Implementing the three lines of defense approach, and more broadly a complete set of governance, risk, and compliance (GRC) solutions, has never been more critical. There are several reasons for this, from regulatory pressure with continuously evolving obligations and legal requirements to the spread of risks such as fraud, threats to reputation, third-party and cyber risk, and so on. In parallel, CFOs are concerned more than ever with the costs associated with these requirements, as reactive approaches to compliance and scattered responses to the diverse types of risks have generated silos and duplications.
Establishing a strong, automated three-lines-of-defense platform
At SAP, we’ve recently commissioned research to better understand and measure these challenges and how companies are planning to solve them going forward. For example, last summer we published with Forrester Research a Technology Adoption Profile on the three lines of defense.
To break silos and improve performance, more and more companies seek to re-centralize GRC information and automate GRC processes. This is also important to gain consistency—with increased efficiency and effective responses to risks and compliance needs—and improve assurance.
This often translates into opting for a three lines of defense approach, supported by a robust, integrated technology platform. This is key to allowing organizations to share critical GRC information (such as information on risks, controls, and issues) and to ensure that stakeholders in each line (operations, central functions, internal audit) collaborate effectively and efficiently.
But there’s more
The automation and integration brought by GRC technology to better monitor risk and controls has created the need to go further and check for deeper, hidden issues that might expose companies to fraud and financial losses, negative impacts on their brand and reputation, or compliance fines. Technology innovation around Big Data capabilities, predictive analytics, and cloud has brought opportunities to develop solutions that can:
- Tackle these less visible risks and issues
- Better predict their occurrence
- Improve even further the high level of protection already delivered by a strong, integrated three lines of defense platform
In this way, they very effectively complement the risk and compliance core, providing an extra layer of protection and helping improve business integrity in key processes like finance, procurement, treasury, tax, and so on.
One of the first areas where these innovative complementary solutions have been developed is the fight against fraud. This is a logical response given the growing concern fraud represents for companies in all industries, and their increased exposure to this type of risk in a more connected world and fast-digitizing economy.
In the same way, companies also develop their business network and partner with more and more third parties to grow their business (suppliers, sub-contractors, service providers), and they seek to connect and interact faster and more efficiently with their customers. All this also multiplies their level of risk. Their need to screen and monitor these third parties calls for specialized solutions to complement existing control and risk oversight processes.
Lastly, the notion of business integrity extends to protection against any type of anomaly or issue that requires deeper analytical capabilities—misuse, errors, waste, compliance misses, wrong tax postings, and so on. The need for these additional solutions that can identify and help remediate such issues is expanding rapidly in the world of live business (digitization, networks, business velocity, and so on).
The forensic approach: a useful analogy
The requirement to chase potential fraud, anomalies, or waste and abuse in business transactions—which is often like looking for a needle in a haystack—can be compared to what police and specialized investigators do when searching for clues after a crime. They need to look deep into all the information, relationships, and evidence they can find, while also relying on a level of intelligence, methodology, and experience to conduct their investigation.
Business integrity solutions developed to complement the GRC core around the three lines of defense also need these capabilities:
- Analyze deep into the data
- Rely on detection rules and strategies
- Leverage predictive analytics
- Continuously improve based on earlier findings in similar patterns
If we take fraud as an example, patterns are the elements these solutions look for to identify potential cases, just as a forensic investigator would.
In both cases, there is also a predictive dimension: looking at historical data and patterns makes it easier to predict and anticipate a fraud case or other anomaly, just as police investigators learn from experience.
Given these shared characteristics, we could group fraud detection and investigation, third-party screening, compliance checking, and other anomaly-scanning capabilities under a term like “forensic solutions.” As part of GRC, they powerfully help manage a set of risks and compliance needs.
To learn more on how to manage risk proactively by enhancing the “three lines of defense” model, please attend this presentation at SAPPHIRE NOW, Heighten GRC Maturity by Embedding Control in Related Business Processes, Thursday, May 18, 1 p.m. EDT by Bob Crochetiere, executive solutions advisor at SAP.
- Read the Technology Adoption Profile on the three lines of defense.
- Read our other Three Lines of Defense blogs.
- Read the GRC Tuesday series of blogs.
This article, GRC Tuesdays: Using New Forensic Applications in GRC to Strengthen the Three Lines of Defense, originally appeared on the SAP BusinessObjects Analytics blog and has been republished with permission.