

There’s nothing we like better at the FAIR Institute than challenging the stultifying traditions of cyber risk management. Our recent webinar with Forrester Senior Analyst Cody Scott shattered one time-honored practice, the Three Lines of Defense, and presented a dynamic, risk-based model as an alternative.
Watch the webinar on demand: Dismantle the Three Lines of Defense: The Forrester Continuous Risk Management Model
As Cody made the case, the Three Lines is actually a governance model developed after the financial scandals of the early 2000s. Over time it morphed into a risk management standard and perpetuated the notion that compliance (such as establishing first-line "doer", second-line "overseer" and third-line "auditor" teams) took care of risk management. "It perpetuates silos" that don't align with corporate structures, Cody says, and it can't consistently answer a basic question: "Where does cybersecurity sit?"
Cody introduced Forrester’s Continuous Risk Management Model designed to follow the flow of the risk management lifecycle rather than an org chart.
The model’s North Star is “pursuit of value” for the business. “We’re not managing risk for the sake of risk management,” Cody says. The model divides into two phases, Risk Strategy and Business Performance, with multiple steps, each justified with business value.
The first loop reaches an inflection point where a risk-based go/no-go decision is made on a project.
The next loop keeps a close leash on the project to ensure it remains on target for business value. Step 7, for instance, is "Measure controls effectiveness against expected outcomes", prescribing a risk measurement system and an evaluation of controls effectiveness (not just their presence).
Cody Scott
The second loop leads to another inflection point, acknowledging that change has likely occurred since you started, so don’t fall into a sunk-cost trap.
Cody ends with advice on how to get started on the Continuous Risk Management model by working within the risk management structure you have (including the Three Lines of Defense).
Look for more development of the model by Forrester this year.