GRC Technology’s Role in the “3 Lines of Defense” Risk Management Model

  • April 24, 2019
  • Quantivate

Many organizations set the foundation for an effective risk management program using the “three lines of defense.” This widely used model is designed to coordinate risk and control management across the enterprise through appropriately mapping out responsibilities for day-to-day management (first line), monitoring and oversight (second line), and independent assurance (third line).

Three Lines of Defense Risk Management Model

  1. Operational management
  2. Risk management and compliance functions
  3. Internal audit

As Ernst & Young (EY) explored in a report on the three lines of defense model, integrating enterprise risk management and controls with internal audit results in stronger governance that increases organizational agility, efficiency, and effectiveness.

“Establishing a governance structure through the use of a well-defined and coordinated integrated risk and control model is the cornerstone of a strong risk management program. Organizations must define clear ownership and accountability for risk management and internal control activities to enable effective coordination, communication and reporting.”

However, even for organizations that have well-developed risk management practices, achieving integration — effective communication, data-sharing, and analytics between the three lines — can be challenging.

A survey of internal audit professionals included in the EY report found that leading organizations tend to follow the same three-pronged approach to assessing and improving their internal control environments and ensuring the three lines of defense are working in harmony.


3 Components of Effective Risk Management

The survey studied how industry leaders are maximizing the three lines of defense model to increase coordination between the business units involved in GRC, which helps organizations meet their strategic objectives and improve business performance.

It identified three components that enabled better assessment and equipped organizations to pursue a more mature risk management strategy.

Level 1: Methods, Practices & Technology

At the foundation of this best practices pyramid are the methods, practices, and technology that organizations use to support their risk management program and business strategy.

Example assessment factors organizations may consider in this step include technology enablement, control design and documentation, and reporting on control effectiveness.

In fact, EY identified leveraging technology and data analytics as some of the most common enhancement opportunities for improving internal controls.

“Robust implementation of [GRC tools] and their inclusion in the risk and control frameworks reduce reliance on manual procedures and therefore reduce risk of control failures.”

Data analytics in particular is highlighted as an “untapped resource” in many internal audit and compliance functions — one that only 15% of organizations use to support the execution of their internal controls program.

Levels 2 & 3: Resources and Governance

After ensuring they have effective management methods and the right technology and tools in place, top organizations then take stock of their resources and governance.

Example assessment factors organizations may consider in these steps include clear definition of roles and responsibilities, oversight of vendors and third parties, and clear definition of the internal controls timeline.

Maturing Your Risk and Controls Management Program

According to this maturity enablement and assessment model, organizational maturity levels range from basic (1) to leading (5). A mature, or leading, program is characterized by the following qualities:

  • Established and consistent
  • Integrated
  • Regularly reviewed
  • Aligned and coordinated across the organization

Even though the three lines of defense approach is widespread, there is still room for improvement. Among the survey respondents, which spanned a range of organization sizes and sectors, only about a third (34%) indicated that their internal control program was mature.

The Takeaway

While there’s no magic bullet for maturity, technology-enabled integration is a key factor in moving toward more effective, strategic risk and controls management. When the three lines of defense work together — with the operational and risk management, compliance, and internal audit functions coordinating and sharing data — your organization is better protected and prepared to meet its goals and improve performance. A common GRC technology architecture and single source of truth for GRC program data and documentation helps teams align their management activities to overall business strategy and objectives.

Set the foundation for effective risk management with integrated GRC technology.

GRC integration has proved to be a worthwhile investment. A GRC maturity survey found that 89% of organizations that implement an integrated GRC program have seen benefits that meet or exceed expectations, such as:

  • Reducing gaps in risk and compliance
  • Reducing the costs of GRC processes
  • Increasing the ability to gather / report on GRC information and present meaningful analysis
  • Reducing operational impact from siloed risk assessments and siloed compliance training

If your organization doesn’t have an integrated solution for managing governance, risk, and compliance (GRC), we invite you to explore the Quantivate GRC Software Suite and Solutions. Our products are designed with built-in integration to reduce risk, improve performance, and enable strategic decision-making.

Learn more by downloading a datasheet or requesting a free demo of our GRC technology platform.
