The Three Lines of Defense concept was first introduced in 2006 as a proposal for better equipping audit committees. Here is a simple illustration of how it is supposed to work:
Is it working?
The concept is blindingly simple. No one seems to disagree on its merits. But it may come as a shock to some governance, risk, and compliance (GRC) professionals that it is not working, not even a little.
What’s the problem?
Historically, GRC professionals have never really collaborated. A vague conceptual framework saying they should was never going to work. Surveys show everyone likes it but no one is doing anything about it.
The problem is the framework did not suggest any performance measures or provide any implementation guidance.
What’s the solution?
The first step is defining some reasonable outcomes. Below is a summary of what we think management and boards should expect.
Implementing the Three Lines of Defense means overcoming a number of obstacles and inventing tools and processes for practitioners to follow and use:
- The Three Lines of Defense advocates a risk-based approach, but which one and how would it work?
- What tools and technologies are available and how do they work?
- GRC silos have proven impossible to break down, but do they need to be broken down? Can we have specialization without silos?
- What reports are necessary and who should get them?
The Three Lines of Defense framework doesn’t provide guidance on these or most other implementation requirements.
Finding the answers
We’d like to know your experience in implementing the Three Lines of Defense. Does it work in your business? Do you agree with the outcomes we have listed above?
Join me at SAPinsider GRC2016 and attend my session, “Implementing the Three Lines of Defense: Getting risk, compliance, and audit to talk to each other,” which offers some of our ideas and introduces some tools we have developed for the journey.