Nations have armies, diplomats, and border patrols to protect their citizens. Football teams have offensive lines to protect their quarterback, and defensive tackles, linebackers, and safeties to prevent the other team from scoring. The fact is that no entity can depend on a single line of defense to protect itself. Rather, a tiered approach is the most effective and efficient, and enterprise risk management is no exception.
Each of the entities I describe above has internal and external defenses that can be viewed as a pyramid. The base is the “front lines,” which thwart the most obvious attacks. The next level both oversees that broad base and captures more elusive threats. At the top, a highly refined cadre manages and monitors the lower levels while combating the threats that have penetrated the other lines. Take the human immune system, which has three lines of defense: