Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
Since the three lines of defense model was first explored in a 2013 Institute of Internal Auditors (IIA) position paper,
many different interpretations of how the model could best be implemented have been released—some of which misunderstand the purpose of the second line. This piece explains why it is necessary to first understand how the lines work in the real
world and then show how to use a framework to more practically allocate work among them.
There are two problematic tendencies in business with respect to the three lines of defense. The first problem arises when people take the three lines of defense model and apply it to existing practices, effectively turning the model into a paperwork
exercise but without driving any fundamental change.
The second problem occurs when people attempt to make changes and wind up creating an environment of distrust, where the first line views the second line as constantly trying to catch them in mistakes, while the second views the third line in the same
Before any work can be allocated across the lines, it is imperative to develop some consensus around what the three lines are expected to do. As originally conceived:
Unfortunately, this approach does not align well to how most organizations are structured.
In practice, the first line generally involves day-to-day business practices, although there is disagreement about how far this line stretches – with some focusing just on operations with inherent risk and others extending to all operations, including
internal administrative work and all customer-facing work, such as sales and marketing. The third line is also well understood, focusing largely on what most organizations would term “internal audit.”
The second line is tricky, though, with a fuzzy mission around “overseeing risks.” The original paper openly recognizes the specific duties of this line will vary between organizations and that the second line is “independent-ish”
from the first line, but not as independent as the third line. It is often unclear where the monitoring of day-to-day operations shifts from first line to second line. Similarly, it is unclear where oversight duties of the second line begin to blend
with the oversight duties carried out by the third line.
Three factors further complicate this simplified view of risk management:
READ: How to Set Up a Strong GRC Program
As can be seen in the literature, the first and third lines are reasonably well-defined, with the second line largely taking on the work that doesn’t cleanly fit in the other two lines. Such tasks can be highly variant and dependent on business
culture, structure, and politics.
To simplify the allocation of work across the lines, it can help to look at how the work is typically done across the lines:
Looking at the actual duties of the second line, it is clear the original diagram from 2013 is flawed (see Figure 1).
It works better to re-conceive the role of the second line as a translation and consultation service that streamlines work between the first and third lines of defense, as well as senior management and external factors (see Figure 2).
In this clarification, you can see how senior management and the board work to determine goals and communicate strategy to the third line of defense. The third line can audit against this strategy and communicate the results to the board. However, to
remain independent, the third line cannot determine how the strategy is to be implemented tactically—nor is it in a position to provide guidance for how the organization should handle external factors. Similarly, the first line must be allowed
focus to complete the day-to-day business requirements.
The second line is what makes the entire process function, taking in data about changes to the external compliance and threat ecosystems and how vendors can help address those changes. It works with the third line and senior management to determine strategy
and consult with the first line on how that strategy is best implemented tactically, but it leaves the operational details to be determined by the first line.
With this conception, it becomes much easier to determine how work is to be allocated between the lines. For example, consider the NIST Cyber Security Framework (CSF) “protect” requirement, PR.IP-4. It states, “Backups of information
are conducted, maintained and tested.” In the three lines of defense model, the first line would be responsible for implementing the technology to meet the required recovery time objective (RTO) and recovery point objective (RPO). The second
line would work with senior management to define specific RTO/RPO requirements and lead the internal testing processes, while the third would be charged with verifying the backup process meets internal requirements.
Reviewing the literature released since 2013, it is clear the three-line model has been challenging for a great many businesses, particularly around the fuzziness in the definition of the second line, which provides oversight, consultation, communication
and (in some cases) monitoring services. However, by refocusing the second line on strictly consultation and translation services, it is easier to allocate work in an appropriate manner.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.
September 21, 2023
By IANS Faculty
Learn why CISOs Need D&O Liability Insurance Coverage now more than ever along with guidance to help minimize potential cyber liability risk.
September 19, 2023
Discover the diversity of IANS Faculty's real-world expertise. Learn how our faculty members can help you solve your most challenging security issues.
September 14, 2023
Learn how to use a three-step approach to defending and managing public and private APIs while avoiding common mistakes.