In two of my recent blogs on the Three Lines of Defense (TLoD) I explained why I thought it would transform GRC (Understanding the Three Lines of Defense: Why It will Transform GRC) and I outlined our SAP interpretation of the concept (Understanding the Three Lines of Defense: It’s Not About Defense).

In this blog I’d like to discuss a very simple concept. Specifically, how should the TLoD align themselves? What should the organizing principle be to drive that alignment? Unfortunately, I concluded long ago that the enemy is us.

Doing the Wrong Thing Right – A Fragmented Approach

“The righter we do the wrong thing, the wronger we become. When we make a mistake doing the wrong thing and correct it, we become wronger. When we make a mistake doing the right thing and correct it, we become righter”. Russell Ackoff

If the problem were that GRC teams were looking for risks in all the wrong places, we could address it easily. At least that suggests alignment, even if it’s the wrong alignment.

A more accurate statement of the problem is that GRC teams are all looking for risks in different places, almost all of which are the wrong different places. If GRC professionals all agreed on the places to look, and it was the wrong place, that problem could be solved quickly.

Aligning on Value

I suggest these three value questions as a starting point for discussion among GRC professionals on achieving alignment. These are not new. I have been promoting these three value questions for several years. But they have never been as important.


Doing the Right Thing Wrong

Whenever I present this concept, I am usually challenged to clarify it. “What do you mean by value?” “Value is so subjective. No one understands it.” “It means different things to different people.”

To me it simply means differentiating between how your company makes money and the activities that support those money-making activities and achieve compliance.

Today both my experience and the literature suggest that the focus of GRC groups is overwhelmingly on supporting activities and almost completely absent from money-making activities. The result is GRC activities that are misaligned, ineffective, inefficient, and irrelevant to the business.

I think the simplicity of the concept could lead to underestimating the difficulty in aligning GRC professionals on the answers. It’s also true that the right answers will change over time as business models and strategies evolve. It’s likely, and even desirable, that any given company will do the right thing wrong to begin with. But that would be a huge improvement, and that’s one of the reasons the TLoD can be so transformative. It’s better to do the right thing wrong. At least you get better by correcting it. As Russell Ackoff said, doing the wrong thing righter makes it wronger.

Without alignment there, the Three Lines of Defense will do the wrong thing.

My questions for you are these.

  • Can you explain in simple terms your business model?
  • Can you explain how you or your GRC teams align with that business model?
  • Can you estimate the proportion of time spent directly on the business model activities, rather than on activities that support the business model but are not value-adding in themselves?

Explore the TLoD

Join my colleagues and me in our TLoD workshop at the Financial Planning, Consolidation and Controls conference, November 10 and 11 in Las Vegas, Nevada.