5 things your Risk guys don't tell you about your lines of defence (#3 will shock you)
Editor's note
3 lines of defence (3LOD) is still a framework and a set of terms that is used today.
You have Line 1 Risk, you have Line 2 Risk, and you have Internal Audit.
Three nicely organised swim lanes with nicely organised roles and responsibilities.
The reality is it barely worked back then.
And it definitely doesn’t work now.
In addition to this we have a series of gaps that exist between the Board, Leadership, Business and Technical teams.
C-suite reports they are happy with how they address tech risk and cyber - but this changes when you speak with Management and operational teams that work with risks daily.
C-Suite are focused on bottom line and strategy, and sometimes tend to be too surface level when it comes to risk and risk tolerance.
I have personally seen a bank remove a red risk from its Board reporting because it was "inconvenient".
Should anyone dare to disrupt the status quo or venture out of their pond - they are likely to get eaten.
The eventual outcome is that risk and control are never truly addressed,
OR
a lot of money is spent (on useless consultants) and a lot of red tape is navigated to get somewhere that could have been reached simply.
I explore 5 things that are not true about your Lines of Defence. Yes, this is my opinion, but I have seen it first hand.
Keep reading to find out.
5 Things Risk Guys (and girls) probably won’t say

The 3LOD model, whilst potentially effective once upon a time, is far too rigid to be effective at a time when technology is so complex and moving at such a rapid speed.
Teams not only need to be collaborative, but they need to be flexible with the ability to move in multiple directions at a time.
Most lack the ability to do this, especially if you work within corporate federated models.
Risks are not standing still; rather, they are like whack-a-mole. Plug one, another pops up, and another, and another.
Lines of Defence are like the houses of Hogwarts. In Order of the Phoenix (the 5th book) the Sorting Hat tells the Great Hall that the houses (Gryffindor, Slytherin, Ravenclaw and Hufflepuff) must work together to fend off the evil threatening the school.
But the reality is the houses are in constant competition. Whilst occasionally they will collaborate and share, more often than not they are competing against each other from within. As such, risk becomes reality. In this case Voldemort is able to exploit this chaotic infighting for his own benefit.
Same with the 3 Lines of Defence: more often than not they are competing rather than working together. Such behaviours almost always create vulnerabilities.
Line 2 Risk is the guy at the party nobody wants to talk to. L2 traditionally has the role of gatekeeper: policies and procedures, and making sure the L1 teams are doing their jobs. L2 should be more involved operationally and strategically. They rarely get their hands dirty (for fear of breaching Segregation of Duties (SOD)).
L2 should get in there not only to help with headcount, but also to help both L1 and L2 learn about the business. I emphasise this: Risk teams need to learn how the business works, otherwise how can you possibly understand the risks?
A big issue with L2 is they lack any teeth when it comes to the implementation of proper technology controls. They sit back and watch. I know, I used to do it.
Most Tech Risk & Audit guys don't know much about tech. You have a bachelor's in information systems, but you probably can't use your TV remote at home.
Tech Risk and Audit teams have a bad reputation because they often don't know what they are talking about. Unfortunately I can't defend it, as many are not qualified or are under-skilled when it comes to understanding tech stacks, coding, CI/CD pipelines, basic architecture rules, etc.
IT General Controls (ITGC) are dead. Please stop relying on them solely as an attestation of controls. Even as support to the financial audit (attestation over the controls that support the financials), this is insane.
Technology is complex and multifaceted, with multi-layered architecture sitting across multiple third parties (at a minimum). I feel like I am in the Matrix most of the time. If a joker came at me now with an ITGC finding, I would slap them.
Management Letter Points (MLPs) sometimes take months to close. What is the point? The risks have moved on. What you reported was yesterday's or last year's news.
However, whilst it is complex, there are ways to communicate how things work in an easier fashion. The problem is most of us are too lazy to learn or find out. Not doing the work is an issue.
Data Protection is a lie. You are leaking like a sieve. Until everyone is honest about data privacy, we have no chance of actually plugging some of the gaps.
Most of the time organisations can't even tell you where all their data is sitting, or what its labelling and classification is.
If you don’t know where something is how can you possibly protect it?
Training and awareness programs are boring, and nobody wants to do them! Make training a periodic exercise and not an annual compliance requirement. Nobody wants to do it (myself included), it takes forever, and everyone is looking for a way around it.
Incorporate training continuously throughout the year with real life case studies. Make it engaging and more interesting, and maybe people will do it properly.
This week's myth
“If each line of defence does its job, nothing important will fall through the cracks.”
The 3LOD framework is no longer fit for purpose. The 3LOD model expects risk and control to sit neatly within 3 swim lanes.
The 3 Lines Model (3LOM), set out in 2020 to replace it, hasn't really been enforced or communicated, and as such nobody applies it.
This didn't really work then, and it definitely doesn't work today.
Interesting Reading
Stuff to think about over coffee
https://thehackernews.com/2025/10/the-cybersecurity-perception-gap-why.html - 45% of the C-Suite are confident in their ability to address cyber issues, yet this drops to 19% among mid-level management and operational teams. The gap is only widening. We saw mixed evidence of this in 2024 and 2025.
https://kpmg.com/sg/en/insights/cyber/the-intelligent-age-requires-a-rethink-of-the-three-lines-of-defence-model.html - Interesting in the context that the advisory firms still fail to outline how the 3LOD model should actually operate as a whole, as opposed to in silos, which is one of the major issues.
https://www.cerrix.com/en/insights/blog/why-the-three-lines-of-defense-model-is-outdated-what-every-board-should-know-about-the-three-lines-model - Did the change by the IIA to the 3 Lines Model (in 2020) actually make a difference? The premise is collaboration across the lines, however there is no enforcement or encouragement to follow this regime. Many are still following the 3LOD model.
Thank you for joining our community as we look to share practical and thought-provoking topics when it comes to technology and security.
If you haven't already, click the signup button to subscribe and get the latest newsletter directly to your inbox.
We will do our best to provide well researched and tested theories. Please comment, agree, disagree, or share your own experiences.
We want this to be a safe space to share any opinions, with the objective of true learning and shared experiences.
Many thanks
Rohan