Outdated Risk Management Frameworks Face Growing Criticism - Tech News

Forrester Research challenges the Three Lines of Defence (3LOD) model twenty years on. The research firm writes that the three lines of defence is outdated: built for SoX, 3LOD hasn’t been reconsidered in two decades, and it’s time for a change. The three lines of defense (3LOD) concept was initially developed as a corporate governance framework to implement segregation of duties requirements under the 2002 Sarbanes-Oxley Act. […] But as anyone who has tried to implement it as a foundation for enterprise risk management will tell you, the 3LOD is not a model for managing risk. Instead, it defines, with ample rigidity, the roles required to comply with segregation of duties requirements. This division is conceptually simple but does not match the operating model at most organizations. Forrester ...

December 8, 2024 · 1 min · Graeme

NIST Cybersecurity Framework 2.0 was released this year - NIST

The US Government’s National Institute for Standards and Technology, known commonly as NIST, released its updated Cybersecurity framework in February. This was the first new version in 10 years, following the 1.0 version in 2014 that was primarily aimed at protecting US critical infrastructure. The new 2.0 version is international and aimed for broad consumption: drafted in collaboration with experts across 100 countries, it should also be easier to use. Version 2.0 also introduces a new category: Govern, recognising that the world has changed since 2014, with Cyber now an enterprise risk being discussed in the boardroom. ...

December 8, 2024 · 1 min · Graeme

The EU’s Digital Resilience Act - known as DORA - comes into effect next month - ESMA

Security Boulevard notes that firms have less than two months to comply with DORA. With the EU’s Digital Operational Resilience Act (DORA) coming into effect next month, financial services firms in the EU are updating processes, policies and provisions to comply with the new regulation. Meanwhile, PwC highlights in International Banker (PwC) the challenge of updating ICT contracts under DORA’s requirements. As part of TPRM, DORA stipulates that all ICT contracts must contain specific baseline contract terms. There are also more onerous additional requirements for contracts supporting critical or important functions (CIFs). ...

December 8, 2024 · 1 min · Graeme

AI Governance and the Three Lines of Defence

Context For mid-career professionals in risk, audit, or management, the rapid adoption of Artificial Intelligence presents a specific challenge: how to apply established governance principles to a non-deterministic technology. This note outlines where AI sits within the standard Three Lines of Defence model, helping you position your skills and oversight responsibilities effectively. Defining AI Governance AI Governance is simply the framework of accountability, authority, and control that ensures automated systems are used responsibly. It is the mechanism by which an organisation retains meaningful control over its technology. ...

4 min

AI Governance as a Discipline - Career Pathways and Competencies

Context For the mid-career professional in audit, risk, or IT, the rise of artificial intelligence presents a distinct bifurcation in career trajectories. You do not need to become a data scientist to remain relevant, but you cannot afford to remain illiterate in the mechanics of automated decision-making. This article outlines how to pivot existing your ‘Lines of Defence’ experience into the emerging discipline of AI Governance. The Emergence of a Distinct Discipline AI Governance is rapidly decoupling from general IT governance and data protection. While it shares DNA with these fields, it addresses a specific convergence of risks that traditional frameworks struggle to contain: algorithmic bias, non-deterministic outputs, and the opacity of ‘black box’ decision-making. ...

5 min