Three Lines of Defense: Enabling High Performing Organizations

Like battling the multi-headed Hydra in Greek mythology, redundant, manual, and uncoordinated governance, risk management, and compliance (GRC) approaches are ineffective. As the Hydra grows more heads of regulation, legal matters, operational risks, and complexity, scattered departments of GRC responsibilities that do not work together become overwhelmed and exhausted and start losing the battle. This approach increases inefficiencies and the risk that serious matters go unnoticed. Redundant and inefficient processes lead to overwhelming complexity that slows the business, at a time when the business environment requires greater agility.

Successful GRC strategy in complex business environments requires layers of protection to ensure that the organization can “reliably achieve objectives [Governance] while addressing uncertainty [Risk Management] and act with integrity [Compliance].” (source: www.OCEG.org) Any strategist, whether in games, sports, combat, or business, understands that layers of defense are critical to the protection of assets and achievement of objectives. Consider a castle in the Middle Ages in which there are layers of protection by moats, gates, outer walls, inner walls, with all sorts of offensive traps and triggers along the way. Organizations are modern castles that require layers of defense to protect the organization and allow it to reliably achieve strategic objectives.

The Three Lines of Defense model is the key model that enables organizations to organize and manage layers of GRC controls and responsibilities. The European Commission originally established it in 2006 as a voluntary audit directive within the European Union. Since this time, it has grown in popularity and is now a globally accepted framework for integrated GRC across lines of defense within organizations – from the front lines, to the back office of GRC, to the assurance and oversight roles. GRC 20/20 sees the Three Lines of Defense Model as critical to enable organizations to reliably achieve objectives while addressing uncertainty and act with integrity.

As the name suggests, the Three Lines of Defense model comprises three layers of GRC responsibility and accountability in organizations. These are:

  • Business Operations. The front lines of the organization across operations and processes comprise the roles that make risk and control decisions every day. This represents the functions within departments and processes that ultimately own and manage risk and controls in the context of business activities. These roles need to be empowered to identify, assess, document, report, and respond to risks, issues, and controls in the organization. This first layer operates within the policies, controls, and tolerances defined by the next layer of defense, GRC professionals.
  • GRC Professionals. The back office of GRC functions (e.g., risk management, corporate compliance, ethics, finance, health & safety, security, quality, legal, and internal control) are the roles that specify and define the boundaries of the organization that are established in policy, procedure, controls, and risk tolerances. These roles oversee, assess, monitor, and manage risk, compliance, and control activities in the context of business operations, transactions, and activities.
  • Assurance Professionals. The third layer of defense is assurance professionals (e.g., internal audit, external audit) who provide thorough, objective, and independent assurance on business operations and controls. It is their primary responsibility to provide assurance to the Board of Directors and executives that the first and second lines of defense are operating within established boundaries and are providing complete and accurate information to management. This is accomplished through planning and executing audit engagements to support assurance needs.

The Three Lines of Defense Model is well understood and adopted globally. The major downside of the model is the name itself, with its use of the word ‘defense.’ This gives the model a perception of being reactionary and tactical rather than strategic. This is unfortunate, as the model enables high performance by aligning accountabilities at different levels of the organization and getting these functions working together in the context of each other. High performing organizations require consistency and controls to ensure the organization operates within defined boundaries. The Three Lines of Defense Model is key to enabling reliable achievement of objectives and consistent control of the business.

The key to success in implementing the Three Lines of Defense Model is collaboration. If the layers of accountability across the three lines do not collaborate and work together, GRC functions will remain in silos and be ineffective, inefficient, and lack agility to respond to a complex and dynamic business environment. Internal politics and divisions work against the Three Lines of Defense Model in organizations.

Another challenge for organizations in implementing the Three Lines of Defense Model is not having a consistent GRC process, information, and technology architecture. Not only do different groups across the lines of defense need to be able to work together, they need to be able to share information and have a consistent and single source of truth for GRC activities, accountabilities, and controls.

The Bottom Line: Three Lines of Defense is an integrated GRC framework with the goal of allowing different parts of the organization to work cohesively together to reliably achieve objectives while addressing uncertainty and acting with integrity. It enables what OCEG calls Principled Performance, and ensures that there are clear responsibilities, accountability, and oversight of risk and control at all levels of the organization. Organizations are adopting the Three Lines of Defense Model for GRC as they have come to realize that silos of GRC that do not collaborate and work together lead to inevitable failure. There is a need for visibility across these lines of defense that is scalable, integrated and consistent. The Three Lines of Defense Model enables efficient, effective, and agile business.

Increased Pressure to Control Spreadsheets and Documents

Pervasiveness of End User Computing Brings Risk

Use of end user computing applications such as spreadsheets, emails, and other document types has revolutionized how technology creates value for organizations. However, this brings a significant challenge to govern and control information and technology in a distributed and dynamic environment. Organizations are facing increased pressures from regulators and auditors to ensure that they have adequate controls over end user computing applications, particularly spreadsheets used in accounting and finance processes. This specifically has caught the attention of the Public Company Accounting Oversight Board (PCAOB) and external auditors. This scrutiny is leading to new SOX failings for companies that had previously had no such failings.

How does the organization take advantage of the wealth of benefits that end user computing solutions such as documents and spreadsheets deliver while avoiding the compromise of confidentiality, integrity, availability, and auditability of critical business information, increased risk exposure, and potential legal and regulatory actions?

End user computing applications are pervasive in the enterprise. This increases productivity and gives organizations agility that helps them succeed in a complex, dynamic, and distributed business environment. At the same time, risk and compliance issues are compounded by the extensive nature of collaboration and unstructured data. Individuals and departments can quickly set up online collaboration portals and share documents inside and outside the organization, increasing the number of people who can misuse them and simultaneously decreasing the organization’s control over them. Consider that information comes in various forms:

  • Structured data is found in databases and consists of master data and transactions. Structured data can expose the organization to significant risk and compliance concerns, but it is contained within database structures and is to a degree easier to control, monitor, and secure. However, the pathways to export structured data are a concern to organizations, because once exported it is manipulated in spreadsheets and documents outside those controls.
  • Unstructured data is pervasive and quickly gets out of control. It consists of documents, emails, and spreadsheets, as well as communication and collaboration technologies. Data is easily copied, disseminated, and manipulated. In the distribution process, different versions evolve and can conflict with each other. Business-critical data is often stored within spreadsheets and communications, subjecting the organization to risk and compliance exposure.
  • Dark data is data that the organization has no knowledge of or control over. What should have been destroyed still lives on in remote corners of the organization and beyond. An older version of a spreadsheet that relies on bygone assumptions may still be accessed and used, resulting in poor business decisions and faulty analytics.
  • Rogue data is data that is easy to manipulate and present out of context. What is legitimate information may be unintentionally or maliciously altered to present a different story out of context.
  • Duplicated data is data where the organization may understand and control the areas where information exists, but is not aware of how it has been copied and distributed. When the data changes, those changes are not reflected across the areas where it has been copied, referenced, and used.
  • Pervasive data that has no boundaries — unless controlled. Employees quickly use social sharing, collaboration portals, and mobile devices to access information from wherever they are, whenever they want it with little thought to risk and compliance.

There is no doubt about it – end user computing applications, particularly spreadsheets, are strategic and critical business applications. They are essential to the business, but they are also a significant risk if left uncontrolled.

Specific Challenges and Risks in the Use of Spreadsheets

Organizations face a challenge: spreadsheets are a strategic, useful, and flexible business application but require significant amounts of checking and review to mitigate errors and risk. It is not the spreadsheet’s fault; it is the users’ fault. Organizations need to control spreadsheets so that they can in the end control or avoid the problems users introduce in their use – both inadvertent and malicious.

Organizations that have failed to manage and control spreadsheets have faced significant loss as the result of bad decisions from unreliable data. Lack of control can introduce significant loss to the organization: spreadsheets are prone to breaking because of user error in their configuration, values, use, and calculations. The organization, without proper end user computing controls, does not know that spreadsheets are broken and ends up relying on data that is faulty. Bad spreadsheets do not tell you they are broken; they just spit out bad information. Organizations need to have a defined process to ensure the control over end user computing applications used in critical business processes. This includes understanding:

  • Business criticality of end user computing applications. Spreadsheets and documents are business-critical applications. They offer advanced analytics and modeling of numbers, finance, and statistics. They are flexible, widely used, and cherished by many users. Spreadsheets and documents are here to stay, and the organization must figure out how to control them.
  • Pervasiveness of spreadsheets and documents. Spreadsheets and documents are everywhere; every workstation typically has them installed as a standard application. They electronically breed and multiply by users adapting them for different purposes. They are copied and modified with no accountability or documentation of their use. Little thought has gone into their development and they often have a host of inaccuracies.
  • Complexity and integrity of spreadsheets and documents. Spreadsheets, while a tool in everyone’s electronic toolbox, are often highly complex with bewildering math, configuration, and calculations spanning multiple worksheets. Complexity makes integrity a challenge. The data quality and integrity of spreadsheets is critical, and the more complex they are, the more control, oversight, and diligence is required.
  • Simple mistakes introduce significant errors. Spreadsheet issues resulting in loss and bad decisions come about through simple user error, miscalculations, and manual processes such as copying and pasting data. When spreadsheets and documents are not controlled or vetted, it can be quite some time before the organization realizes the loss, and in the meantime, it has grown exponentially. It is the exponential loss that finally brings attention to the fact that a simple error in a spreadsheet caused it. Organizations also struggle with the fact that as spreadsheets were developed or changed, no testing was done to provide assurance that they functioned correctly.
  • No audit trail, change control, or versioning. Changes to spreadsheets are typically not monitored, and the organization could not tell you who did what, when, how, and why. It is not a difficult task for miscreants to come in and modify numbers to cover a trail and protect themselves. Further, the data in spreadsheets can often be a mystery with no way to trace where it came from. Organizations struggle with versioning and archiving of spreadsheets because of uncontrolled modifications, so when an error is found there is no reliable version to fall back to.
  • Lack of accountability and ownership. In general, spreadsheets and documents are unsecured and unmonitored tools. A spreadsheet is developed and then proliferated throughout the enterprise. It may be modified, and calculations changed. Multiple versions end up existing with no single person responsible for their integrity and use. Someone may access a spreadsheet and never realize it was modified and perhaps functions in a different way or has errors in calculations and/or values.
  • Compliance and audit challenges. Organizations are under the microscope from regulators and external auditors to improve control and assurance over the data in their spreadsheets, comply with regulatory requirements, and conform to auditor expectations. Further, the internal control and audit process is cumbersome, as it involves manual processes that require significant time to check spreadsheet integrity and function, time that constrained internal audit and control staff do not have. They need an automated and reliable approach to meet expectations and requirements while minimizing risk and loss to the business.

Despite these challenges and risks, many organizations lack a thorough understanding of end-user computing solutions that present a risk to an organization’s financial reports.

Increased Pressure to Gain Control over End User Computing

The information within documents and spreadsheets faces a bombardment of risk and compliance challenges from every direction. New methods of collaborating through pervasive access to data introduce serious risk and compliance concerns. Documents shared inside, as well as outside, the organization may not be adequately protected. How does the organization take advantage of the wealth of benefits that end user computing and pervasive access to information promise, while at the same time avoiding the compromise of confidentiality, integrity, and availability of critical business information, increased risk exposure, legal actions, and regulatory actions? With an onslaught of regulations and enforcement actions, the concern of information governance, risk management, and compliance continues to grow.

The creation, integration, consumption, and analysis of information in various forms drives the products, services, operations, and finances of the organization and determines its strategy. A challenge to organizations is to govern information and its use in end user computing applications like word processors and spreadsheets. This requires managing the uncertainty and exposure to risk that document and spreadsheet use brings to the organization.

Spreadsheets are too often not in the purview of internal control programs, though they support and are an important part of critical business processes. Thus, they often fall below the radar of internal control, oversight, and audit, with little to no governance and data standards. This is something the PCAOB and external auditors are focused on rectifying. Organizations are facing increased pressures from regulators and auditors to ensure that they have adequate controls over end user computing applications, particularly spreadsheets used in accounting and finance processes. The PCAOB specifically has requested auditors to increase their focus on ‘System Generated Data and Reports,’ driving the application of so-called ‘enhanced audits’ of Sarbanes-Oxley (SOX) control processes, which often involve a predominant and pervasive use of end user computing applications.

This scrutiny is leading to new SOX failings for companies that had previously had no such failings. Enhanced audits are exposing the role of spreadsheets in context of Internal Control over Financial Reporting (ICFR) and the fact that spreadsheets are often open to manual manipulation.

Organizations have a clear need to ensure that information access and collaboration are controlled and secured. GRC roles have often been in reactive mode to an onslaught of regulations and risk and have failed to develop a sufficient strategy to govern how end user computing is used across the organization. It is the responsibility of an internal control team to work in tandem with GRC functions across areas of IT, security, legal, compliance, risk management, and audit. Together these roles have the responsibility to provide a clear strategy for end user computing controls. In that context they need to clearly define the classification, policy, and control of unstructured information and the use of end user computing solutions. This is not the responsibility of one department, but a cooperative effort across functions. These collaborative roles need to clearly define the appropriate use of end user computing applications in policies and provide the automated controls needed to govern end user computing applications. GRC technologies that discover, monitor, and enforce control of end user computing solutions are a key component of how to address this growing need.

Information governance is not information restriction. The goal is not to inhibit business, but to protect the business. There is a legitimate need for the access to information and collaboration with others inside and outside the organization using end user computing solutions. It is the role of GRC professionals to provide this control and governance so that those who need it in the context of regulatory boundaries and risk mitigation can access information.

A GRC strategy for end user computing controls helps organizations to:

  • Ensure that ownership and accountability of information governance and collaboration through end user computing technologies is clearly established and enforced.
  • Manage ongoing business impact of risk exposure in the context of end user computing.
  • Integrate intelligence that establishes workflows and tasks when issues arise that impact the organization in the context of improper use of end user computing solutions.
  • Monitor the organization’s environment for the dissemination, access, and control of information across end user computing solutions.
  • Identify changes in the risk, compliance, and control profiles of spreadsheets that expose information to issues of integrity, confidentiality, availability, and auditability.
  • Visualize the impact of a change on the organization’s processes and operations in the context of information and end user computing use.

GRC 20/20 will be presenting a webinar on this topic on April 26th: The Spreadsheet and SOX: the Never Ending Battle

This post is an excerpt from GRC 20/20’s Strategy Perspective research: Gaining Control Over End User Computing: Increased Pressure to Control Spreadsheets and Documents

  • Have a question about End User Computing & Internal Control Management Solutions and Strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .
  • Internal Control Management by Design Workshop. Engage GRC 20/20 to facilitate and teach the Internal Control Management by Design Workshop in your organization.
  • Looking for Internal Control Management Solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over 500 requirements for risk management solutions.
