December 17, 2025

Staying in line: How to foster operational excellence across risk management

Managing risk effectively across an organization requires collaboration—and the three lines of defense in cybersecurity are designed to facilitate this.

However, not everyone is always clear which line they sit in, who is responsible for what, or how to best share information about risk with each other. Often, ineffective risk assessments and poor collaboration across the three lines of defense impact the operational success of risk management. By gaining a clearer understanding of the roles, responsibilities, and the right approach to risk tools and technology, everyone in the organization can enhance their defenses.

The three lines: a brief overview

The three lines of defense in cybersecurity define distinct roles for managing risk. This structure is primarily designed to maintain the independence of activity and reporting across organizational lines. Often, the board of directors sits above these lines, providing oversight. The lines break down like this:

  1. The first line is everyone in the organization, who all bear some risk management responsibility (a simple example: not opening a phishing email).
  2. The second line consists of risk management and compliance functions that oversee the first line and ensure that risks are appropriately recognized and assessed.
  3. The third line is the internal audit function, providing independent assurance that the other two lines are effectively managing risks.

Sometimes, there is a “1.5” scenario where you put risk resources in the front line, and they take ownership of the risk management and control work. The purpose of this setup is to prioritize control and risk assessment activities that merge business partners and risk partners into a more “risk champion” role, serving as a continuum of defense. There can also be “2.5” configurations where audit functions carry out control activities that the risk function then leverages for its work. The bottom line is that the risk and audit functions are in place to determine how well the business is managing its own risks, not to manage the risks on its behalf.

Common factors inhibiting operational risk management

There are effectively five common challenges in the three-line approach to operational risk management:

  1. Lack of first-line engagement
  2. Ineffective risk assessments
  3. Poor collaboration across the three lines
  4. Difficulty in reporting actionable insights
  5. Limited executive buy-in

At some point, risk professionals will likely encounter all of these issues. Some of them share a common root cause or even a common, cascading impact. For example, ineffective risk assessments result in difficulty reporting actionable insights, which in turn leads to limited executive buy-in. The real challenge, however, is being unable to demonstrate the value of operational risk management—and that is usually because of ineffective risk assessment processes or poor collaboration across the three lines.

Ineffective risk assessments are often, more simply, “uninteresting” risk assessments. If you conduct a thorough risk assessment but it does not reveal anything new to the business, it is ineffective: it will not be engaging and does not serve a purpose. If your risk assessment does not connect the dots between risks or add any insight or value beyond merely gathering them, what is the point?

Poor collaboration is not typically intentional. Rather, the three lines have each created their own processes and then come back all trying to do the same thing. So you have a second line with one way of assessing risks, one risk methodology, one risk taxonomy, and one risk register, and then a third line with its own. Both present their findings to the first line and the board. The board looks at the duplicative work and asks, “Well, why are they different? Why can't I compare one risk to another? Why are they rated differently? Why have you got this risk and not that risk?”

This is why the three lines must know their roles.

Three tips for the three lines to improve operational risk management

The key to truly fostering operational excellence in risk management is the people. Technology certainly plays its role (as we will discuss below), but it is how humans using it collaborate and understand the value of this work that truly makes a difference.

  1. Transparent communication and cooperation: You can ensure everyone stays in their lines by fostering open discussion around who owns what. It comes down to saying, “This risk is yours. Are you happy with the controls?” Then the second line—risk—can help address specific challenges or share ideas.
  2. Simplified awareness programs: Sometimes, this is as simple as discussing with the broader business what risk and audit actually do to help them better understand these functions. At other times, it involves playing back the organization's own risk framework, which often enables the first line to understand the value better.
  3. Technology as a tool, not a takeover: Technology makes risk management easier and more efficient—but it's not a shortcut. So if the business still doesn't really know what it's supposed to be doing, if there isn't clear communication and risk ownership, if people don’t know they're the ones who are supposed to use the tool, then the tool is pointless. Technology enables good frameworks to work more quickly and easily, but it's not going to give you the framework.

An important note as we close out: No organization has gotten this 100% right. Everyone has more work to do to manage operational risk effectively. It is always a journey, and it’s never too late to start or restart with the right people, practices, and platforms in place.
