Written by GRC Practice Director, Alex Hollis
[Figures: Oversight (current); Oversight (future); Control activities (future)]
It’s probably safe to say that all organizations want to stand out and be successful. But achieving this requires you to adapt and innovate so you can keep pace with the rate of technological change in the digital world. According to Gartner, 62% of CEOs have a management initiative or transformation program in place to make their business more digital.
The trouble is that while your CEO is busy increasing your digital footprint, your risk exposure is increasing at an exponential rate. Now the pressure is on, and 75% of CROs cite increasing regulatory risk and technological changes as the things they’re most unprepared for.

Three lines of defense
In a bid to stay ahead of the evolving risk curve, many organizations attempt to better integrate their business operations. The typical way of doing this is through the ‘Three Lines of Defense’ model:
- First line: managed by people in the business alongside their day job, who are responsible for running processes to implement controls and mitigate risks.
- Second line: an independent oversight function that exists to challenge the first line. They set the methodology for identifying risks and implementing controls, and check it’s being done.
- Third line: provides objective and independent assurance by auditing the whole risk and control function.
It’s a simple and effective model that should enhance your communication around risk management and control because it clarifies everyone’s roles, responsibilities, and accountability.
There’s just one problem…

The new 1.5 lines of defense
Some organizations believe the Three Lines of Defense model is no longer suitable to support GRC and needs refining to include a new 1.5 line, while others are actively creating a 1.5 line “to challenge the first line and provide effective engagement and integration with the second and/or third lines of defense.”
We believe the emergence of the 1.5 lines of defense is dangerous because it blurs the lines of accountability. For an organization to have 1.5 lines means the second line of defense is now heavily involved in supporting the first. It would be like a general picking up a sword and running onto the battlefield – he’s now too involved to retain oversight of the situation and is likely to lose.

Objectivity adds value
The subject matter experts sitting in your first line of defense are intelligent people, otherwise they wouldn’t have been hired. But risk and compliance isn’t their day job. Therefore, they treat it as a simple tick-box exercise, looking to automate or outsource the process so they can tick the boxes as quickly and easily as possible.
But risk is a thought process; it’s not a tick-box exercise. If you really want to keep pace with change, what you need is for the subject matter experts to actually engage their brains and take the time to consider what’s changed and how it affects the organization. To pull someone in the second line down from a position of oversight into the weeds where they’re doing the work means you’ve lost that valuable expert opinion.

Orchestrate and facilitate
Having the ability to effectively manage the risks associated with operating in a digital world requires you to change the way you work.
All your control activities are dependent on data, so you need to start with a centrally managed mechanism for extracting this information from your teams, making sense of it in a way that matters to your business, and then pushing it out to the organization.
Research shows that organizations that adopt this approach allow the C-Suite to examine its effectiveness and enhance areas where they show vulnerability, as well as boosting their risk appetite and improving their decision-making capabilities.