Three Lines of Defense for Managing Risk
In our continuing quest to improve how companies manage risk, it’s inevitable we’d eventually discuss the three lines of defense. They’re well known and serve as a model for clarifying roles and responsibilities for defending the home turf and operating efficiently.
That said, we see a more dynamic role for the three lines of defense as a catalyst for business. They set you up to not only manage risk but also to go on the offense. You can use this newfound agility to innovate and discover competitive advantages.
Before we can detail the promise of the three lines of defense, we need to get everyone on the same page by defining the roles of the three lines:
1st Line of Defense – The Doers
The first line of defense is represented by the doers—the people on the front lines. They’re managing risk, complying with regulations and standards, and carrying out the company’s defined risk management processes daily.
2nd Line of Defense – The Superintendents
The second line of defense is managerial and is responsible for oversight of the doers. They also develop and implement risk management processes, policies and procedures.
3rd Line of Defense – The Investigators
The third line of defense are the auditors, both internal and external, who independently assess and report on the work of the other two lines.
Clarity meets accountability
Clearly defined roles help everyone know what they’re accountable for in terms of managing risk. It also helps eliminate redundancy of duties across the three lines. Each line knows what it’s accountable for.
The first line is more effective when the second line coordinates their activities. Doers can take pride in owning risk and being accountable, which enhances their ability to lead.
The second line is also in a perfect position to see what’s working and what isn’t, and they have the authority to make changes like adding controls to reduce risk. As they monitor the first line’s activities, the second line can provide input and deliver on the organization’s risk management strategy.
The third line of defense assesses and reports on what it sees from the first and second lines. With this defined role, it’s easier to gather evidence and conduct investigations. Autonomy and authority are enhanced when the first and second lines respect the work of the third.
A GRC platform empowers the three lines
The three lines of defense for risk management brings order to chaos. You have structure and clarity. But add in a GRC technology platform and watch what happens.
The platform streamlines internal processes, which boosts the productivity of first-line business owners. The same platform enables the second line to continuously monitor the first line with dashboards and analytics. Data is recorded and reportable to upper management and the board. The third line uses the platform to streamline audits, everything from collecting evidence and generating audit tasks to creating audit workpapers at the push of a button.
As a strategy for managing risk, the three lines of defense provides clarity and accountability. Get more out of the three lines by incorporating a GRC platform. It will help to streamline risk management activities, facilitate collaboration, and enhance accountability among the three lines. The two together can be a catalyst for business.
Learn about how your organization can be prepared for unexpected disruption to your business activities by looking at five common mistakes.
Learn how the government shutdown affected business and the countermeasures needed to address the risk to remedy the situation.
Let’s continue helping the millions impacted by Hurricanes Harvey and Irma. Let’s also help business prepare for the next disaster with better BC/DR plans.