The Three Lines of Defense model has become popular in recent years. It began with the Guidance on the 8th EU Company Law Directive published by the Federation of European Risk Management Associations (FERMA).
It now has many versions. I’ve seen Four Lines of Defense and more.
The original FERMA model looks like this:
A few weeks ago, I was in a meeting with a prominent software analyst and she used the phrase “perimeter thinking.” I can’t recall now the precise context of the conversation, although we were discussing audit management software. The phrase grabbed my attention and I immediately thought of the Three Lines of Defense.
Although it has virtues, the model to me represents perimeter thinking. Today’s business environment, we are told, is full of complexity, corruption, catastrophe and hidden perils, as well as opportunity. All of those things seem to stop at the edge of the Three Lines of Defense. I think we need to recognize them.
Three lines of defense: essential but insufficient
Perhaps I’m being cynical, but I can easily imagine the Titanic to be a good model for the Three Lines of Defense. I’m guessing all the elements depicted in the model above, in one way or another, existed in the governance structure of the Titanic.
If not the Titanic, I can give you countless other examples where assurance in what was known – and ignorance of what was unknown – caused blindness and catastrophe.
I’m not arguing against the validity of the Three Lines of Defense. What I am saying is that it is essential, but insufficient. Here is what it’s missing.
Who is looking at the horizon?
Let’s reach beyond the perimeter of the Three Lines of Defense by adding an outward view –
My view is that most practitioners can’t answer the first question. I know for much of my career I didn’t even ask it.
The Titanic might have been an engineering marvel for its time. But its value proposition should have included delivering passengers safely to their destination as a primary focus. Questions two and three were apparently not addressed. There was no doubt aboard.
Is it reasonable to assume that operational management has the capability and accountability to scan the horizon? I don’t think so. Is it reasonable to assume that operational management can aggregate and synthesize the external risks and create appropriate responses? History suggests not.
Tools and best practices
In my last blog, I introduced the 4 Risk Quadrants model. I think it’s a useful model for the Three Lines of Defense.
This is what I think the Three Lines of Defense should look like. Let operational management run the business, primarily with control-based approaches, and give operational management and their staff responsibility for the human factors of the operations. Let the 2nd Line of Defense look to the horizon and beyond and set the strategic risk responses.
Give internal audit the role of assessing effectiveness, knowing that each quadrant has a different yardstick. And give internal audit a training and consulting role to ensure tools and capabilities are up to standard.
Interested in pursuing these ideas further? Join the SAP GRC team at GRC Insider in Nice. I will be presenting the latest version of the GRC Strategy Selector app as a tool for bringing the Three Lines of Defense to life, as well as presenting an approach to using SAP Audit Management to drive costs down and add value. Register and receive a €300 discount.
You can learn more in the blog, GRC Tuesdays: A New Approach to Risk Oversight: A Lens to Look Through and Levers to Pull.