Many organizations set the foundation for an effective risk management program using the “three lines of defense.” This widely used model is designed to coordinate risk and control management across the enterprise through appropriately mapping out responsibilities for day-to-day management (first line), monitoring and oversight (second line), and independent assurance (third line).
As Ernst & Young (EY) explored in a report on the three lines of defense model, integrating enterprise risk management and controls with internal audit results in stronger governance that increases organizational agility, efficiency, and effectiveness.
Establishing a governance structure through the use of a well-defined and coordinated integrated risk and control model is the cornerstone of a strong risk management program. Organizations must define clear ownership and accountability for risk management and internal control activities to enable effective coordination, communication and reporting.”
However, even for organizations that have well-developed risk management practices, achieving integration — effective communication, data-sharing, and analytics between the three lines — can be challenging.
A survey of internal audit professionals included in the EY report found that leading organizations tend to follow the same, three-pronged approach to assessing and improving their internal control environments and ensuring the three lines of defense are working in harmony:
The survey studied how industry leaders are maximizing the three lines of defense model to increase coordination between the business units involved in GRC, which helps organizations meet their strategic objectives and improve business performance.
It identified three components that enabled better assessment and equipped organizations to pursue a more mature risk management strategy.
At the foundation of this best practices pyramid are the methods, practices, and technology that organizations use to support their risk management program and business strategy.
Example assessment factors organizations may consider in this step include technology enablement, control design and documentation, and reporting on control effectiveness.
In fact, EY identified leveraging technology and data analytics as some of the most common enhancement opportunities for improving internal controls.
“Robust implementation of [GRC tools] and their inclusion in the risk and control frameworks reduce reliance on manual procedures and therefore reduce risk of control failures.”
Data analytics in particular is highlighted as is an “untapped resource” in many internal audit and compliance functions — one that only 15% of organizations use to support the execution of their internal controls program.
After ensuring they have effective management methods and the right technology and tools in place, top organizations then take stock of their resources and governance.
Example assessment factors organizations may consider in these steps include clear definition of roles and responsibilities, oversight of vendors and third parties, and clear definition of the internal controls timeline.
According to this maturity enablement and assessment model, organizational maturity levels range from basic (1) to leading (5). A mature, or leading, program is characterized by the following qualities:
Even though the three lines of defense approach is widespread, there is still room for improvement. Among the survey respondents, which spanned a range of organization sizes and sectors, only about a third (34%) indicated that their internal control program was mature.
While there’s no magic bullet for maturity, technology-enabled integration is a key factor in moving toward more effective, strategic risk and controls management. When the three lines of defense work together — with the operational and risk management, compliance, and internal audit functions coordinating and sharing data — your organization is better protected and prepared to meet its goals and improve performance.
GRC integration has proved to be a worthwhile investment. A GRC maturity survey found that 89% of organizations that implement an integrated GRC program have seen benefits that meet or exceed expectations, such as:
If your organization doesn’t have an integrated solution for managing governance, risk, and compliance (GRC), we invite you to explore the Quantivate GRC Software Suite and GRC Software Bundles. Our products are designed with built-in integration to reduce risk, improve performance, and enable strategic decision-making.