Castle with a moat, generated by Apple Image Playground

Forrester Research challenges the Three Lines of Defence (3LOD) model twenty years on. The research firm writes that the model is outdated: built for SOX, 3LOD hasn’t been reconsidered in two decades, and it’s time for a change.

The three lines of defense (3LOD) concept was initially developed as a corporate governance framework to implement segregation of duties requirements under the 2002 Sarbanes-Oxley Act. […] But as anyone who has tried to implement it as a foundation for enterprise risk management will tell you, the 3LOD is not a model for managing risk. Instead, it defines, with ample rigidity, the roles required to comply with segregation of duties requirements. This division is conceptually simple but does not match the operating model at most organizations.

Forrester