Skip to Content
Business Trends
Author's profile photo Thomas Frenehard

GRC Tuesdays—So, What’s New in the World of Three Lines of Defense?

Recently, when I’ve mentioned “Three Lines of Defense” on Twitter or LinkedIn, I seem to instantaneously receive comments replying that it’s dead! Without more content or justification than this simple statement though. Allow me to strongly challenge this perception. As a matter of fact, the SAP Conference on Internal Controls, Compliance and Risk Management that took place earlier this year and the presentations delivered by our customers clearly indicate that this is not the case everywhere… if even anywhere. As a result, I thought I’d try to list—from my perspective at least, what has changed in the world of Three Lines of Defense in the last few years to illustrate why this framework continues to be adopted by organizations.

Automation of the 1st line

The first thing that I can think of is that more and more organizations are automating the work of the 1st line and using the results— and most importantly, the discrepancies in results, as a feed for the 3rd line’s work.

I think there were two factors that jointly made this successful: the increased maturity of organizations, and the evolution in technology itself. Tools for control automation, for instance, have been in the market for a while of course but, in most cases, the definition of the automated rule was cumbersome and business owners often relied on IT for its delivery.

With a more intuitive object-based approach, business owners have been empowered to create these rules themselves. Furthermore, they can even simulate the rules and analyse the types of exceptions raised before rolling them out on a set frequency. This has therefore also enabled many organizations to shift from a detective approach where controls would only “catch” issues after the fact, to a more proactive situation by leveraging detection patterns to identify negative trends and correct situations more rapidly.

Integration and Recognition by the Business

Another major difference is a deeper integration into the business. Previously, control, risk, and audit departments were operating in somewhat of a silo. Yes, they could rely on correspondents embedded in the operations but they were rarely perceived as a true business partner. More and more do I hear of business heads reaching out to control, risk, and audit teams to help them improve their processes. To me, this is a recognition of their added value.

One of the factors that could have triggered this change of behaviour is a new tone at the top: many executives now request live enterprise risk information in the reports they use on a daily basis to steer the business. The days of the 6-months-old heatmap are gone. Executives want—and use—interactive information on the exposure of their organization and what is being done to mitigate the risks. Even for non-board relevant or critical threats.

Shift to the Cloud

I don’t count the number of times that I have been told that enterprise risks were too critical of an information to be put in the Cloud. Now that we are seeing an increase in Cloud adoption with companies putting their entire systems (including enterprise resource planning) in the Cloud, this though seems to be fading as well.

Undeniably, organizations are adopting Cloud solutions for Three Lines of Defense and they are doing so for a few reasons, including to:

  • Leverage best practices from the market
  • Accelerate adoption of new innovations while reducing upgrade efforts
  • Lower total cost of ownership meaning a faster time to value
  • Benefit from subscription-based pricing. This last point is important because it means that companies are not only shifting to operational expenditure and therefore reduced upfront investment, but also that they can scale their licensing to follow closely the adoption of the tool. If the tool delivers on its promises, then organizations can more easily increase the number of subsidiaries, departments, countries, users, etc. in scope of the implementation.

I certainly don’t assert that this list is exhaustive, but I simply wanted to share with you my feeling that Three Lines of Defense is not “dead,” but very much alive and kicking, and wanted to provide a few examples supporting this thought.

But what about you? Are there other aspects of the Three Lines of Defense framework that you are seeing evolve? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard

Learn More

Assigned Tags

      1 Comment
      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member

      Long ago, when things first got out-of-hand; the three Lines of Defence model was created by consultants and sold-off as the magic that will make it work. This model is now outdated and drives the wrong mindset. There is nothing to defend against, Risk equals Reward, if you do not attack, you are the target. You are either at the table or on the menu. Your time in the trench is wasted; you do not even know what is on the battlefield of business. The 3LoD model contributes nothing to you getting more reward.

      It is also devastating to see so many people and organisations still cling to the 3LoD concept and are now even promoting 4LoD, trying to dig even more trenches. I think we must move beyond all the defences and we must forget about external assurance by third parties to tell you how great the 3LoD works. Firstly these “providers” have to be paid for that service and the best assurances will go to the highest payers and nobody will take any accountability; secondly, nobody can “certify” a risk management practice in any shape or form. There are just too many “moving parts”, so you can be perfectly “certified” today and with the dynamics of change overnight have a completely different risk profile by tomorrow morning; as such any kind of assurance or certification is only valid for the moment at which it is given and promotes a false sense of security that things are okay; sounds like a complete waste of time and effort to me!

      Risk decision-making has always been on the front-line! The problem is that the 3LoD model started driving the wrong mindset that there are 2 more levels of "defence" and added to that is the fact that the front-line people were never trained; not even in basic risk management skills. Risk Culture Building is the only way forward and claiming it is good to move risk decision-making around between different parts of the same business is absurd. All people must manage risk at all levels. Sadly, as I said earlier; in my experience most organisations claiming to use the (outdated) 3LoD model never trained anyone on the first line in any aspect of risk management.

      Using the 3/4/5 Lines of Defense-model is just Large Organic Debris that will result in the Lords of Destruction, the Lords of Darkness and the Legion of Doom taking your business to the Legacy of Darkness that guarantees the Loss of Data, dumping you in the Land of Devastation where it is all about Live or Die. There you will get a Letter of Destruction that will put a Look of Disapproval on the faces of your stakeholders and draw the final Line of Demolition to achieve a full Level of Destruction

      Wake up, #Kill3LoD- this is reality and there is no reset button!