Skip to Content
Business Trends

GRC Tuesdays: Measuring Performance of the Three Lines of Defense

Man_iPadThe Three Lines of Defense concept was first introduced in 2006 as a proposal for better equipping audit committees.

Here is a simple illustration of how it is supposed to work.

 

McCuaig_blog_measuring_lines_defense_image1

 

 

 

 

 

 

 

 

McCuaig_blog_measuring_lines_defense_image2

Is It Working?

The concept is blindingly simple. No one seems to disagree on its merits. But It may come as a shock to some governance, risk, and compliance (GRC) professionals that it is not working, not even a little.

What’s the Problem?

Historically GRC professionals have never really collaborated. A vague conceptual framework saying they should was never going to work. Surveys show everyone likes it but no one is doing anything about it.

The problem is the framework did not suggest any performance measures or provide any implementation guidance.

What’s the Solution?

At SAP, we think the first step is defining some reasonable outcomes. Below is a summary of what we think management and boards should expect.

McCuaig blog_measuring_lines_defense_image3

What’s Needed?
Implementing the Three Lines of Defense means overcoming a number of obstacles and inventing tools and processes for practitioners to follow and use:

  • The Three Lines of Defense advocates a risk based approach, but which one and how would it work?
  • What tools and technologies are available and how do they work?
  • GRC silos have proven impossible to break down, but do they need to be broken down? Can we have specialization without silos?
  • What reports are necessary and who should get them?

The Three lines of Defense framework doesn’t provide guidance on these or most other implementation requirements.

Finding the Answers

We’d like to know your experience in implementing the Three Lines of Defense. Does it work in your business? Do you agree with the outcomes we have listed above?

Join me at SAPinsder GRC2016 and attend my session, “Implementing the Three Lines of Defense: Getting risk, compliance, and audit to talk to each other”  which offers some of our ideas and introduces some tools we have developed for the journey.

 

Be the first to leave a comment
You must be Logged on to comment or reply to a post.