The Three Lines of Defense

The Three Lines of Defense

DORA article 5 on ICT risk management framework calls for financial entities to structure ICT risk management according to the three lines of defense model, or similar internal risk management and control model.

Appropriate segregation of duties;

  1. ICT management, responsible for implementation of the management system and business advisory
  2. Control and oversight of ICT risks, responsible for governance model, management system and compliance including reporting to the board
  3. Internal audit of ICT risk-related matters

For most banks, credit institutions and insurance companies managing risk control according to the three lines of defense model is nothing new. With the introduction of ICT risk-specific guidelines by their respective supervisory authorities, EBA and EIOPA, financial organisations have had adapt their ICT risk management accordingly. For an extended group of financial entities, such as crypto companies and third-party providers, who have previously been untouched by similar in-depth regulations, separating ICT risk management organizationally may be a whole new ball game.

These companies are now facing the challenge of finding a way to introduce a risk management and control model which segregates duties appropriately while still being proportionate to their organization, size and business model.  

FCG has listed the most important factors to consider

  • Ensure ICT risk competence in all lines of defense (including ICT auditors) 
  • Ensure ICT risk is integrated in control function’s agenda and internal audit plans 
  • Ensure responsibility for ICT risk control is segregated from ICT operations 
  • Ensure direct and independent board reporting by control and internal audit functions 

Want to find out how FCG can help you?


Fredrik Ohlsson
Partner Operational risk/ICT


Johan Røthe
Partner & Head of Norway


Timo Tamminen
Partner Operational risk/ICT

This website is using cookies

We use cookies for functionality and analysis.

Read more about cookies
Accept cookies

Cookie settings

Read more about cookies
The Three Lines of Defense The Three Lines of Defense

These cookies are essential and required for this site to work properly. Without them we will not be able to assure that our website and services functions correctly.

The Three Lines of Defense The Three Lines of Defense

Analytical cookies are used by third party web services to measure visitors traffic and helps us to evaluate the performance of this website. The collected data is used for the purpose to improve the visitors experience.