i-GRC And The Three Lines Of Defense

Bruce McCuaig

In my last blog, I appropriated the “i” from IDC’s The Rise of Intelligent ERP and, in a different blog, made the case that GRC professionals and standard setters are failing to adapt to the digital revolution.

What is i-GRC, you may ask, and what does it have to do with the three lines of defense framework?

It’s a fair question. Much has been written about the three lines of defense. It is widely acknowledged, but in my experience it’s misunderstood and loosely adopted at best.

To me, the fundamental outcome of a successful three lines of defense implementation is a continuous and self-correcting system to manage risks across the enterprise. Each line works independently but collaboratively to identify and assess risks and self-correct gaps. Without technology, it’s largely a manual process.

The technology required to digitize the three lines of defense is what I referred to as intelligent or "i" GRC. The information needed to manage the three lines of defense as a self-correcting system should be created by i-GRC.

i-GRC: self-detecting solutions for a self-correcting system

i-GRC technology should self-identify and self-manage risks, controls, compliance failures, loss events, issues, and other anomalies or patterns indicating nonconformance to defined standards.

Like i-ERP as envisioned in the IDC article, i-GRC will be distinguished by:

  1. On-demand, not manual, periodic GRC practices
  2. The adoption of machine learning and advanced analytics consuming data from a carefully designed and constructed data set
  3. i-GRC professionals with high levels of digital knowledge and expertise and indifference towards today's practices
  4. An orientation to the future, not the past, and a drive to contribute to business performance

I was inspired in writing this blog by an article from McKinsey & Company titled "The neglected art of risk detection." The premise is that risk detection can be automated. That's correct: I believe almost all aspects of GRC management can be digitized. The technology required is available today.

Embedding i-GRC in the business

Today’s GRC practices won’t survive the digitalization of the business. Digitalization does not mean automating today’s professional practices.

Most of what the business needs to know to manage the three lines of defense is already captured in digital form and can be detected and managed with tools that are rapidly emerging. Professional practices that impose structured manual methodologies aren’t necessary. For example:

  • Technology exists today to detect unusual and unwanted anomalies and patterns. For example, credit card companies use technology to detect and block fraudulent transactions.
  • Predictive tools exist to extrapolate and refine detection. Algorithms that detect anomalies can be tested and improved automatically.
  • Continuous monitoring and alerts are available today. Rule sets can be created to identify issues.
  • In-memory real-time processing is here now. Massive amounts of data can be accessed and processed almost instantly.
  • Machine learning to support self-correction is also here now. Incidents can be detected and associated with risks. Controls can be adjusted.
  • Collaborative tools to collect and share knowledge and collective wisdom exist. Risk surveys can penetrate the first line of defense and detect new or emerging risks.
  • Analytical tools to aggregate, report, and visualize are available. A single source of truth is a good start. Now everyone can see everything in visual form at the same time.

Few of these technologies are in use by GRC practitioners today. Few if any professional standards or frameworks recognize their existence, let alone require their adoption.

Ending the inertia

Most practitioners I have spoken with see themselves standing outside the business looking in, with risk identification, control, compliance, and audit practices dictated by the standard-setters and regulators.

Some think digitalization will drive demand for more audits, more risk assessments, more controls, and more testing.

Instead, I suspect that i-GRC technologies will eventually be deeply immersed within the business, creating self-detecting, self-healing capabilities to drive the three lines of defense.

Testing the vision

My colleagues and I have been trying to develop the value proposition for using our technology to perform today’s GRC practices at the speed of light. There is none.

Please share your thoughts

  • Is there such a thing as i-GRC?
  • Will today’s standards and practices survive digitalization?
  • Have you implemented the three lines of defense in your organization?
  • What digital technologies are you using today in your GRC practice?

This article originally appeared on SAP Analytics.

About Bruce McCuaig

Bruce McCuaig is director of Product Marketing at SAP GRC solutions. He is responsible for development and execution of the product marketing strategy for SAP Risk Management, SAP Audit Management, and SAP solutions for three lines of defense. Bruce has extensive experience in industry as a finance professional, as a chief risk officer, and as a chief audit executive. He has written and spoken extensively on GRC topics and has worked with clients around the world implementing GRC solutions and technology.