Risk Governance Ecosystem in Information Communications Technology Industry using the Three Lines of Defense (3LOD) Framework Approach in the Philippines
Abstract
Several frameworks have been developed to ensure organizational compliance and resilience amid the increasing complexity of risks in the Information and Communication Technology (ICT) industry. This study explores the risk governance ecosystem of the Philippine ICT sector through the lens of the Three Lines of Defense (3LOD) framework, which comprises operational management, risk oversight, and independent assurance. These components are known for offering a structured approach to risk management and internal control. Using a quantitative research design, data were collected from 225 ICT professionals in the National Capital Region (NCR), including compliance officers, risk managers, financial executives, and internal auditors. The study examined the extent to which risk culture, regulatory environment, and ICT infrastructure influence the implementation of the 3LOD framework. Descriptive findings revealed that all three predictors were perceived to have a “very high effect,” with ICT infrastructure (x̄ = 3.53) ranking highest in its perceived influence. However, inferential analysis showed that ICT infrastructure had the most significant effect across all 3LOD components: operation management (β = 0.4861, p = 0.003), risk management and compliance (β = 0.6449, p < .001), and internal audit (β = 0.7715, p < .001). Regulatory environment had a significant impact on operation management (β = 0.4007, p < .001), but its influence on risk and audit functions was statistically non-significant. Despite being rated highly, risk culture exhibited no significant effect on any governance components, suggesting a gap between cultural awareness and operational integration. The study contributes theoretically by reinforcing socio-technical systems theory, emphasizing that technological systems are foundational to risk governance.
It challenges traditional views that prioritize risk culture without operational mechanisms and partially validates institutional theory by showing that regulatory influence is more apparent in external-facing functions. The proposed framework highlights ICT infrastructure as the central enabler, regulatory environment as a partial driver, and risk culture as an underutilized foundational element. Ultimately, this research offers empirical support for enhancing the 3LOD framework’s implementation in the ICT industry. It provides insights for refining governance strategies, informing policy formulation, and guiding future research across diverse ICT environments to promote more resilient and adaptive risk management practices in the Philippines.
Article information
Journal
Journal of Business and Management Studies
Volume (Issue)
7 (5)
Pages
117-131
Published
Copyright
Open access

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.