Three Lines of Defence - Cyber Risk RACI Matrix
Governance Control: Three Lines of Defence
1. Purpose
This matrix clearly delineates the roles and responsibilities of each line of defence and of key stakeholders for all core cyber risk management activities, ensuring there are no gaps or unintended overlaps in accountability.
2. Scope
This matrix covers all cyber risk management processes and activities across the three lines of defence (operational management, risk oversight, and independent assurance) as well as Board and executive governance bodies.
3. Matrix Content
3.1 RACI Definitions
R (Responsible): The role that performs the activity or does the work. Multiple roles may share responsibility.
A (Accountable): The single role ultimately answerable for the correct completion of the activity. Only one role is accountable per activity.
C (Consulted): Roles whose input is sought before or during the activity. Two-way communication.
I (Informed): Roles who are notified of the outcome or decision. One-way communication.
3.2 Risk Identification and Assessment
The following RACI applies to risk identification and assessment activities:
| Activity | 1st Line (Operations) | 2nd Line (Risk/Compliance) | 3rd Line (Internal Audit) | Executive/Board |
|---|---|---|---|---|
| Conduct operational risk assessments | R/A | C | I | I |
| Maintain cyber risk register | R | A | I | I |
| Perform threat and vulnerability assessments | R | C/A | I | I |
| Conduct independent risk assessments | C | R/A | I | I |
| Report risk assessment results to governance | C | R/A | I | A |
| Audit risk assessment quality and completeness | I | C | R/A | I |
3.3 Control Implementation and Monitoring
The following RACI applies to control implementation and ongoing monitoring:
| Activity | 1st Line (Operations) | 2nd Line (Risk/Compliance) | 3rd Line (Internal Audit) | Executive/Board |
|---|---|---|---|---|
| Implement security controls | R/A | C | I | I |
| Conduct control self-assessments | R/A | C | I | I |
| Monitor control effectiveness (operational) | R/A | I | I | I |
| Conduct independent control testing | C | R/A | I | I |
| Audit control design and operating effectiveness | C | C | R/A | I |
| Remediate control deficiencies | R/A | C | I | I |
| Track and report remediation progress | R | A | C | I |
3.4 Policy and Framework Governance
The following RACI applies to policy and framework governance activities:
| Activity | 1st Line (Operations) | 2nd Line (Risk/Compliance) | 3rd Line (Internal Audit) | Executive/Board |
|---|---|---|---|---|
| Develop and maintain cyber risk policies | C | R/A | I | A (approval) |
| Implement policy requirements operationally | R/A | C | I | I |
| Monitor policy compliance | R | A | I | I |
| Audit policy compliance | I | C | R/A | I |
| Review and update cyber risk framework | C | R/A | C | A (approval) |
| Report on framework effectiveness | C | R/A | C | I |
3.5 Incident Management
The following RACI applies to cyber incident management:
| Activity | 1st Line (Operations) | 2nd Line (Risk/Compliance) | 3rd Line (Internal Audit) | Executive/Board |
|---|---|---|---|---|
| Detect and triage security events | R/A | I | I | I |
| Execute incident response procedures | R/A | C | I | I (major incidents) |
| Assess incident risk and impact | R | A | I | I (major incidents) |
| Notify regulators and external parties | C | R/A | I | A |
| Conduct post-incident reviews | R | C/A | C | I |
| Audit incident response effectiveness | I | C | R/A | I |
3.6 Risk Reporting and Escalation
The following RACI applies to risk reporting and escalation:
| Activity | 1st Line (Operations) | 2nd Line (Risk/Compliance) | 3rd Line (Internal Audit) | Executive/Board |
|---|---|---|---|---|
| Report operational risk metrics | R/A | I | I | I |
| Produce enterprise cyber risk reports | C | R/A | I | I |
| Escalate material risks to governance | R | A | I | I |
| Provide independent assurance reports | I | I | R/A | I |
| Review and act on risk reports | I | C | I | R/A |
| Approve risk appetite and tolerance changes | I | C | I | R/A |
4. Compliance
Compliance with this matrix is mandatory for all personnel and functions within its scope. Compliance will be monitored through periodic audits, management review, and second line of defence oversight.
Exceptions to this matrix must be documented with a business justification, approved by [CUSTOMIZE: CISO/Executive Risk Committee], and reviewed at least annually.
5. Review and Revision
This matrix shall be reviewed at least annually by [CUSTOMIZE: CISO/Document Owner] and updated as necessary to reflect changes in the threat landscape, regulatory requirements, organizational structure, or risk appetite.
All revisions shall be documented with version number, date, author, and description of changes.
Document Approval
| Approved By | Title | Date |
|---|---|---|
| | | |
Document Control