Easy as 1-2-3?

November 29, 2019GRC, internal control, Operational Risk

The three lines of defence model is a ubiquitous concept to anyone involved in audit, internal control or compliance.

In a nutshell, it can be summarised as: –

1^st line of Defence – functions that have ownership, responsibility and accountability for directly assessing, controlling and mitigating risks, i.e. operational management
2^nd line of Defence – functions who support, facilitate, monitor and oversee the risk, control and compliance framework, i.e. Financial Control, Compliance, Risk
3^rd Line of Defence – functions who provide objective and independent assurance on overall design and operating effectiveness, i.e. Internal Audit

Each of these three lines play a distinct but crucial role within the organisation’s wider governance framework.

The model itself makes good sense and the concept usually well understood. However, in practice, businesses struggle to successfully implement it. This creates dysfunctions which severely limit the value the model is designed to bring.

These dysfunctions can take many forms, but usually stem from the same underlying issues:-

Lack of awareness around the roles and motivations of each of the three lines
Poor communication and co-operation
Lack of relevant and timely information flows
Language, terminology and political/cultural/background differences

Collectively, these dynamics create the conditions for suspicion, defiance and distrust to build up at the touch points between each line of defence.

So what can be done about this?

Appropriate policies, guidance and role definitions need to be in place for each line of defence, clearly demonstrating the wider context which each line operates within
Encourage and facilitate meaningful coordination between the three lines of defence
Share knowledge and information in a collegiate manner

This must be a ‘tone from the top’ approach. The board should clearly communicate their expectation that information be shared and activities coordinated. This means that they all need to be committed to the three line of defence from the outset.

With expectations set, management need the right technology to realise these ambitions. Technology that brings all three lines of defence together, actively facilitating the sharing of information, increasing communication and encouraging coordination

This will foster a positive environment that moves us away from the dysfunctional and towards a successful three lines of defence model.

The accompanying one page PDF below shows how the right technology brings together all three lines of defence.

Download it here

123 graphic