GRC Tuesdays: Will the First Line of Defense Please Stand Up?
It was during my presentation on the Three Lines of Defense at GRC Insider in Las Vegas last week that I had a sudden revelation.
The first sign of a problem was the title of my presentation, “Three Unified Lines of Defense: Getting Risk, Compliance and Audit to Talk to Each Other.” My team and I had vetted the slides numerous times and we missed a glaring error.
The second clue was this graphic, a collage of the guidance and white papers developed to guide implementation of the Three Lines of Defense.
What’s Wrong with the Title?
Risk and compliance functions are considered Line 2 in the Three Lines of Defense model. Internal audit is Line 3. I completely omitted the 1st Line of Defense, where risks are owned and responses are managed. Three Lines of Defense must be a three-way conversation.
And What’s Wrong with the Graphic?
At times in my career I have been a 1st Line of Defense manager. As a GRC professional I have been in the offices of hundreds of other Line 1 managers. Frankly, I don’t recall seeing any IIA, COSO, ISACA, FERMA or other Three Lines of Defense publications in their offices. Not even in their trash cans.
So, What Is “Ownership?”
I decided to put the matter to rest by asking my audience who, in the Three Lines of Defense concept, they thought was responsible for certifying that controls were effective.
I explained that if operating managers who “own” risks are responsible for managing those risks, they should be able to certify that the risks are being managed.
When I put this logic to the audience, there was a grudging silence. I did not take the silence to be agreement. After all, if managers and risk owners are responsible for telling us that controls (or risk responses generally) are effective, then what are auditors supposed to do? Isn’t that their job?
Do You Have a 1st Line of Defense?
Here is a simple test:
- If your internal audit department is responsible for reporting on the effectiveness of internal controls, then you do not have a 1st Line of Defense. Essentially, your internal audit department has assumed that role.
- If your internal audit department provides assurance on the quality and reliability of the risk and control systems operated by the 1st Line of Defense, then chances are you have a 1st Line of Defense.
What Should the Auditors Look For?
When an internal auditor begins an audit engagement, their first step should be to ask the 1st Line of Defense to summarize the strengths and weaknesses of the internal control system. If the 1st Line of Defense cannot answer that question, you do not have a 1st Line of Defense, and the existence of the 2nd Line is also questionable.
How to Measure Performance and What to Report
The good news is that I was able to solve (in my own mind at least) two problems that I have been puzzling over. One is how to measure the performance of each line of defense. The other is what each line should report. The traditional Three Lines of Defense model is silent on both topics.
Here is my answer:
- The measure of performance of the 1st Line of Defense: its willingness and ability to completely and accurately report control documentation and residual risk information related to its objectives. Residual risk information in this sense is information such as deficiencies, issues, incidents, test failures, loss events, and so on that would form the basis of an opinion on control effectiveness. Having begun this chapter of my career advocating risk and control self-assessment with precisely this purpose, I have now come full circle.
- The measure of performance of the 2nd Line of Defense: its ability to analyze and aggregate reports from the 1st line of defense and strategically manage governance, risk, and compliance to achieve strategies and objectives.
- The measure of performance of the 3rd Line of Defense: the increase, over time, in the quality and quantity of reliable information on the status of risk and control and the capability and commitment of the first two lines.
Studies show that the Three Lines of Defense concept is widely adopted although not widely considered to be effective.
Actually, I believe it is revolutionary and its promise has not been realized.
What’s your view? Have you implemented the Three Lines of Defense in your organization? Have you seen any drastic change in roles? Have you developed performance measures and reports?
Please share your experience with me.