Rising risk and regulatory compliance complexity are keeping more and more CFOs, their boards and external stakeholders awake at night.
CFOs are already burdened by trying to ensure that the controls integral to finance are effectively designed and performed so that the risks they address are actually mitigated. In addition, they are responsible for board and C-suite reporting with accurate, compliant enterprise-wide information; driving change in governance, risk and compliance (GRC) practices; challenging the high cost of the status quo; and obtaining better, more timely information on risks from finance and GRC professionals.
So how can CFOs deliver on all of these mandates? The answer is to optimize the "three lines of defense" framework so it runs efficiently across an organization.
What is the three lines of defense?
Originating from the European Commission, the three lines of defense is a globally accepted, integrated framework for managing GRC. The framework encompasses operational management (identifying their risks and maintaining effective internal controls), corporate risk and compliance oversight (setting standards for assessing and monitoring risk) and internal audit. But is it working well enough to help the sleep-deprived CFO?
A recent Forrester Research report found that 63 percent of organizations surveyed are either implementing, planning to implement or have already implemented the three lines of defense. However, despite this success, there are still problems: there is nothing in the primary concept that provides finance professionals with the necessary instructions or tools for execution. The good news is, most companies have all the pieces. However, most departments are so siloed that the pieces haven't yet come together in order to form the full picture.
- Educate your workforce. Companies need buy-in from top-level executives and board members in order to ensure that the three lines of defense is implemented and accepted across the entire organization. To do this, education is key. By educating the workforce so that everyone uses the same terminology, technology and nomenclature, companies can start to change the mindset internally and approach the model from the top down.
The three lines of defense can be a powerful framework in helping companies manage governance, risk and compliance. However, in order to be successful, companies need to optimize their efforts and align strategies internally to make sure they are maximizing the impact of this model.
An earlier version of this piece appeared in the Digitalist.