The first time I heard of the Three Lines of Defense concept I dismissed it out of hand. I was not alone. I believed that GRC professionals could add value, not just provide a defense.

Looking at it again, several years later, I think the Three Lines of Defense is an act of genius.

It’s not about Defense

The first thing to realize is that it’s not about defense at all. It’s about integration and collaboration, two attributes that are absolutely essential for integrated GRC. Operating management, GRC professionals, and auditors need to collaborate to make the Three Lines of Defense work. Today they simply don’t.

It’s about Alignment

A recent article in the Harvard Business Review, Looking for Risks in All the Wrong Places, noted that there is an extreme mismatch between where auditors, risk managers, and operating management spend their time. The Three Lines of Defense will demand alignment of priorities.

It’s about Communication

Today the Three Lines of Defense don’t talk to each other. That’s not a problem, it’s a symptom. They don’t talk to each other because they don’t have a common language. That is going to have to change.

It’s about Meaningful Reporting

Reporting by the individual lines of defense is abysmal. Little insight is provided. Comparison is not possible. The reason reporting is so bad is that the Three Lines of Defense, taken individually, have nothing to say.

A Three Lines of Defense approach will force a common reporting framework. That reporting framework must focus on explaining, predicting and improving business performance. No other common denominator exists.

It’s about Consistency

The Three Lines of Defense sets out what is necessary. It does not explain –

  • How do we decide where to focus our efforts?
  • How do we decide what’s important to the business?
  • How do we develop a consistent assessment and evaluation methodology?
  • What controls work best?
  • How many are enough?
  • What risks can we live with?

These questions, and many other methodology questions, need answers, and those driving toward a Three Lines of Defense model will begin to provide some of those answers.

It’s about Measuring GRC Performance

For as long as I have been in the GRC business, the value of GRC has yet to be proven. That will change. The Three Lines of Defense will provide a strategic basis for assessing the value of GRC and for allocating resources to integrated GRC.

It’s about the Adoption of Technology

GRC professionals are notoriously slow adopters of technology. Because there are few requirements for alignment, collaboration, reporting, consistency, or measurable performance, technology is not really needed. That too will change.

At SAP we are committed to the Three Lines of Defense model and excited about its possibilities.

Over the next few weeks I will expand on each of the areas discussed here and provide some specific examples and practical advice. I’ll ask my GRC colleagues at SAP to chip in as well.

So interspersed with our regular GRC Tuesday blogs, you will see the Three Lines of Defense topics appear repeatedly. I hope you enjoy them.

What experiences have you had implementing the Three Lines of Defense model?