How CFOs Can Manage Risk With Three Lines Of Defense

Chris Grundy

Can you assure that your company proactively and effectively manages risk while meeting an ever-growing number of technological challenges? During an SAP Game-Changers radiocast, panelists Ganesh Ram, lead of the PricewaterhouseCoopers governance, risk, and compliance (GRC) team; Kevin D. Heckel, director of the cyber-risk services area at Deloitte & Touche LLP; and Jérôme Pugnet, senior director of product marketing for GRC solutions from SAP, discussed how technology can enhance the “three lines of defense” model.

Protect your business from becoming obsolete

Ram challenged companies to consider complex third-party relationships that keep their suppliers and consumers interconnected in a massive technology-driven ecosystem. He stated that the three-lines model helps ensure that a business can sustain all challenges it faces. So what do the lines look like?

  1. Operational management teams that run the business from the front lines
  2. Risk management and compliance functions to implement and monitor effective risk management practices and robust internal controls
  3. An internal audit or oversight function that ensures that the management team is performing its job properly

These are supplemented by external auditors, who provide advisory support as experts with fresh eyes and no bias (sometimes qualified as “the fourth line of defense”).

According to Ram, most companies place too much importance on the first line and not enough on the second two. “It’s worth reflecting on whether your focus is on what really matters from a risk management perspective – and if investments in risk management and lines of defense give you the return that you plan for,” he said.

Manage risk for the right reasons

Heckel mused on how risk management has evolved from a necessary evil to a major business driver at the board level. However, he cautioned, “It’s not a value. It’s a cost to the overall compliant agency. What are you doing and why are you doing it? Are you doing it for the right reasons?”

Pugnet explored these questions, citing social media as a prime reason for expanding a business’s outlook on what risk really means. A company’s reputation can suffer serious damage in just minutes if a negative post goes viral.

The challenge, according to Heckel, is to be resilient and respond quickly and appropriately to such situations. You want to do whatever it takes to keep customers or avoid ending up in the headlines for the wrong reasons.

Achieve balance

Ram thinks it’s important to treat governance, risk, and compliance as a balancing act, and to use the three-lines model as a strategic advantage instead of a crutch or a reason to avoid any risk at all.

Such balance is most critical when expanding your business, according to Pugnet. If you acquire a new company, you need to cover the requirements across the three lines of defense. This necessitates bringing this company into the overall compliance system – a challenging endeavor. You might find that existing systems are not scaling very well, which creates additional work without available resources. That’s when it’s important to turn to those second and third lines of defense – which can include technology that streamlines processes and catches oversights before they become massive issues.

Finally, the panelists agreed that risk and control are often approached as separate silos with a significant amount of overlap. By working collaboratively across those lines of defense to reduce redundancy, you can cut your overall compliance cost. To learn more about the three lines of defense, listen to the full radiocast.

For more information about how finance executives can empower themselves with tools for risk management, read this report.


About Chris Grundy

Chris Grundy is the Director of Product Marketing at SAP. His specialties include lead generation, product management, business analytics, and marketing management.