Practical advice on how to implement a three lines of defence approach to risk management.
Sourced by Alex Hollis, SureCloud GRC Solutions Director for Information Age
Managing risk within the business is a challenging and necessary activity. But when it’s conducted intelligently, it’s also a great way to add value to businesses, departments, and projects. The first step is to recognize the need for better risk management and to get people across all departments to collaborate.
Businesses need to take an approach to risk that facilitates an internal discussion based on facts, making sure that decisions can be made on where to accept or reduce risk. A key to this is aggregating risk across the business. It’s often resource-intensive, but it’s a critical part of any strategy to reduce the risk of sustaining a loss.
Three Lines of Defense
There are various strategies to address risk. One of the most effective is the three lines of defence approach. This strategy gives the board and senior management three clear line functions to rely on, to ensure the effectiveness of the organization’s risk management framework.
The first line of defence (1LOD) includes those who own the risks and controls. These are the people who hold a day job within the business and would be considering risk and controls in addition to their other responsibilities.
The second line of defence (2LOD) comprises those who oversee or specialize in risk management and compliance. These people are dedicated to risk and control and are well trained to facilitate the implementation of effective risk management procedures. They’re also responsible for reporting and aggregating risk from the various sources up and down the business.
The third and final line of defence (3LOD) comprises the people who provide independent assurance. They’re normally internal auditors who report directly to the board.
Ensuring effective defence
Changing the risk culture in the 1LOD can be challenging. Managers don’t want to burden their staff with these ‘bureaucratic compliance activities’, so they reach out to the 2LOD. This often leads to the 2LOD thinking the first line needs help, when it’s actually the managers’ way of freeing up their staff to get on with business.
While there’s no magic solution for organizations, based on my experience with Governance, Risk and Compliance (GRC) implementations, there are some common factors for success.
The common factors for success
First, it’s critical that the executive level sets the tone for a risk-ready culture, with the leadership teams delivering their message on risk clearly and consistently. Risk must be incorporated into any strategic planning to give the first line an idea of how risk aligns with the corporate objectives.
Second, it’s essential that ‘groups’ don’t own risk-related initiatives. Instead, organizations should assign tasks to the individual so someone will always be held accountable. To make progress, you should define clear boundaries and make sure the correct people are performing the right procedures. The first line should always be the decision-makers.
Training and mentoring
A further success factor is in the training and mentoring of employees. This goes beyond training people on spreadsheets. It’s about providing the relevant training for the risk methodology, irrespective of the technology at hand.
The first line should understand what they’re being asked to do, and what they’re being empowered to do. It’s also essential that the 1LOD are provided access to 2LOD mentors that will help them deploy the training and provide direction.
People, process, technology
Once the training has been covered, it’s time to implement the methodology. You need the right people working on the right processes, which can then be accelerated with the right technology. Leave out the technology until you have the people and processes in place, or you might end up with a failed project.
Define risk appetite
As with all risk methodologies, when using the three lines of defence approach, organizations must define which risks can be taken and which must be avoided. Everyone involved should clearly understand the framework around how risks are measured, assessed and monitored. This should also be communicated clearly to all three lines.
Avoid the cookie cutter
Avoid the easy option of rolling out ‘cookie-cutter’ risk libraries for your departments to leverage. Yes, it sometimes works. But more often it fails, especially when it’s used to try and shortcut training. Often, 1LOD users rely too heavily on the content and the exercise becomes simply box-ticking.
Ensure ease of use
Finally, organizations should stop using spreadsheets. At over 40 years old, the spreadsheet is a general-purpose tool, and the risk registers built on it are often put together by people in the business who have no software development experience or understanding of user experience and user interface design. There are many GRC technology tools built specifically for the task. Each has its strengths and weaknesses, but they’re all superior to Excel.
By following these steps when adopting the three lines of defence approach, organizations will be able to better manage risk across the business. There will be a rich set of risk and control information based upon the well-thought-out opinions of those closest to the business. This information informs decision making and leads to better use of business assets across the organization, with less exposure to uncertainty.