The first line of defense has the following objectives: identify and assess risks, identify potential losses that can be caused by the threat, and provide a risk response to design an effective risk mitigation strategy. This is followed by the creation of a risk assessment report, which helps in designing a risk mitigation strategy, which in turn helps to reduce the impact of the identified threat on the organization.
The second line of defense has the following objectives: define a risk management strategy that facilitates and monitors the implementation of effective risk management practices, and a controllership function that monitors financial risks and financial reporting issues of an organization.
The third line of defense performs operations such as internal and external audit, which provides insight on the levels of assurance provided by business operations and risk management functions. The audit process provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defense achieve risk management and objectives.
The crux of this three lines of defense model is to highlight the need for higher levels of independence and objectivity as we go from the first line to the third. Hence the third line reports to the governing body. Also, the primary context here is that each line of defense should be adequately designed to catch threats undetected by the previous lines of defense.
Therefore, the recommended practices for appropriate risk management in an organization are: one, risk and control processes should be structured in accordance with the three lines of defense model. Two, each line of defense should have defined policies and roles. Three, there should be proper coordination among all three lines of defense to enhance efficiency and effectiveness. Four, risk and control functions operating at different lines should communicate efficiently to help support different functions and foster overall efficiency of the risk management process.
Enterprise risk management is quite an involved topic, but it's very relevant for this course and it will be revisited in the next lesson.
As the final topic of this lesson, let us briefly review the available standards that will help create the Information Security Framework for a DMD application.

First, the NIST Cyber Security Framework. In 2013, NIST introduced a framework for improving critical infrastructure security as a response to President Obama's executive order to strengthen the resilience of the nation's critical infrastructure. This essentially draws from the practices developed by the International Organization for Standardization, called ISO. It contains five functions, namely: identify, protect, detect, respond, and recover, and has a 40-year risk management framework.
Second, the COSO Model. The Committee of Sponsoring Organizations of the Treadway Commission, called COSO, issued a joint initiative in 2013 to fight fraud. It basically provides guidance on enterprise risk management, internal control, and fraud deterrence. The model has five components, namely: control environment, risk assessment, control activities, information and communication, and monitoring.
ISO 31000: this was issued in 2009 and still provides guidance on risk management for small and medium-sized companies. However, it can be used by any organization, regardless of size and type of activity. The guidelines are quite generic.
GAIT, the Guide to the Assessment of IT Risk, or simply GAIT, is the risk management guide issued by the Institute of Internal Auditors for assessing the scope of IT in an organization using a top-down and risk-based methodology. Like the other tools, it identifies the risks and recommends mitigation strategies.
Links to the various enterprise risk management models are available in the resources section of this module. In the next lesson, my colleague, Mr. Shriram Wilai Anoor, will join us to provide additional expertise in Operational Technologies and Information Technologies, and Enterprise Risk Management