The Three Lines of Defence for GRC: A Silver Bullet for Challenges in Risk Management
In twenty-first century businesses, it’s often the case that professionals from different teams work together to help their organizations manage risk. Be it internal auditors, quality inspectors, or compliance officers, all of these specialists come together to provide an effective and efficient GRC system to their enterprises. Because of their specific areas of expertise, each of these professionals offers a unique perspective and a valuable skill set, which is why joining forces, and more importantly coordinating them effectively, is essential to ensure that risk and control processes operate as intended.
More often than not, the duties revolving around risk and control management tend to be split across multiple departments or divisions. As such, their existence in isolation from one another is what eventually results in the so-called “management islands” or management silos in the enterprise. And that’s exactly why it is crucial that clear responsibilities are defined and coordinated carefully, in order to close the ‘gaps’ in control and reduce the unnecessary multiplication of efforts.
Now, you could be thinking ‘how hard could it really be for a couple of teams to work together effectively?’, but simple as it may sound, this is exactly where most organizations that struggle with risk management fail. The stakes can be quite high, which is what makes it all the more important to allocate and use the limited risk and control resources effectively, so that significant risks are not left unidentified or improperly managed. Luckily, various practices have emerged over the years that address this very issue and help organizations delegate and coordinate their risk and control duties more productively.
One particular method has distinguished itself and become the predominant choice of many companies to this day. Many refer to it as the panacea, or the silver bullet, for challenges in risk management and compliance: the ‘Three Lines of Defence’ model is a sound practice that offers a simple, yet effective approach to improving communication and clarifying the essential roles and duties of GRC employees. It provides a fresh look at operations and helps assure the continued success of risk management initiatives, regardless of an organization’s size or complexity.
An Intro to The Three Lines of Defence Model
The Three Lines of Defence model has become a standard method in managing uncertainty and mitigating the downside of risks. In a nutshell, the model divides an organization along three lines and describes risk management based on three different groups, which are:
- Functions that manage and own risks
- Functions that oversee risks
- Functions that provide independent advice and assurance
The main argument here is that risk management frameworks are quite capable of identifying the types of risks that modern-day enterprises must keep at bay, but they are largely silent on how specific duties should be delegated and coordinated within the organization. And so, if we split an organization across three layers, outline where the boundaries of each group of responsible parties lie, and show how their position fits into the overall risk and control structure, we can more easily ensure effective risk management and success in GRC.
“No one can whistle a symphony. It takes a whole orchestra to play it.” – H.E. Luccock
And in business, the Three Lines of Defence model works on similar principles, by allowing your organization to identify, control and manage risks through splitting the responsibilities and coordinating them with an integrated and synergetic approach.
So, let’s dive deeper and have a look at what each of the lines stands for.
The 1st Line of Defence: Operational Management
Operational management is at the very core of the 1st Line of Defence. From an organizational structure perspective, this line typically consists of department heads or managers who own one or several risks in the organization. Their responsibility is to identify, address, control and eliminate risks, as well as to ensure that internal procedures and policies are continuously implemented and maintained. They also ensure that all activities being performed are in line and consistent with the organization’s goals and objectives.
Collectively, this group of responsible parties should have the necessary knowledge, skills, information, and authority to operate the relevant policies and procedures of risk control. This naturally requires a good understanding of the company, its objectives, the environment it operates in, and the risks it faces, in order to be able to pinpoint unexpected events, control breakdowns or inefficient processes.
The 2nd Line of Defence: GRC Functions
Now, in a perfect setting, one line of defence would be enough to ensure the organization’s full protection. In the real world, however, a single line of defence is simply not enough, which is why the second line steps in to provide oversight and support with regard to risk and compliance.
Therefore, the second line of defence is characterized by the risk and compliance specialists, or the so-called ‘guardians of the system’. As the name suggests, this layer is made up of stakeholders from the various specialized disciplines, who provide their expertise and apply their methods to ensure that the first line of defence is properly designed, in place and doing its job adequately.
These disciplines include:
- Process Management
- Risk Management
- Internal Control System
- Compliance Management
- Corporate Security Management
- Data Protection (GDPR)
- Quality Management
- Environmental Protection
- Occupational Safety
The 3rd Line of Defence
The third and last line of defence consists of internal and external audits that provide thorough, objective and independent assurance. The third line is mainly focused on ensuring that the first two are operating effectively, and on advising them on how they can further improve and grow. The internal audit’s role can essentially be described as ‘detective and corrective’, meaning that it is used to detect control weaknesses or breakdowns and to suggest suitable improvements or remedial action. Therefore, the third line of defence, although sitting outside the risk management processes of the first two lines, still plays an important role in ensuring the effectiveness of the governance and control system as a whole.
Teamwork makes the dream work
By applying the three lines of defence approach, you can help different parts of the organization work collaboratively and cohesively, and address uncertainty and risks head-on. More importantly, using this method will help ensure that clear responsibilities, accountability and oversight of risks and controls are present at all levels of the organization. But because every organization is unique in its own way, there is no universal secret sauce for coordinating the three lines of defence. Nevertheless, there are a few things to keep in mind that will help you fully benefit from this approach.
To yield the most favourable results, the three lines, although separate, should never operate in isolation from one another. By breaking down these barriers and carefully managing the relationship between them, you allow for your organization’s security to be elevated to the next level, as well as facilitate the smooth flow of organizational business processes. That way, you are free to achieve your business goals and continue thriving in your respective market without any restraints, knowing that the effective, efficient and agile GRC security of your enterprise is assured.
Interested in learning more about the Three Lines of Defence and the tools that can help you leverage the many benefits of this approach?
Check out the following articles!
1. BOC Group. (2019). 1+1=3: With the “Three Lines of Defence” Towards an Integrated GRC. Retrieved from https://ie.boc-group.com/grc-three-lines-of-defence
2. Raza, F. (2018, November 5). The Three Lines of Defense for GRC. Influencive. Retrieved from https://www.influencive.com/the-three-lines-of-defense-for-grc/
3. The Institute of Internal Auditors. (2013). The Three Lines of Defense in Effective Risk Management and Control. Retrieved from https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf