Aligning The Three Lines Of Defense: The Enemy Is Us

Bruce McCuaig

In two of my recent blogs on the Three Lines of Defense (TLoD), I explained why I thought it would transform governance, risk management, and compliance (GRC) (Understanding the Three 20 Jul 2012 --- Hikers checking direction with compass. --- Image by © Hero/CorbisLines of Defense: Why It will Transform GRC), and I outlined our SAP interpretation of the concept (Understanding the Three Lines of Defense: It’s Not About Defense).

In this blog, I’d like to discuss a very simple concept: Specifically, how should the TLoD align themselves? What should the organizing principle be to drive that alignment? Unfortunately, I concluded long ago that the enemy is us.

Doing the wrong thing right – a fragmented approach

“The righter we do the wrong thing, the wronger we become. When we make a mistake doing the wrong thing and correct it, we become wronger. When we make a mistake doing the right thing and correct it, we become righter.”  –Russell Ackoff

If the problem was that if GRC teams were all looking for risks in the same wrong places, we could address it easily. At least that suggests alignment, even if it’s the wrong alignment.

A more accurate statement of the problem is that GRC teams are all looking for risks in different places, almost all of which are the wrong different places. If GRC professionals all agreed on the places to look and it was the wrong place, that problem could be solved quickly.

Aligning on value

I suggest these three value questions as a starting point for discussion among GRC professionals on achieving alignment. These are not new. I have been promoting these three value questions for several years. But they have never been so important.


Doing the right thing wrong

Whenever I present this concept, I am usually challenged to clarify it. “What do you mean by value?” “Value is so subjective. No one understand it.” “It means different things to different people.”

To me, it means simply differentiating between how your company makes money and the activities to support those money-making activities and to achieve compliance.

Today, both my experience and the literature suggests that the focus of GRC groups is overwhelmingly on supporting activities, and almost completely absent from money-making activities. The result is GRC activities that are misaligned, ineffective, inefficient, and irrelevant to the business.

I think the simplicity of the concept could lead to underestimating the difficulty in aligning GRC professionals on the answers. It’s also true that the right answers will change over time as business models and strategies evolve. It’s likely, and even desirable, that any given company will to do the right thing wrong to begin with. But that would be a huge improvement, and that’s one of the reasons the TLoD can be so transformative. It’s better to do the right thing wrong. At least you get better by correcting it. As Russell Ackoff said, doing the wrong thing righter makes it wronger.

Without alignment there, the Three Lines of Defense will do the wrong thing.

My questions for you are these:

  • Can you explain in simple terms your business model?
  • Can you explain how you or your GRC teams align with that business model?
  • Can you estimate the proportion of the time spent directly on the business model activities, rather than activities supporting the business model but not value adding in themselves?

Explore the TLoD further. Join my colleagues and me in our TLoD workshop at the Financial Planning, Consolidation and Controls conference, November 10 and 11 in Las Vegas, Nevada.

Bruce McCuaig

About Bruce McCuaig

Bruce McCuaig is director of Product Marketing at SAP GRC solutions. He is responsible for development and execution of the product marketing strategy for SAP Risk Management, SAP Audit Management, and SAP solutions for three lines of defense. Bruce has extensive experience in industry as a finance professional, as a chief risk officer, and as a chief audit executive. He has written and spoken extensively on GRC topics and has worked with clients around the world implementing GRC solutions and technology.