Cure for the CFO's Sleepless Nights: The Three Lines of Defense for GRC

Rising risk and regulatory compliance complexity are keeping more and more CFOs, their boards and external stakeholders awake at night.

CFOs are already burdened by trying to ensure that the controls integral to finance are effectively designed and operated, and that they actually mitigate risk. In addition, they are responsible for board and C-suite reporting with accurate, compliant enterprise-wide information; driving change in governance, risk and compliance (GRC) practices; challenging the high cost of the status quo; and obtaining better, more timely information on risks from finance and GRC professionals.

So how can CFOs deliver on all of these mandates? The answer is to optimize the "three lines of defense" framework so it runs efficiently across an organization.

What is the three lines of defense?
Originating from the European Commission, the three lines of defense is a globally accepted, integrated framework for managing GRC. The framework encompasses operational management (identifying their risks and maintaining effective internal controls), corporate risk and compliance oversight (setting standards for assessing and monitoring risk) and internal audit. But is it working well enough to help the sleep-deprived CFO?

A recent Forrester Research report found that 63 percent of organizations surveyed are either implementing, planning to implement or have already implemented the three lines of defense. However, despite this adoption, problems remain: nothing in the core concept gives finance professionals the instructions or tools needed for execution. The good news is that most companies already have all the pieces. Most departments, however, are so siloed that the pieces have not yet come together to form the full picture.

How can organizations optimize their use of the three lines of defense?
  • Educate your workforce. Companies need buy-in from top-level executives and board members in order to ensure that the three lines of defense is implemented and accepted across the entire organization. To do this, education is key. By educating the workforce so that everyone uses the same terminology, technology and nomenclature, companies can start to change the internal mindset and approach the framework from the top down.
  • Introduce a CRO (Chief Risk Officer). CROs or Chief GRC Officers are quickly becoming one of the most important members of the financial management team. This is especially true as finance becomes more digitized and information technology issues become more and more prevalent. By establishing a CRO to determine the level of risk a company is comfortable with, organizations can truly start to embrace transformation.
  • Enforce accountability within your organization. Often the biggest confusion when it comes to the three lines of defense involves the role assignments: who should be doing what. In order to implement a successful three lines of defense framework, companies need to clearly outline roles and responsibilities. Furthermore, organizations need to ensure the three lines of defense aligns with the organization's objectives and strategies, so they can determine where the priorities should be and how to respond to risk.
  • Integrate technology solutions to support efforts. Companies are embracing a wide range of technologies to support the three lines of defense, ranging from GRC dashboards and reporting to control, policy and audit management solutions. Most of the necessary technology is available now and is fairly mature. The issue is not implementing technology; it is integrating it. Today, only 30 percent of organizations using these tools said they are fully integrated across the organization. Choosing an integrated platform is key. The business world does not need more technology silos.

The three lines of defense can be a powerful framework for helping companies manage governance, risk and compliance. However, in order to be successful, companies need to optimize their efforts and align strategies internally to make sure they are maximizing the impact of this model.

An earlier version of this piece appeared in the Digitalist.