Reporting On The Three Lines Of Defense: The Problem With Truisms

Bruce McCuaig

“The delay in boarding your flight is caused by the late arrival of the incoming flight.”

We’ve all heard this announcement in our travels. There’s a name for a statement like this; it’s called a truism. A truism is a statement that is both unquestionably true, and useless. It is a common phenomenon in the world of GRC, and the Three Lines of Defense must solve it.

What would it take to make this announcement useful? I would like to know why the incoming flight was delayed. Did the pilot sleep in? Was the incoming flight delayed by the late arrival of another flight? Was there a mechanical failure? Bad weather? How often has this occurred with this airline, with this aircraft, on this route?

Knowing this information would not change my predicament as a traveler. However, next time I might choose a different airline or itinerary. Prevention is better than cure.

What I really need to know is when my flight will board, when it will depart, when it will arrive, and whether I will miss my connection or my meeting. I need to know what alternate arrangements I can make or if I should cancel my trip or reschedule it.

Truisms do not tell us anything. They provide no insight, no basis for action, and no solution. But they are irrefutable.

Truisms flourish in GRC, where they usually pass for wisdom. Like the announcement made by the passenger agent, we report truisms and let management scramble to find an answer.

3 fundamental truisms in governance, risk, and compliance

  1. Deficiencies are caused by ineffective controls
  2. Unmitigated risks may result in a loss
  3. Segregation of duties prevents fraud

These are oversimplified, but they are all truisms most of us see or report daily. In the world of GRC, we tend to dress them up a little. We color-code ineffective controls red and place risks in a heat map. Rarely, if ever, do we provide any substantial information that would lead to insight, a basis for action, or a solution. We find and report truisms.

Here is what I need to know to make this information useful:

  1. If a control is ineffective, I need to know why. I need to know the nature of the ineffective control, preferably classified by its COSO category, and the root cause of its failure. How many times did the control fail and how many times did I plan for it to fail? I need to know the qualitative and quantitative impact on my business performance of that failed control. I need to know how to manage the specific control and others like it, and how to monitor the performance of the control. (By the way, I need this same information if the control is deemed effective.)
  2. If a risk is unmitigated, I need much of the same information. What is the nature of the risk, what causes the risk, how often has it occurred, what have the consequences been, how does it affect performance? What was my expected loss and what did I actually lose? What are some mitigation options, and how effective are they and what do they cost?
  3. Segregation of duties in and of itself is a truism. I am a big fan of segregation of duties when properly applied. Technology vastly improves the ability to assign roles and automate segregation of duties. I am a big fan of that technology. However, what is the cost to my business? How does unnecessary segregation of duties influence operating cost? Who is trying to defraud me and how can I identify and deal with them before they do? Are there other ways to get the same benefit? Could I get a better result if I managed compliance with the code of conduct and integrity better?

Truisms block knowledge

Many of my colleagues and I have struggled to understand why customers have failed to adopt technology that would automate monitoring of risk and control in the face of its proven ability to drive efficiency and performance. Similarly, we are now trying to design useful reports on the activities and results from the Three Lines of Defense and finding it difficult.

The problem is that if we rely on truisms, we do not need knowledge. We manage each risk, each control deficiency, each issue, each audit one at a time. Strategic management and decision making with GRC is impossible. How do you put a truism on a dashboard? How do you aggregate and synthesize truisms? How many truisms does it take to create knowledge?

Technology and truisms

Technology gives us the ability to answer, analyze, and report everything we need to know to improve the performance of our GRC processes, including the Three Lines of Defense. It is possible to:

  • Discover and map cause/effect relationships
  • Classify GRC information using taxonomical structures that exist now
  • Understand the effect of GRC information on business performance to predict future performance

In short, it is possible to replace truisms with knowledge and manage GRC like any other element of the business. We have financial management systems, customer management systems, human resource management systems and many other management systems.

Systems of evidence vs. systems of knowledge

Much of what we report in the world of GRC also consists of truisms.

A few months ago I wrote a blog on Systems of Evidence vs. Systems of Knowledge. The Three Lines of Defense must lead the way to better reporting. We have systems of evidence for documenting truisms. We need systems of knowledge for managing GRC.

I’m interested to find out how technology can help add value in reporting, and I am looking for examples of good reporting and truisms. Please let me know if you have any suggestions.


About Bruce McCuaig

Bruce McCuaig is director of Product Marketing at SAP GRC solutions. He is responsible for development and execution of the product marketing strategy for SAP Risk Management, SAP Audit Management, and SAP solutions for three lines of defense. Bruce has extensive experience in industry as a finance professional, as a chief risk officer, and as a chief audit executive. He has written and spoken extensively on GRC topics and has worked with clients around the world implementing GRC solutions and technology.