Rising risk and regulatory compliance complexity are keeping more and more enterprise CFOs, their boards, and external stakeholders awake at night. Why?
CFOs are already burdened trying to ensure that the risk controls integral to finance are correctly performed and mitigated. In addition, they are responsible for board and C-suite reporting with an accurate, compliant enterprise-wide view; driving change in governance, risk, and compliance (GRC) practices; challenging the high cost of the status quo; and obtaining better, more timely information from finance and GRC professionals.
How can CFOs deliver on all of these mandates? The answer is to use the “three lines of defense.”
Originating from the European Commission, the three lines of defense is a globally accepted, integrated framework for managing GRC. The framework encompasses operational management (maintaining effective internal controls), risk management (assessing and monitoring risk), and internal audit. But is it working well enough to help the sleep-deprived CFO?
This was the subject of a recent Financial Excellence with Game-Changers Radio episode, on which producer/moderator Bonnie D. Graham addressed these questions to experts from Deloitte, the University of Texas System, and SAP. Listen to the episode.
Good news: Implementing the three lines of defense is basically worthwhile, per a Forrester Research report that states 63% of organizations surveyed are either implementing, planning to implement, or have already implemented the three lines of defense.
But despite this success, there are still problems, according to Bruce McCuaig, director of Solution Marketing for Governance, Risk, and Compliance Solutions at SAP. “There is nothing in the primary concept that tells people how to do it or what’s necessary. Most people have the pieces. But the pieces have to work together, and that’s not happening.”
How can organizations optimize their use of the three lines of defense?
Mark Salamasick, executive director of Audit for the University of Texas System, stated that education is the key. “It’s great in terms of a framework or a model that allows us to educate everybody and use the same terminology and nomenclature. That’s a great place to start because you’ve got to get buy-in from your president, CEO, and your boards, as for any kind of model that’s developed.”
For Elvia Novak, director of Audit and Enterprise Risk Services Practice at Deloitte, success strongly depends on the introduction of a chief risk officer role in the organization. “The job of the chief risk officer is to establish the risk appetite for the company. I think that has led to a lot of transformation over the last couple of years – having these three very distinct functions within a company that focus on different elements of risk.”
And those risk elements are more diverse than ever. “While we have core financial risks that are pretty applicable to any organization, there are specific risks that are associated with the environment and the industry in which you operate,” she continued. “They don’t necessarily have the same appetite or the same risk profile.”
For Bruce McCuaig, strategic risks can be enormous. “If you’re making an acquisition, developing a new product, or drilling a deep-water oil well in some offshore location, the consequences can be pretty severe if things go wrong. You have to understand the risk appetite and say to yourself, ‘Am I willing to accept those risks?’”
All three panelists agreed that one of the biggest areas of confusion with the three lines of defense involves the role assignments – in essence, who should be doing what.
According to Mark Salamasick, “A lot of people are trying to work towards what fits in the box, what’s the first line, second line, third line, and getting their organization to buy into it.”
Elvia Novak agreed. “We all need to understand who has responsibility. Who is accountable? And the roles need to be clearly defined and understood for a successful three-lines-of-defense road map or framework.”
Bruce McCuaig took it one step further. “The three lines of defense have to align with the organization’s objectives and strategies, and all those three lines have to know what they are.”
He gave a real-life example of a dashboard that is helping an SAP customer. “It shows the key performance indicators and risk appetite against the company’s strategies. To me, this is the neatest report I’ve ever seen, linking operating management to a second and third line of defense, and risk appetite and strategies.”
Mark Salamasick commented, “I just loved the example of a very simple dashboard that paints a picture of how the organization is doing.”
What does the future hold for companies that try to adopt this approach?
“I think the percentages that we had from the Forrester report will go up to 90% adoption by 2020,” said Mark Salamasick. “I also think you will find that additional guidance will be provided by numerous professional associations, and everybody will be speaking in the same language.”
Elvia Novak concurred. “In the year 2020, adoption will be pretty high. I think there will still be nuances and differences according to the industry and the risk profile of the company, but I do see the three lines of defense moving forward relatively quickly.”
Bruce McCuaig summed up, “I believe companies will build the capability that’s necessary and provide some insight to the board to help them understand how things are working and what’s going on, and how they can manage the business from a governance perspective.”
- Hear the complete discussion and learn more about successfully implementing the three lines of defense: Listen now.
- Discover the progress companies are making in implementing the three lines of defense. Read the Forrester report.
- View the video of the real-life dashboard example McCuaig gave (Exxaro customer story). View the video.