Featuring:

Alla Valente and Cody Scott, Senior Analysts

Show Notes:

The three lines of defense (3LOD) framework was developed for a very specific purpose: to help banks define roles and implement segregation-of-duties requirements in the wake of a major financial crisis. It was never meant to be a framework for enterprise risk management processes. Then why is it still used as one?

In this episode, Senior Analysts Alla Valente and Cody Scott walk through the new Forrester Continuous Risk Management Model that is designed to provide risk leaders with what they have always wanted: a blueprint for a holistic risk management process.

The episode starts with a short history of how 3LOD came to be used as a risk management framework and how some critical gaps prevent organizations from fully addressing risks across the enterprise. “If compliance does not equal risk management, then we should be using a model that’s actually meant and purpose-built for the purpose of managing risk and not just ensuring that you are meeting a set of requirements from two decades ago,” Valente says. Scott adds that 3LOD “says nothing about how capable an organization is in anticipating risks or aligning mitigation strategies with their goals.”

Later in the episode, the analysts review the new Forrester Continuous Risk Management Model, which was developed specifically to address the limitations of 3LOD. According to Scott, “We define risk as being three things: It’s dynamic, it’s shared, and it’s continuous.” As such, businesses need risk processes that evolve alongside these realities, he says, adding that this is how the new model was developed. From there, Scott walks through the structure of the eight-part model, providing details and examples of its benefits along the way.

The episode closes with a short discussion about how to implement the new model, with Scott emphasizing that it does not take a full transformation. In fact, Valente points out that it can coexist with 3LOD in a broader risk management strategy. “This is the question that we get very often,” she says. “How do we organize a risk management function that uses the three lines of defense but still enables us to manage risk holistically and make sure that we’re agile and supporting the business goals of the organization?” Finally, there is an answer to that challenge.