If you wish to study extra about steady danger administration and our new mannequin, take a look at the agenda for our upcoming Safety & Threat Summit, December 9–11 in Baltimore. Alla and I might be copresenting a keynote entitled “The Steady Threat Revolution Is Right here. Down With The Three Strains Of Protection!” See the agenda for extra particulars, and we hope to see you in Baltimore.
