CHAPTER 8The Three Lines of Defense

INTRODUCTION

Nations have armies, diplomats, and border patrols to protect their citizens. Football teams have offensive lines to protect their quarterback, and defensive tackles, linebackers, and safeties to prevent the other team from scoring. The fact is that no entity can depend on a single line of defense to protect itself. Rather, a tiered approach is the most effective and efficient, and enterprise risk management is no exception.

Each of the structures I describe above has internal and external defense structures that can be viewed as a pyramid, the base of which are the “front lines,” which thwart the most obvious attacks. The next level both oversees that broad base and captures more elusive threats, and at the top, a highly refined cadre manages and monitors the lower levels while combating the threats that have penetrated the other lines. Take the human immune system, which has three lines of defense:

  1. External defenses: These are a combination of physical and chemical barriers—skin, mucus membranes, and fluids such as tears and sweat—that prevent many foreign agents from penetrating the outer layer of the body. These defenses are nonspecific, meaning that they are designed to thwart a variety of threats.
  2. White blood cells: Leukocytes (white blood cells) circulate throughout the body. If a pathogen penetrates the first line of defense, these nonspecific defense mechanisms encounter them and attempt to abolish them by engulfing ...

Get Implementing Enterprise Risk Management now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.