What models are in place for risk partners based in Line 2? What are the jobs to be done? How do they operate? What do the structure and operating rhythms look like?
VP of Information Security, 4 months ago
Does "risk partner, Line 2" mean defense in depth at the 2nd level?
It would be great if you could simplify the question or add some more details, like the purpose/situation.
Chief Product Officer in Software, 4 months ago
What is the context of your question? It sounds like you are referring to a piece of research or a chart ("Line 2"). Could you clarify?
The answer to your question has some generic factors and some industry-specific factors. I will reply from a US Healthcare perspective. A good way of thinking about Line 2 functions is to consider their "primary objectives". Are their primary objectives to produce the goods or services the entity offers, or are their primary objectives to protect the existing organization from uncertainty, bad internal choices/acts, or external threats? This helps to see value producers and value protectors. Value protectors make up the Line 2 risk functions. Some departments, like HR and Legal, play both sides, sort of landing in the middle of the spectrum.
In US Healthcare clear value protecting functions (on Line 2) include Compliance, Privacy, Information Security, Physical Safety, Clinical Risk, and Insurance (Hazard Risks). Those departments with some Line 2 responsibilities include Human Resources, Legal, Quality and Clinical Safety.
So, looking at Line 2 Risk Functions for US Healthcare, some have legal and professional expectations, Compliance and Privacy for example. These expectations define more than 75% of the framework within which they operate. Information Security, or Cyber Risk, has traditionally been defined by general Federal standards like NIST, leaving all of the more specific practices to related professional bodies, ISACA, etc. However, that is shifting towards more government standards. Insurable hazards, business continuity, etc. are usually considered an operational program with heavy financial tones and leading practices, with some government direction. For US Healthcare, Clinical Risk is derived from clinical professional associations, quasi-government standards, and survey organizations. In short, each of these functions draws from professional, quasi-government, and industry-leading practices to define their roles and deliverables.
Enterprise Risk Management envisions shared risk standards across these bodies, which can enable a database of risk from which to set priorities for these functions, executive management, and the Board. Some theorize that ERM, when done well, can create a set of statements from these entities of equal value to the organization as financial statements.