GRC Tuesdays: Three Lines of Defense – Who’s on First?
While the Three Lines of Defense is gaining ground as a broad framework for implementing best practices in governance, risk and compliance, detractors believe it is old school and already in place in many companies. I think they are badly underestimating what’s required. It’s a deceptively simple concept with profound implications. Look beneath the surface.
Is Everything Under Control?
Any chief auditor who has ever sat in front of an audit committee has been asked this question. Of course it’s expected, and the typical answer is “Yes” with a few qualifications, depending on the wisdom or courage of the chief auditor.
But in the Three Lines of Defense, the correct answer from a chief auditor is, “Don’t ask me. That’s not my job!”
In the Three Lines of Defense framework, operating management is responsible for managing risks in their business.
- If they’re really responsible for managing risks in their operations, they surely must be accountable for certifying that risks are managed and controls are effective.
- If they can’t or won’t, a chief auditor who does it for them is a fool.
- If the chief auditor is willing to answer that question, then he/she becomes the First Line of Defense.
As a chief auditor, I did in fact answer the question. But I soon learned I had absolutely no grounds for doing so and developed tools to promote risk and control self-assessment by the business.
How Do Operating Managers Know?
The knowledge, skills, and tools for assessing risk and control should be coordinated by the Second Line of Defense. It’s their job to make sure the information produced is consistent across the organization and complete. Operating managers must follow a standard, reliable methodology. If operating managers don’t know the business wants them to assess and report on risk and control management, the business doesn’t have a second line of defense.
Actually, I found that they probably already use a quality, safety, or sustainability framework and know what to do in order to apply those frameworks and tools to other operational risk, compliance, and controls. But it’s the job of the Second Line of Defense to instruct and advise in order to achieve quality and consistency across the organization and to aggregate the information.
In my experience, operating managers know in far more detail than any auditor the nuances of risks and controls in their operations. And they will tell you if you ask.
If they don’t know, or are unwilling to disclose the status issues, concerns and incidents about their risks and controls, you don’t have effective risk and control management. The quality of the first line of defense is entirely based on the quality and completeness of their disclosures. There is no other answer.
What to Ask the Chief Auditor
Acting as the Third Line of Defense, the chief auditor has a critical role. It’s just not to opine on risk and control directly. The question they should be asked is this, “Is the information we (the Board or senior management) are getting from Lines One and Two complete, relevant, and reliable? How do you know? Do you have additional insights you can share?
It’s actually the same kind of question external auditors are asked about the financial statements.
If your chief auditor can’t answer that question, you don’t have a Third Line of Defense. It’s as simple as that.
Learn More at SapphireNow in Orlando and GRC2016 in Vienna
For more on the Three Lines of Defense, read the other blogs in the series, and join me at SAPPHIRENOW Orlando May 17-19:
- May 17-19: Demo station will be open during show floor hours
- Thursday, May 19: Interactive session, “Apply “Three Lines of Defense” to Bolster your Strategy Success”
I’ll also be speaking at SAPinsider GRC2016 Vienna this June 20-22. Register by May 6th for an Early Bird discount.