Do you have a second line of defense team? What frameworks do they cover - SOX only or more? Where does this team report in the organization (i.e. CFO, Accounting, Legal, Chief Compliance Officer, CEO, CAE, etc.)?

Vice President - Internal Audit and Enterprise Risk Management in Healthcare and Biotech, 6 months ago
Our Ethics & Compliance program reports up to our Chief Compliance Officer, who in turn reports to our Chief Legal and Risk Officer. We also have an IT-centric second line function (reporting to our CISO) that provides security and control guidance to the organization. They cover multiple frameworks, including NIST and HITRUST, as well as the controls frameworks utilized for our SOC 1 and SOC 2, plus any regulatory-driven control requirements.
Chief Financial Officer, 6 months ago
I have a very active and integrated second line of defense who do ERM (including hosting a cross-functional risk committee), SOX and IA. They report to the CFO and are accountable to the Audit Committee.

They have very good connections across the whole company, they add a lot of value.
VP of Legal in Energy and Utilities, 5 months ago
We're in the process of scaling our Compliance team to perform second line of defense control testing; our current frameworks are OSHA, SOX, and some bespoke regulatory requirements specific to our business. Compliance reports to our Chief Growth Officer as we are in the process of building out an in-house Legal function.