Criticism mounts over old risk management frameworks

Risk management in many organizations remains locked into a framework that cannot keep up with the challenges facing most enterprise risk teams. It needs to be modernized.

That’s the verdict that senior analysts Cody Scott and Alla Valente gave in a recent report Forrester Research Blog that criticizes the Three Lines of Defense (3LOD) approach, which is widely used for organizational risk assessment.

“Traditional ways of managing risk have not kept pace with the demands, velocity or pressures that most enterprise risk teams face,” the analysts wrote.

“Worse yet,” they said, “many governance, risk and compliance programs hyperfocus on compliance, ignore risk altogether, and tailor governance to every new emerging risk, technology or threat. The 3LOD model was not built to address this. “

They explained that 3LOD was developed as a corporate governance framework to implement the segregation of duties requirements under the 2002 Sarbanes-Oxley Act (SOX). Then, in 2013, the Institute of Internal Auditors (IIA) promoted it as a solution to enhance risk management. “But as anyone who has tried to implement it as a foundation for enterprise risk management will tell you, 3LOD is not a model for risk management,” the analysts wrote.

Rigid framework

The framework is designed to meet compliance requirements set by SOX, not to address business risk, notes Ian Amit, founder and CEO. gombokAutomated cloud infrastructure security solutions provider in New York City.

“It’s not adaptable enough to work for most modern organizations, where reporting lines and hierarchies aren’t as rigid as they were in 2000,” he told TechNewsWorld.

“The 3LOD framework is a fairly old approach that the financial sector used and probably still does,” added Brian Betterton, practice director of risk and strategic services. Guidepoint SecurityA cyber security services provider in Herndon, Va.

“3LOD is not what I would call a modern approach, but some people like it because it creates separation and thus divides risk management into three functions,” he told TechNewsWorld. “To me, 3LOD is more of an audit approach than a risk.”

He also noted that due to the audit nature of its controls, it has a point-in-time focus and not a continuous approach to solutions focusing on business risk.

Consent trumps risk

Many risk management programs hyper-focus on compliance rather than actual risk for a variety of reasons.

“Traditional risk management approaches focus on compliance – passing audits and checking boxes – rather than actual business risk,” said Amit. “These approaches are often taken by organizations with leadership that is more concerned with preserving the status quo than with revenue or innovation.”

“Often risk management programs focus more on compliance because it is tied to clear and distinct goals,” adds CPO Nicole Sundin. AxioA cyber risk management company in New York City.

“Compliance work is usually tied to a business objective or an external need,” he told TechNewsWorld. “In this context, compliance becomes a point-in-time effort aimed at meeting a specific business need, rather than an ongoing process of identifying and mitigating incremental risks.”

Also, most risk management programs are driven by compliance goals, adds Chandrasekhar Bilugu, CTO of SureShieldA security, compliance, and integrity management software company, in Atlanta. “Organizations rarely adopt risk management as an independent process separate from the compliance mandate, as it would lack the necessary executive sponsorship,” he told TechNewsWorld.

Heath Renfro, CISO and co-founder Phoenix24A disaster recovery and recovery firm in Chattanooga, Tenn., insists that compliance-driven risk management programs are nothing more than paper drills without an accurate way for senior executives to measure risk to make risk-based decisions. “You can’t manage risk you don’t understand,” he told TechNewsWorld.

Betterton noted that in less mature organizations, risk management programs focus on compliance over risk. “Less mature organizations are seeing compliance as their main risk and, as a result, are missing all their risks,” he said.

Meeting compliance requirements is easier for many organizations than assessing security needs. “Compliance means you are complying with a rule or regulation that must be followed. There is a clear definition of what to follow,” explains Ira Winkler, CISO CYEA cyber security optimization company in Tel Aviv, Israel

“However, what it means to be protected varies widely,” he told TechNewsWorld. “If you have no idea what security means to your organization, even if you have a clear definition of what it means to be compliant, you’re going to have to achieve compliance first because it’s hard to be secure when you don’t understand exactly. What does that mean.”

Foundations of modern risk management

Scott and Valente mention three pillars for a modern approach to risk management.

The approach must be dynamic and able to address risk at three levels: systemic risk external to the organization and beyond its control; Ecosystem risks external to the organization but within different levels of control, such as third party and supply chain risks; and risks internal to the enterprise organization and directly controllable, such as cyber security and financial risks.

Further, the approach must be continuous as risks and opportunities evolve over time. Point-in-time, static risk assessments do not reflect reality, analysts explained. Instead, teams need a continuous process to identify the risk context, assess it, make decisions, and monitor results as plans and objectives develop.

The approach must recognize that cyber risk is a business risk. Analysts noted that typically, the chief risk officer selects the risk management model, while the CISO must ensure that the model is effective for the organization’s cybersecurity needs. Without working in lockstep, security and risk professionals are stuck living in fear from audit to audit while predictable, preventable risk events materialize over and over again.

“The chief risk officer and chief information security officer need to be on the same page when implementing a risk framework because both are responsible for identifying and addressing different aspects of risk within the organization,” Sanlin observed.

“The CRO typically focuses on overall business and operational risk, while the CISO focuses on cybersecurity risk. However, both roles have overlapping responsibilities in risk management and have important insights across their teams that must be shared to effectively address and mitigate risk.”

“Collaboration between the CRO and CISO ensures a holistic approach to risk management, enabling the organization to proactively identify, assess and resolve potential threats across all domains,” he said. “When their efforts are combined, it creates a unified, comprehensive risk strategy that reduces vulnerability and increases the overall resilience of the business.”

Forrester’s model

Scott and Valente also refer to Forrester’s Continuous Risk Management Model, which they call “a blueprint for holistic risk management.”

Forrester’s approach isn’t entirely new, Amit points out. “It mimics how modern organizations manage risk,” he said.

“The introduction of tools that allow an organization to obtain more frequent data points on its internal controls and processes, as well as external threats, allows for more granular risk management that is more continuous than temporal,” he explains.

He also noted that audit and compliance requirements force organizations to implement more continuous evidence-gathering and controls, which, in turn, allow them to practice clearer risk management on an ongoing basis.

Fundamentally, people need to understand what risk management and security are, Winkler suggests. “The definition of safety is freedom from risk, and you can never be free from all risk.”

“Security professionals need to understand that their job is essentially risk management, which involves making the best decisions to optimize their costs relative to the amount of potential damage,” he continued. “Good decision science and mathematical tools are needed to help with this. It will take their work from art to science.”