Measuring Performance Of The Three Lines Of Defense

Bruce McCuaig

The Three Lines of Defense concept was first introduced in 2006 as a proposal for better equipping audit committees. Here is a simple illustration of how it is supposed to work:

Is it working?

The concept is blindingly simple. No one seems to disagree on its merits. But it may come as a shock to some governance, risk, and compliance (GRC) professionals that it is not working, not even a little.

What’s the problem?

Historically, GRC professionals have never really collaborated. A vague conceptual framework saying they should was never going to work. Surveys show everyone likes it but no one is doing anything about it.

The problem is the framework did not suggest any performance measures or provide any implementation guidance.

What’s the solution?

The first step is defining some reasonable outcomes. Below is a summary of what we think management and boards should expect.


What’s needed?

Implementing the Three Lines of Defense means overcoming a number of obstacles and inventing tools and processes for practitioners to follow and use:

  • The Three Lines of Defense advocates a risk-based approach, but which one and how would it work?
  • What tools and technologies are available and how do they work?
  • GRC silos have proven impossible to break down, but do they need to be broken down? Can we have specialization without silos?
  • What reports are necessary and who should get them?

The Three Lines of Defense framework doesn’t provide guidance on these or most other implementation requirements.

Finding the answers

We’d like to know your experience in implementing the Three Lines of Defense. Does it work in your business? Do you agree with the outcomes we have listed above?

Join me at SAPinsider GRC2016 and attend my session, “Implementing the Three Lines of Defense: Getting risk, compliance, and audit to talk to each other,” which offers some of our ideas and introduces some tools we have developed for the journey.


About Bruce McCuaig

Bruce McCuaig is director of Product Marketing at SAP GRC solutions. He is responsible for development and execution of the product marketing strategy for SAP Risk Management, SAP Audit Management, and SAP solutions for three lines of defense. Bruce has extensive experience in industry as a finance professional, as a chief risk officer, and as a chief audit executive. He has written and spoken extensively on GRC topics and has worked with clients around the world implementing GRC solutions and technology.