Three lines of defense

In a bid to stay ahead of the evolving risk curve, many organizations attempt to better integrate their business operations. The typical way of doing this is through the ‘Three Lines of Defense’ model:

• First line: managed by people in the business alongside their day job, they are responsible for running processes to implement controls and mitigate risks.
• Second line: an independent oversight function that exists to challenge the first line. They set the methodology for identifying risks and implementing controls, and check it’s being done.
• Third line: provides objective and independent assurance by auditing the whole risk and control function.

It’s a simple and effective model that should enhance your communication around risk management and control because it clarifies everyone’s roles, responsibilities, and accountability.

There’s just one problem…

The new 1.5 lines of defense

There are some organizations that believe the Three Lines of Defense model is no longer suitable to support GRC in their organization. As such, they believe it needs refining to include a new 1.5 line. While others are actively creating a 1.5 line “to challenge the first line and provide effective engagement and integration with the second and/or third lines of defense.”

We believe the emergence of the 1.5 lines of defense is dangerous because it blurs the lines of accountability. For an organization to have 1.5 lines, it means the second line of defense is now heavily involved in supporting the first. It would be like a general picking up a sword and running onto the battlefield – he’s now too involved to retain oversite of the situation and is likely to lose.

Objectivity adds value

The subject matter experts sitting in your first line defense are intelligent people otherwise they wouldn’t have been hired. But risk and compliance isn’t their day job. Therefore, they treat it as a simple tick-box exercise, looking to automate or outsource the process so they can tick the boxes as quickly and easily as possible.

But Risk is a thought process; it’s not a tick-box exercise. If you really want to keep pace with change, what you need is for the subject matter experts to actually engage their brain and take the time to consider what’s changed, and how it affects the organization. To pull someone in the second line down from a position of oversight into the weeds where they’re doing the work, means you’ve lost that valuable expert opinion.

Orchestrate and facilitate

Having the ability to effectively manage the risks associated with operating in a digital world requires you to change the way you work.

All your control activities are dependent on data, so you need to start with a centrally managed mechanism for extracting this information from your teams, making sense of it in a way that matters to your business, and then pushing it out to the organization.

Research shows that organizations that adopt this approach allow the C-Suite to examine its effectiveness and enhance areas where they show vulnerability, as well as boosting their risk appetite, and improving their decision-making capabilities.