
The most efficient and effective risk management program “takes a village.” I’m not talking about Hillary Clinton’s book; I’m talking about the need for organizations to robustly embrace the “Three Lines of Defense” model. The Three Lines of Defense (LoD) model characterizes the “people component” of an organization as the three primary functions of an optimized risk management program:


• 1st LoD – Management control with functions that own and manage risk (such as business unit managers and operating managers)

• 2nd LoD – Risk management and compliance oversight functions (such as ERM, ORM, and Corporate Compliance)

• 3rd LoD – Independent assurance functions (such as internal and external auditors)



Regardless of industry or risk type, operational line managers, risk management oversight functions, and internal audit serve important roles in day-to-day management of an organization’s risk. The most effective risk management requires collaboration between these roles.


The LoD model reinforces two important elements of risk management: defined roles and accountability.

• Operating management is responsible for understanding and managing their risks and internal controls.

• Risk management and compliance oversight is responsible for risk management frameworks, training, and challenging 1st LoD risk assessments.

• Internal Audit (typically) is responsible for independently evaluating and reporting on the design and effectiveness of the organization’s overall risk management program.


The origin of the three LoD model is not altogether clear, but it is likely an outgrowth of the 1992 COSO Internal Control – Integrated Framework. In 2014, the 1992 Framework was updated to include a list of clarifying Principles relevant to the model. Principle 3 states that “management establishes, with Board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.” Principle 5 states that “the organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.”


Adoption of the three LoD model is becoming more and more widespread:


• Based on a review of annual filings, Protiviti reported in March 2015 that 80% of companies had adopted the updated COSO Internal Control – Integrated Framework and that 75% of those that had not adopted the new framework were using the original 1992 Framework.


• In January 2013, the Institute of Internal Auditors published a position paper, effectively endorsing the three LoD model as a best practice in Risk Management and Control.


• Financial services organizations have long been exposed to the 3 LoD model via the Principles for the Sound Management of Operational Risk.


Although I’ve met a number of customers and prospects that are unfamiliar with the 3 LoD model, I believe that may be due to a lack of communication within their organization. It’s possible that the people responsible for stating that their organizations follow COSO have not articulated what that means to the different LoD personas, or the internal auditors have not seen the IIA’s position paper. Without exception, financial institutions seem to have heard of, and embrace, the model.


In the next few blogs, I will explore the role of each of the three Lines of Defense and how each contributes to the effectiveness of an organization’s risk and compliance management program. Stay tuned.

Steve Schlarman

Mind Your Metrics

Posted by Steve Schlarman Employee Jun 29, 2015

Last week I participated in a joint event with KPMG hosted by the New York Stock Exchange Governance Services. The roundtable topic was Information Security Metrics programs – every security manager’s favorite. Why? Because security is so squishy. What metrics could effectively capture the state of something that changes on a regular basis, has no uniformity and can take a left turn just when you think you know where you are going? With today’s complex and frankly dangerous technology issues, security is a regular topic that reaches the board level. All companies represented at the table reported regular board-level reporting on information security. Naturally the discussion started with this challenge of coming up with measurable, repeatable metrics that provide a view into information security and are tangible and meaningful for the executives.



The discussion was vibrant and meandered over many different aspects of a metrics program. A certain level of maturity must generally be attained to measure and monitor metrics. The typical maturity journey around building a program requires processes to be defined, documented and then monitored and measured to drive metrics. However, many companies begin gathering and reporting metrics early on to drive performance improvements. So which comes first – maturity or metrics? Can an ‘immature’ security program sustain a metrics program? A metric only really gives insight when measured over time. Measuring something once or twice really doesn’t give an indication of true risk. But waiting until a metric becomes a true risk indicator may take too long, and there could be value in measuring metrics in the short term, such as a “surge” in specific risks or internal initiatives.


We also talked about a variety of other topics, including the growing conversation CISOs/InfoSec Executives are having regarding the financial impact of both cyber risk and the investment in security technology. Financial metrics related to security spend and investment can factor into your strategies if you are able to bridge the gap between technology speak and the business context of security risk. Reporting metrics should drive better decisions. Performance optimization – for the business and not just security – is the ultimate output.


Identifying the key metrics that help inform on possible incoming risks or on the efficiency and effectiveness of the security program is no easy feat. The trick is to find metrics that trigger management interest. Something that informs and educates was a key factor, especially for those executives who are just learning to navigate the information security universe. One of the critical points is to view metrics reporting as storytelling – shaping the perceptions and knowledge of management while building a clearer and clearer picture of what is happening in both the industry and internal efforts.



With a record number of speaker proposals received for consideration for this year's GRC Summit, the Summit Program Committee will no longer be the lone voice in the final Archer selection process.


This year we are pleased to announce the debut of 'Archer Community Selects.' Beginning Monday, June 22 and running through Thursday, July 2, you and your GRC peers will now be able to 'voice your choice' for a session in each track that you believe should be selected for a presentation slot. The session with the most votes for that track will automatically be selected; runners-up will be considered as alternatives, to be invited to present in the event of a cancellation.


The sessions for the 'Archer Community Selects' are only a subset of the speaker proposals we received; submissions for all Archer Summit proposals are still under consideration by the Program Committee, and speakers will be notified of final decisions by mid-July.


This is your chance to 'vote your choice' and have a say in this year's Summit Agenda. To vote, simply login to the Archer Community if you're not already, and click on the Proposal Abstracts listed below.


Good luck and happy voting!





  • Push A Button, Get A Report - A Vendor Manager's Dream
  • Third Party Risk Management - Changing Company Culture
  • AIG Vendor Governance - Demystifying Vendor Discovery And Risk Profiling
  • Making Compliance Easy For Your Partners


  • Control Optimization And SOX Automation Through Archer
  • Interconnecting the Compliance Dots Via A Unified Model - Lessons Learned
  • Clarifying Compliance - Data, Design, and Dashboard


  • Employee Performance Review Process Rolled Out To 35 Branches In Archer
  • Building The Nation's Cybersecurity Workforce
  • FISMA Compliance - Leveraging Archer For Ongoing Archer Authorization


  • Skin In The Game: Integrating Business Into IT Risk Management
  • Future State Of Archer
  • From Tools To Intelligence, Operational Cyber Security


  • Establishing Archer Data Retention Policies And Their Enforcement
  • Crossing Eyes For Fun And Profit: A Glimpse Into Archer Content Mapping
  • Multilingual Archer: The Easy Approach


  • Archer ServiceNow Integration: CMDB Devices And Services Desk Ticket Tasks
  • Banking On Archer

Can businesses and organizations be resilient on their own?


By this I mean: is it enough for a business organization to build resilient internal processes, IT infrastructure, facilities, and even third party relationships and rest assured they're prepared for the next big event that comes along? To answer this question, I think we have to look at what businesses rely on to operate – both inside and outside of the company. Of course, there are external needs, like utilities (electric and water), transportation and roads, police and fire support and many others. However, the one I'm going to focus on is its people. Specifically, employees and what they need to do to personally prepare for disasters so they can return quickly after a disaster and help your business recover.


Around this topic of people, Business Continuity (BC) disciplines tend to focus on employee safety, ensuring people can do their jobs after a disruption and determining which employees are "critical" to recovery efforts and to operating the company as a whole. However, I don't think we focus enough on other aspects of employee preparedness that can significantly affect whether employees can and will stick by the company and help it recover in the aftermath of a disruption. After Hurricane Katrina hit in August 2005, an estimated 300,000 homes were destroyed or otherwise made uninhabitable. In 2012, Superstorm Sandy plunged Lower Manhattan into darkness, flooded the subway system and left more than 8 million people along the Eastern Seaboard without power. When the 2003 European heat wave struck, it resulted in a health crisis in several countries as well as a drought which led to crop shortages. Thousands died, with most casualties being elderly people in nursing homes or single family homes with no air conditioning systems.


We always focus on the dollar impacts of disasters. However, these examples highlight the real impacts devastating disasters can have on employees and their families outside of work. My proposition today is that without the personal preparedness of individuals and families, our businesses are vulnerable. This is a tough topic to handle because most organizations don't know where to start and can barely get their arms around their own resiliency and recovery planning. However, the more a business organization focuses on its people and encourages their personal preparedness, the better off its business will be.


There's not much our employees can do if the subway is down or power is off across the city, but there are ways they can make at least short-term plans, and there are many resources available to your employees to help them build personal preparedness, like support groups, churches, websites, federal and state government resources, and many other groups devoted to emergency preparedness. What companies can do is incorporate this into their messaging and communications and encourage employees to build personal preparedness. Companies can and should be supportive and point employees to resources that will teach and help them build personal preparedness.


The better prepared our employees and their loved ones are for disasters, the better able they'll be to get their houses in order and jump back in and help the company recover as well.  For more information or input, email me at

The Risk Management Society (RIMS) just published the results of a Cyber Survey they conducted with their membership. RIMS is a global not-for-profit organization founded in 1950, representing more than 3,500 industrial, service, nonprofit, charitable and government entities throughout the world with a membership of more than 11,000 risk management professionals located in more than 60 countries.


The results of their May 2015 Cyber Survey produced a lot of interesting statistics. What I found particularly interesting were the results around cyber insurance:


51% of member organizations have purchased stand-alone cyber insurance policies, and 74% of those without cyber coverage in place are considering procuring coverage within the next two years. The reported top three cyber exposures were: reputational harm (79%), business interruption (78%), and data breach response and notification (73%).


I guess the widespread use of cyber insurance as an information security risk transfer mechanism stems from the never-ending list of companies that have been breached and the fear that no system of internal control is 100% effective – a.k.a., “it’s just a matter of time before we get breached.”


Cyber insurance is a relatively new insurance product. Not so many years ago, a company wishing to cover cyber risk had to propose and negotiate language modifications with its insurance carriers for more “traditional” policies such as general liability, errors and omissions, fidelity, and property/business interruption. This was a complex process, in large part because a company had to understand the threat source of potential information security breaches (physical vs. electronic; internal vs. external), the impacted areas (breach of customer and counterparty contracts, loss of current and future business as a result of business interruption, and cost to remediate), and the monetary risk associated with a breach of one or more of the impacted areas. This is an extreme example of where good “Risk Intelligence” comes into play.


Some insurance carriers have made the process a lot easier, offering dedicated cyber insurance policies that package together many cyber-related exposures. Yet, to fully benefit from cyber coverage, organizations still have to understand the amount of their cyber risk. For example, what is the worst-case monetary cost to rebuild brand damage, to remunerate customers for business interruptions, compromised personal information, and unauthorized transactions? This information is derived from thorough risk assessments. Ultimately, you need to know whether the coverage limit of the cyber insurance (how much insurance?) and the scope of the insurance are appropriate to your organization's risk profile (does the cyber insurance adequately cover all of the risks that you are exposed to?).


The underwriting process for cyber insurance can be very rigorous, often requiring organizations to complete detailed questionnaires and key personnel interviews about the kind and amount of information handled and the information security governance and internal controls in place. The more it looks like you understand your risk and the better your governance process, the lower your insurance premiums.


For our IT & Security Risk Management customers, the nice thing about Archer is that you can perform the necessary risk assessments to identify needed coverage and coverage limits and you can demonstrate to cyber insurance underwriters that you have a strong information security governance program that warrants a lower cyber insurance premium.


There is other very interesting information in the RIMS survey, including typical limits and premiums, roles involved in cyber response plans, the methods and tools used to identify cyber risk, and the typical amount spent to protect against cyber security exposures. I encourage you to read the report if you are interested in this kind of thing.
