New Study Highlights Three Lines Of Defense For GRC

Jean Loh

At a time when governance, risk, and compliance (GRC) are a top priority for financial executives worldwide, SAP has commissioned a study to survey strategies major organizations are employing to address this pressing issue.

Conducted by Forrester Consulting in August 2016, Adopt Three Lines of Defense Technology To Manage Governance, Risk and Compliance (GRC) reports on a survey of 231 executives worldwide who are influencers or decision makers on the three lines of defense, a proven operating model for managing GRC. One key recommendation: board members should have access to real-time data linking risk management to business performance.

The model takes an organization-wide approach, engaging top management as its first line of defense. Risk management, compliance, security, and legal departments comprise its second line of defense, and the independent internal audit function is its third line.

Firms face multiple challenges in meeting GRC priorities

The survey reiterated the importance of developing a broad-based GRC strategy, such as the three lines of defense, with 76% of respondents agreeing that it was critical to foster a corporate GRC culture. However, organizations face multiple challenges in meeting GRC priorities, as the following chart indicates:

[Chart: objectives for governance, risk, and compliance]

Enter: three lines of defense model

Three-quarters of respondents said that although they had clear guidelines for all three lines of defense, they continue to be challenged in implementing the model across the business. Looking at each line of defense individually, the study highlighted how executives can successfully implement it.

First line of defense: drive deeper understanding at the top

Boards and top management need to:

  • Assign primary responsibilities for managing specific risks
  • Have board backing to ensure performance of risk and compliance activities
  • Clearly communicate and enforce risk and control policies corporate-wide on an ongoing basis
  • Be able to track and measure risk management performance

Fewer than 30% of respondents were following these guidelines.

Second line of defense: boost standards and practices

To bolster the second line of defense, executives need to:

  • Clearly define frameworks and methodologies for assessing the potential risk of business functions
  • Make these frameworks and methodologies transparent to all lines of defense
  • Share frequent updates on residual risk with the board

Over two-thirds of respondents lack the right tools to ensure that all relevant GRC policies and procedures are shared, integrated, and enforced company-wide.

Third line of defense: enhance auditing functions

GRC leaders need to enhance the capabilities of their auditing team by:

  • Partnering with GRC functions across the other lines of defense so relevant risk information is shared and visible
  • Investing in a platform that allows auditing to clearly communicate findings and provide actionable recommendations
  • Upskilling and upgrading auditing’s use of technology

Fewer than one-third of respondents said their independent auditors provide visibility on actions taken to close risk management gaps. Additionally, only a quarter of audit functions are communicating their findings and providing recommendations on controls.

Expanding the role of technology to support the three lines of defense

Respondents indicated that their companies are expanding, or planning to expand, their use of technology to better support the three lines of defense. The clear majority are looking for greater insight into GRC processes through GRC dashboard and reporting tools, risk management systems, advanced analytics, and IT security management. They are also looking to invest more heavily in control monitoring and audit management tools.

However, efforts are often piecemeal and not yet on target to stretch across the entire organization.

Steps to enable the three lines of defense

The study pointed to important steps executives should take “to build resilience now to anticipate and respond to crises”:

  • Better engage the board: Encourage a top-down approach through active involvement by the board in overseeing the three lines of defense. Board members should be given access to real-time data linking risk management to business performance.
  • Invest in tools that encourage automation: Enhance technology capabilities to automate GRC processes and provide real-time access to data for each line of defense.
  • Consider a technology partner to help close the gap: According to respondents, technology partners should offer solutions that support stakeholders across the business (52%), provide insights on risk through analytics (45%), and ensure solutions can be quickly deployed (47%).

To learn more, read the entire report: Adopt Three Lines of Defense Technology To Manage Governance, Risk and Compliance (GRC).

For more resources on Enterprise Risk and Compliance Management, check out the GRC e-book and the Value Calculator.

About Jean Loh

Jean Loh is the director, Global Audience Marketing at SAP. She is an experienced marketing and communication professional, currently responsible for developing thought leadership content that is unbiased and audience-led while addressing market challenges to illuminate and solve the unmet needs of CFOs, CIOs, and the wider global finance and IT audience.