Most likely, if you work in the areas of governance, risk management, or compliance, you are already familiar with the “three lines of defense” model that describes risk management in three layers. It’s a good model for understanding how risk is, at some level, everyone’s responsibility, but the discussion needs to go further than most of what I have seen so far.
Risk Management Three Lines of Defense
The risk management “three lines of defense” model begins with the first line, business operations, owning and directly managing risk. The second line is a risk, control, and compliance team that provides monitoring and support. The third line consists of internal audit, which provides independent assurance about risk management to the board.
The Real Value of Risk Management
The real value of driving risk management responsibilities into each level of the organization is the collaboration and synergy that is created, and the accompanying added value provided to each aspect of operations.
Each area is strengthened and supported by the actions of the others. Internal audit is better able to provide assurance when there is active risk management at the business operations level and when supporting monitoring activities ensure that measurable, actionable information can be gained. Risk managers get a better view across the entity. And perhaps most importantly, the front line operations themselves are improved by the risk management activities, which are no longer viewed as just a service being done for someone else – the gain is in the business being more informed, more agile and more capable of taking advantage of risk.
GRC and Risk Management
OCEG, together with RSA, has developed a new infographic in the GRC Illustrated Series demonstrating the business advantages of establishing GRC in the first line of defense and beyond. We invite you to download a copy and use it to discuss the advantages of GRC with your business operators.