Three Lines of Defense: A Window For GRC In The Digital Boardroom

Bruce McCuaig

My colleagues and I have been blogging frequently about the three lines of defense. Surveys show that most of our customers around the world have implemented the three lines of defense framework or are planning to do so.

What is not fully appreciated by most is that the three lines of defense is not an end result in and of itself. Implementing the framework is merely the stepping stone to a seat for governance, risk, and compliance (GRC) in the digital boardroom.

  • The three lines of defense has no purpose other than to build reliable information
  • GRC has no purpose but to provide a lens to manage the business

But two problems persist.

Problem #1: The three lines of defense don’t talk to each other

GRC professionals’ unspoken goal is to make GRC a manageable dimension of the business. Today, GRC professionals produce numerous varieties of exception reports, but all are in silos:

  • Heat maps illustrate risk but not the impact of risks on business performance
  • Reports on control effectiveness are silent on the risks they relate to
  • Audits are planned based on risks that are irrelevant to the business
  • None of the three pillars of the three lines of defense talk to each other, nor is there any attempt to reconcile their views or to ensure coverage is complete and accurate

The first step in making GRC a manageable dimension of the business is to build a reliable database of information. That’s the job of the three lines of defense framework.

Problem #2: GRC data isn’t aggregated for reporting to management and the board

Management and boards deal in business strategy and performance. Traditional approaches to GRC don’t link to business objectives or the risks and controls that impact performance.

The second step in making GRC a manageable dimension of the business is to use technology to aggregate and integrate the data and provide a basis for managing GRC strategically.

Two proofs of concept

In the last few weeks, my colleagues in solution management, solution experience, and products have achieved breakthroughs. They have developed proofs of concept for reporting among the three lines of defense in our demo environment.

Our three lines of defense reports allow each line to review its contributions for quality and completeness and then hand off its data for review, assurance, and reporting using standard reporting tools.

GRC in the digital boardroom

My colleagues have also demonstrated how the data created by the three lines of defense can be extracted and viewed. These two developments are true breakthroughs. But this blog is not the best medium to explain and illustrate the power of these proofs of concept. You need to see them in person.

They will be demonstrated at SAPinsider GRC2017 in Las Vegas, March 21-24. If you aren’t already planning to attend, these presentations by my colleagues are sufficient reason to register. I hope to see you there.

Learn more at GRC2017 in Las Vegas. Register here for SAPinsider GRC2017.

This article originally appeared on SAP BusinessObjects Analytics. It is republished by permission.


About Bruce McCuaig

Bruce McCuaig is director of Product Marketing at SAP GRC solutions. He is responsible for development and execution of the product marketing strategy for SAP Risk Management, SAP Audit Management, and SAP solutions for three lines of defense. Bruce has extensive experience in industry as a finance professional, as a chief risk officer, and as a chief audit executive. He has written and spoken extensively on GRC topics and has worked with clients around the world implementing GRC solutions and technology.