GRC Tuesdays—So, What’s New in the World of Three Lines of Defense?
Recently, whenever I have mentioned “Three Lines of Defense” on Twitter or LinkedIn, I seem to receive almost instantaneous replies that it is dead, without any more content or justification than that simple statement. Allow me to strongly challenge this perception. As a matter of fact, the SAP Conference on Internal Controls, Compliance and Risk Management that took place earlier this year, and the presentations delivered by our customers there, clearly indicate that this is not the case everywhere, if anywhere at all. As a result, I thought I would list, from my perspective at least, what has changed in the world of Three Lines of Defense in the last few years, to illustrate why organizations continue to adopt this framework.
Automation of the 1st line
The first thing that comes to mind is that more and more organizations are automating the work of the 1st line and using the results, and most importantly the discrepancies in those results, as a feed for the 3rd line’s work.
I think two factors jointly made this successful: the increased maturity of organizations, and the evolution of the technology itself. Tools for control automation have of course been on the market for a while, but in most cases defining the automated rule was cumbersome and business owners often relied on IT to deliver it.
With a more intuitive, object-based approach, business owners have been empowered to create these rules themselves. Furthermore, they can simulate the rules and analyse the types of exceptions raised before rolling them out at a set frequency. This has also enabled many organizations to shift from a purely detective approach, where controls only “catch” issues after the fact, to a more proactive one, leveraging detection patterns to identify negative trends and correct situations more rapidly.
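To make this 1st-line automation concrete, here is an added, self-contained Python example (not code from SAP or from the original post): three constructed control rules are run over a constructed set of payment records, first in simulation mode to count the exception types each rule raises, then per period so that a rising exception rate can be flagged as a negative trend before the rule is scheduled at a set frequency. The rule names, the approval threshold and the payment records are all assumptions made for the illustration.

```python
"""Simulating an automated 1st-line control before rolling it out.

Added illustration; the rules, threshold and records are constructed here
and are not taken from any product or from the original post.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Payment:
    doc_id: str
    period: str          # accounting period label, e.g. "2024-01" (constructed)
    amount: float
    created_by: str      # user who entered the payment
    approved_by: str     # user who approved it; "" means no approval recorded
    vendor_created_by: str  # user who created the vendor master record


# A control rule is an exception label plus a predicate over one payment.
Rule = tuple[str, Callable[[Payment], bool]]

APPROVAL_LIMIT = 10_000.0  # assumed amount above which an approval is mandatory

RULES: list[Rule] = [
    # Segregation-of-duties style checks (assumed rules, for illustration only)
    ("self_approval", lambda p: p.created_by == p.approved_by),
    ("vendor_and_payment_same_user", lambda p: p.vendor_created_by == p.created_by),
    ("above_limit_without_approval",
     lambda p: p.amount > APPROVAL_LIMIT and p.approved_by == ""),
]

# Constructed sample data: exception rate deliberately rises period over period.
SAMPLE = [
    Payment("P1", "2024-01", 500.0, "alice", "bob", "carol"),
    Payment("P2", "2024-01", 2500.0, "dave", "bob", "carol"),
    Payment("P3", "2024-01", 12000.0, "alice", "bob", "carol"),  # above limit but approved
    Payment("P4", "2024-02", 800.0, "alice", "alice", "carol"),  # self-approval
    Payment("P5", "2024-02", 300.0, "dave", "bob", "carol"),
    Payment("P6", "2024-02", 700.0, "erin", "bob", "carol"),
    Payment("P7", "2024-03", 15000.0, "alice", "", "carol"),    # above limit, no approval
    Payment("P8", "2024-03", 400.0, "dave", "bob", "dave"),      # same user made vendor and payment
    Payment("P9", "2024-03", 900.0, "erin", "bob", "carol"),
]


def run_rules(payments, rules=RULES):
    """Simulate the rules: return (doc_id, period, exception_type) for every hit."""
    exceptions = []
    for p in payments:
        for name, predicate in rules:
            if predicate(p):
                exceptions.append((p.doc_id, p.period, name))
    return exceptions


def exceptions_by_type(exceptions) -> dict:
    """Count how many exceptions each rule raised; used to review a rule before rollout."""
    return dict(Counter(e[2] for e in exceptions))


def exception_rate_by_period(payments, exceptions) -> dict:
    """Share of documents per period that raised at least one exception."""
    totals = Counter(p.period for p in payments)
    flagged = defaultdict(set)
    for doc_id, period, _ in exceptions:
        flagged[period].add(doc_id)
    return {period: len(flagged[period]) / totals[period] for period in sorted(totals)}


def negative_trend(rates: dict) -> bool:
    """True when the exception rate rises in every consecutive period (a detection pattern)."""
    values = [rates[k] for k in sorted(rates)]
    return len(values) >= 2 and all(b > a for a, b in zip(values, values[1:]))


def simulate(payments=SAMPLE):
    """One simulation run: exception mix, per-period rate and the trend verdict."""
    exceptions = run_rules(payments)
    rates = exception_rate_by_period(payments, exceptions)
    return {
        "by_type": exceptions_by_type(exceptions),
        "rate_by_period": rates,
        "negative_trend": negative_trend(rates),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

In practice the business owner would iterate on the predicates until the simulated exception mix matches what the control is meant to catch, and only then schedule the rule; the per-period rate and trend check are what turn a detective control into the proactive signal described above.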
Integration and Recognition by the Business
Another major difference is a deeper integration into the business. Previously, control, risk, and audit departments operated somewhat in a silo. Yes, they could rely on correspondents embedded in operations, but they were rarely perceived as true business partners. More and more often I hear of business heads reaching out to control, risk, and audit teams to help them improve their processes. To me, this is a recognition of their added value.
One of the factors that could have triggered this change of behaviour is a new tone at the top: many executives now request live enterprise risk information in the reports they use daily to steer the business. The days of the six-month-old heatmap are gone. Executives want, and use, interactive information on their organization’s exposure and on what is being done to mitigate the risks, even for threats that are not board-relevant or critical.
Shift to the Cloud
I have lost count of the number of times I have been told that enterprise risks were too critical a piece of information to be put in the Cloud. Now that we are seeing an increase in Cloud adoption, with companies putting their entire systems (including enterprise resource planning) in the Cloud, this objection seems to be fading as well.
Undeniably, organizations are adopting Cloud solutions for Three Lines of Defense and they are doing so for a few reasons, including to:
- Leverage best practices from the market
- Accelerate adoption of new innovations while reducing upgrade efforts
- Lower total cost of ownership, meaning a faster time to value
- Benefit from subscription-based pricing. This last point is important because it means that companies are not only shifting to operational expenditure, and therefore reduced upfront investment, but can also scale their licensing to closely follow the adoption of the tool. If the tool delivers on its promises, organizations can more easily bring additional subsidiaries, departments, countries, users, etc. into the scope of the implementation.
I certainly don’t claim that this list is exhaustive; I simply wanted to share my feeling that Three Lines of Defense is not “dead,” but very much alive and kicking, and to provide a few examples supporting this view.
But what about you? Are there other aspects of the Three Lines of Defense framework that you are seeing evolve? I look forward to reading your thoughts and comments, either on this blog or on Twitter at @TFrenehard.