Today’s Reality

Recently my GRC colleagues at SAP and I were discussing the Three Lines of Defense (TLoD). Many of us come from professional or consulting backgrounds and have implemented initiatives that looked on the surface very much like what the Three Lines of Defense model is advocating today. Suggesting that operating management, risk and compliance professionals, and auditors work together is not new. But it’s not reality today.

What’s Missing from the TLoD?

Three years ago my wife and I began some renovations on our house. One day in October 2012 a team of friendly, highly skilled, and motivated carpenters, electricians, plumbers, tile layers, painters, and others arrived on our doorstep.

The probability that they would spontaneously collaborate and create the renovations we wanted (and achieved) was zero or less.

Good will, skill, hope, and the best of intentions are necessary but totally insufficient, even dangerous. Using skills and tools without a plan will produce a disaster; they needed a vision and a plan and only we could provide it.

In my earlier blogs on the TLoD I stressed the importance of collaboration and alignment. I even suggested a basis for achieving alignment with the Three Value Questions.

The chance that the Three Lines of Defense will work without a plan and a strategy is also zero. It has not worked so far for most professionals.

The Role of Management in TLoD

According to the Institute of Internal Auditors’ excellent position paper, The Three Lines of Defense in Effective Risk Management and Control “the Three Lines of Defense model is best implemented with the active support and guidance of the organization’s governing body and senior management.”

Finding a Strategy for your Line of Defense

Frankly, expecting your senior management to provide the three lines of defense with an implementation strategy would be like the electrician and plumber asking me to provide them with a diagram showing them how I wanted the wiring and plumbing done. I hired them because they knew how to do the work. My job was to tell them what I wanted done, not how. That’s the role of management in the TLoD, and almost no guidance exists on the subject. My tradesmen led us through a series of discussions outlining issues, options, tradeoffs, and opportunities. Given that information we were able to decide on a plan.

The SAP GRC Strategy Selector App

Successfully implementing the TLoD is complicated. There have been very few sustained successes among many attempts. Many people are involved, many skills are needed, and many tools are available. The right ones must be selected and they must be deployed strategically.

At SAP we recognize the need for a strategic approach to the implementation of the TLoD. Our award-winning app is available at no charge in the iTunes store. The app has evolved over the last three years and we expect further refinement as it is adopted by users. Embedded in almost every screen of the app are brief videos with instructions, explanations, examples, and useful links.


  • Identify and assess each risk from three dimensions
  • Identify your existing risk management strategies
  • Explore alternative strategies based on your risk assessment
  • Analyze your GRC information and capability requirements
  • Test our Value Calculators to make a business case for your GRC strategy
  • Align risks with business objectives and processes

You may find this approach different. It’s not for everyone.

We welcome your comments and suggestions – let me know what you think.

If you want to learn more about the app and explore SAP’s approach to the Three Lines of Defense, register for the conference below and sign up for our TLoD workshop.