The Three Lines of Defense

The Three Lines of Defense

DORA article 5 on ICT risk management framework calls for financial entities to structure ICT risk management according to the three lines of defense model, or similar internal risk management and control model.

Appropriate segregation of duties;

  1. ICT management, responsible for implementation of the management system and business advisory
  2. Control and oversight of ICT risks, responsible for governance model, management system and compliance including reporting to the board
  3. Internal audit of ICT risk-related matters

For most banks, credit institutions and insurance companies managing risk control according to the three lines of defense model is nothing new. With the introduction of ICT risk-specific guidelines by their respective supervisory authorities, EBA and EIOPA, financial organisations have had to adapt their ICT risk management accordingly. For an extended group of financial entities, such as crypto companies and third-party providers, who have previously been untouched by similar in-depth regulations, separating ICT risk management organizationally may be a whole new ball game.

These companies are now facing the challenge of finding a way to introduce a risk management and control model which segregates duties appropriately while still being proportionate to their organization, size and business model.  

Advisense has listed the most important factors to consider

  • Ensure ICT risk competence in all lines of defense (including ICT auditors) 
  • Ensure ICT risk is integrated in control function’s agenda and internal audit plans 
  • Ensure responsibility for ICT risk control is segregated from ICT operations 
  • Ensure direct and independent board reporting by control and internal audit functions 

Fredrik Ohlsson

Managing Director, Cyber & Digital Risk

Want to find out how Advisense can help you?