The Three Lines of Defense concept was first introduced in 2006 as a proposal for better equipping audit committees. Figure 1 below is a simple illustration of how it is supposed to work

Is it working?

The concept s blindingly simple. No one seems to disagree on its merits/ It may come as a shock to some GRC professionals that it is not working, not even a little.

What’s the problem?

Historically GRC professionals have never really collaborated. A vague conceptual framework saying they should was never going to work. Surveys show everyone likes it but no one is doing anything about it.

The problem is the framework did not suggest any performance measures or provide any implementation guidance.

What’s the solution?

At SAP we think the first step is defining some reasonable outcomes.

Figure 2 below is a summary of what we thing management and Boards should expect

What’s needed?
Implementing the Three Lines of Defense means overcoming a number of obstacles and inventing tools and processes for practitioners to follow and use.

The Three Lines of Defense advocates a risk based approach, but which one and how would it work?

What tools and technologies are available and how do they work?

GRC silos have proven impossible to break down, but do they need to be broken down? Can we have specialization without silos?

What reports are necessary and who should get them?

The Three lines of Defense framework does not provide guidance on these or most other implementation requirements.

Finding the answers

We’d like to know your experience in implementing the Three Lines of Defense. Does it work in your business?

Do you agree with the outcomes we have listed above?

“Implementing the Three Lines of Defense: Getting Risk Compliance and Audit to talk to each other” offers some of our ideas and introduces some tools we have developed for the journey.

Join me at SAP GRC Insider. Click the link below to get more information along with a discounted registration.

Bruce McCuaig