Three Lines Of Defense In The Public Sector

Bruce McCuaig

What we now know as the three lines of defense originated in the public sector.

Risk management frameworks and risk-based approaches proliferate in the public sector. In the U.S., OMB Circular A-123 is the best-known example. If memory serves, this originated in the mid-1980s. But in most OECD member countries, risk management frameworks exist at least at the federal level, and the OECD itself offers its own risk management framework.

In fact, for guidance and insight beyond COSO ERM or ISO 31000, look to the public sector, which offers highly advanced and detailed guidance. The U.K., Australia, Canada, and South Africa, to name just a few, have long-established and comprehensive risk management frameworks.

We may smugly consider the public sector to be less advanced in practices than the private sector. But telling the public sector they need “three lines of defense” is preaching to the converted. They started it and should continue to lead the way.

Where does the three lines of defense model fit in the public sector?

In the private sector, we produce and sell goods and services to customers to earn a profit or add value. Our approach to governance, risk, and compliance is focused on operational and, to a lesser extent, strategic risks. To some extent, business performance is a measure of risk management.

In the public sector, our governments create and deliver programs involving massive expenditures of our tax dollars. There is no income statement with net profit or a bottom line that provides a benchmark for assessing performance. Of course the public sector faces operational risks in managing the business of government. But the success of government lies in its ability to provide the programs its legislators approve and to achieve the intended benefits.

For example, governments may decide to implement and subsidize green energy programs, healthcare initiatives, infrastructure projects, trade agreements, farm subsidies, or any number of other regulations and programs. These programs span many years and typically cost millions or billions of dollars.

What can go wrong? Just about anything can and does go wrong, and we see both soaring successes and catastrophic failures.

The three lines of defense in the public sector should provide an overarching framework and standards, assign accountability for identifying and managing risk, and provide for independent assurance. To varying degrees, the frameworks mentioned above provide for all of these things.

What’s the problem?

The public sector invented the three lines of defense and has promulgated the concept internationally – working to implement it in the most challenging environment imaginable. If there is a problem, and there are enough massive policy failures to suggest there is, it is because of the staggering complexity and magnitude of risks facing the public sector.

In many cases what’s missing is integrated, enabling technology that provides the capabilities needed to put the framework into practice.


Research conducted by Forrester for SAP suggests that the private sector is turning to the use of technology to support the three lines of defense. In my mind, the public sector has led the way so far in implementing this framework. Now, public sector organizations need to maintain that lead by demonstrating how technology can be used to identify, assess, and respond to the risks they face. I suspect we will be able to learn a great deal from their success.

To continue the discussion on the three lines of defense, please join me on December 8, 2016 for our webinar, A Case Study in Going Beyond Three Lines of Defense to Create Stakeholder Value – embedding integrated thinking at Exxaro.


About Bruce McCuaig

Bruce McCuaig is director of Product Marketing at SAP GRC solutions. He is responsible for development and execution of the product marketing strategy for SAP Risk Management, SAP Audit Management, and SAP solutions for three lines of defense. Bruce has extensive experience in industry as a finance professional, as a chief risk officer, and as a chief audit executive. He has written and spoken extensively on GRC topics and has worked with clients around the world implementing GRC solutions and technology.