Understanding The Three Lines Of Defense: It’s Not About Defense

Bruce McCuaig

It’s about collaboration

The first thing to realize is that the Three Lines of Defense (TLoD) framework is not about defense at all. The three lines in question are already defending against risk, but they are doing so in an uncoordinated way. The TLoD is about collaboration and integrating the efforts of groups. Operating management, GRC professionals, and auditors need to work together to make the Three Lines of Defense work. Today they simply don’t work together. In fact, they often don’t speak to each other.

Three lines of defense: The way it’s supposed to work

The business line – the first line of defense – “owns” its risk, insofar as it acknowledges and manages the risk it incurs in pursuing its activities. This entails evaluating and monitoring controls.

The risk management function – as part of the second line of defense – is responsible for further identifying, measuring, monitoring, and reporting risk on an enterprise-wide basis independently of the first line of defense.

The control and compliance management function is considered part of the second line of defense.

The internal audit function – the third line of defense – conducts risk-based and general audits and reviews to reassure the board that the overall governance framework, including the risk governance framework, is effective and that policies and processes are in place and consistently applied.

Three lines of defense: today’s reality

To make a simple, smooth, and seamless transition to this Three Lines of Defense model, dramatic changes are necessary.

  1. The three lines need to identify themselves
  2. The three lines need to talk to each other
  3. The three lines need to agree on who owns each risk
  4. The three lines need to agree on basic frameworks and reporting mechanisms

These four items are not standard practice in today’s GRC world. In my years of experience in GRC consulting, training, and advising clients on software implementation, I have visited many of the largest companies in the world, companies whose products can be found in your home and in your driveway. In a shockingly large number of situations, and this experience has been shared by many of my consulting colleagues, I have been the one who introduces the respective operating, entity-level, and assurance executives and staff to each other. Not only are they not in regular communication, they often do not even know each other!

What’s the risk?

Technically, the lack of collaboration and communication is probably not a risk. Risk suggests uncertainty. There is no uncertainty about the likelihood or the severity of the consequences.

  1. GRC resources today are grossly misallocated and wasted. The Harvard Business Review reports that although 95% of losses are a result of strategic or operational risks, only 6% of audit resources are allocated to those areas
  2. Huge areas of risk are not examined at all by any line of defense
  3. Some areas of risk receive overlapping or duplicate coverage

Can technology help?

Overall, I don’t believe implementing the TLoD model is primarily a technology challenge. We can collaborate and integrate our work without it if necessary. But there is no doubt technology will streamline and enable the TLoD to drive insight and action. The real impediment is bad GRC practices, which are proving tough to dislodge.

Next steps

I will be posting additional blogs on this topic over the next few weeks. Specifically, I will be introducing some unique and specific approaches to:

  1. Deciding where the TLoD should focus their resources (and where they should not)
  2. Deciding which line of defense should be responsible for any given risk
  3. Determining the data and technology required to manage different risk types
  4. Providing suggested audit strategies for each risk type
  5. Measuring performance

Interested in learning more? Would you like to help us innovate?

Join me and my colleagues Jan Gardiner and James Chiu from GRC Solution Management at the SAP Conference for Financial Planning, Consolidation and Control, November 10 and 11 in Henderson, Nevada, for our Three Lines of Defense workshop.

Want more strategies to keep pace with today’s rapidly evolving business environment? See Digital Economy: Connecting More Than Devices.


About Bruce McCuaig

Bruce McCuaig is director of Product Marketing at SAP GRC solutions. He is responsible for development and execution of the product marketing strategy for SAP Risk Management, SAP Audit Management, and SAP solutions for three lines of defense. Bruce has extensive experience in industry as a finance professional, as a chief risk officer, and as a chief audit executive. He has written and spoken extensively on GRC topics and has worked with clients around the world implementing GRC solutions and technology.