What’s New In The World Of Three Lines Of Defense?

Thomas Frenehard

Recently, when I’ve mentioned “Three Lines of Defense” on Twitter or LinkedIn, it seems I instantly receive comments claiming that it’s dead! Those comments provide no more content or justification than this simple statement.

Allow me to strongly challenge this perception. As a matter of fact, the SAP Conference on Internal Controls, Compliance, and Risk Management earlier this year, and the presentations delivered by our customers, clearly indicate that this is not the case everywhere… if even anywhere. As a result, I thought I’d try to list – from my perspective, at least – what has changed in the world of three lines of defense in the last few years to illustrate why organizations continue to adopt this framework.

Automation of the first line

More and more organizations are automating the work of the first line and using the results – and most importantly, the discrepancies in results – as a feed for the third line’s work.

I think there were two factors that jointly made this successful: the increased maturity of organizations and the evolution in technology. Tools for control automation, for instance, have been in the market for a while. But in most cases, the definition of the automated rule was cumbersome, and business owners often relied on IT for its delivery.

With a more intuitive object-based approach, business owners have been empowered to create these rules themselves. Furthermore, they can even simulate the rules and analyze the types of exceptions raised before rolling them out on a set frequency. This has also enabled many organizations to shift from a detective approach, where controls would only “catch” issues after the fact, to a more proactive situation by leveraging detection patterns to identify negative trends and correct situations more rapidly.

Integration and recognition by the business

Another major difference is a deeper integration into the business. Previously, control, risk, and audit departments were operating in somewhat of a silo. Yes, they could rely on correspondents embedded in the operations, but they were rarely perceived as true business partners. More and more, I hear of business heads reaching out to control, risk, and audit teams to help them improve their processes. To me, this is a recognition of their added value.

One of the factors that could have triggered this change of behavior is a new tone at the top: many executives now request live enterprise-risk information in the reports they use on a daily basis to steer the business. The days of the six-month-old heat map are gone. Executives want – and use – interactive information on the exposure of their organization and what is being done to mitigate the risks, even for non-board-relevant or critical threats.

Shift to the cloud

I can’t count the number of times that I have been told that information on enterprise risks was too critical to put in the cloud. Now that we are seeing an increase in cloud adoption with companies putting their entire systems (including enterprise resource planning) in the cloud, this thought seems to be fading as well.

Undeniably, organizations are adopting cloud solutions for three lines of defense, and they are doing so for a few reasons, including to:

  • Leverage best practices from the market
  • Accelerate adoption of new innovations while reducing upgrade efforts
  • Lower total cost of ownership, meaning a faster time to value
  • Benefit from subscription-based pricing

This last point is important because it means companies are not only shifting to operational expenditure and therefore reduced upfront investment, but also that they can scale their licensing to follow closely the tool’s adoption. If the tool delivers on its promises, then organizations can more easily increase the number of subsidiaries, departments, countries, users, etc. in the scope of the implementation.

I certainly don’t assert that this list is exhaustive. I simply want to share with you my belief that three lines of defense is not “dead,” but very much alive and kicking, and to provide a few supporting examples.

But what about you? Are there other aspects of the three lines of defense framework that you are seeing evolve? I look forward to reading your comments on Twitter @TFrenehard

Learn more

This article originally appeared on the SAP Analytics blog and is republished by permission.


Thomas Frenehard

About Thomas Frenehard

Thomas Frénéhard is a director in the Governance, Risk, and Compliance Solution Management team at SAP. His particular responsibility is with SAP Risk Management. Thomas's other functional areas of focus are in internal control and compliance management and audit management. In this role and in constant interactions with SAP’s network of partners, clients, and internal stakeholders, Thomas is responsible for bringing together technology, skills, and products to deliver an always-compelling solution for enterprise risk management.