Three Lines of Defense: Enabling High Performing Organizations

Like battling the multi-headed Hydra in Greek mythology, redundant, manual, and uncoordinated governance, risk management, and compliance (GRC) approaches are ineffective. As the Hydra grows more heads of regulation, legal matters, operational risks, and complexity, scattered departments of GRC responsibilities that do not work together become overwhelmed and exhausted and start losing the battle. This approach increases inefficiencies and the risk that serious matters go unnoticed. Redundant and inefficient processes lead to overwhelming complexity that slows the business, at a time when the business environment requires greater agility.

Successful GRC strategy in complex business environments requires layers of protection to ensure that the organization can “reliably achieve objectives [Governance] while addressing uncertainty [Risk Management] and act with integrity [Compliance].” (source: www.OCEG.org) Any strategist, whether in games, sports, combat, or business, understands that layers of defense are critical to the protection of assets and achievement of objectives. Consider a castle in the Middle Ages in which there are layers of protection by moats, gates, outer walls, inner walls, with all sorts of offensive traps and triggers along the way. Organizations are modern castles that require layers of defense to protect the organization and allow it to reliably achieve strategic objectives.

The Three Lines of Defense model is the key model that enables organizations to organize and manage layers of GRC controls and responsibilities. The European Commission originally established it in 2006 as a voluntary audit directive within the European Union. Since this time, it has grown in popularity and is now a globally accepted framework for integrated GRC across lines of defense within organizations – from the front lines, to the back office of GRC, to the assurance and oversight roles. GRC 20/20 sees the Three Lines of Defense Model as critical to enable organizations to reliably achieve objectives while addressing uncertainty and act with integrity.

As the name suggests, the Three Lines of Defense model is comprised of three layers of GRC responsibility and accountability in organizations. These are:

  • Business Operations. The front lines of the organization across operations and processes comprise the roles that make risk and control decisions every day. This represents the functions within departments and processes that ultimately own and manage risk and controls in the context of business activities. These roles need to be empowered to identify, assess, document, report, and respond to risks, issues, and controls in the organization. This first layer operates within the policies, controls, and tolerances defined by the next layer of defense, GRC professionals.
  • GRC Professionals. The back office of GRC functions (e.g., risk management, corporate compliance, ethics, finance, health & safety, security, quality, legal, and internal control) are the roles that specify and define the boundaries of the organization that are established in policy, procedure, controls, and risk tolerances. These roles oversee, assess, monitor, and manage risk, compliance, and control activities in the context of business operations, transactions, and activities.
  • Assurance Professionals. The third layer of defense is assurance professionals (e.g., internal audit, external audit) that provide thorough, objective, and independent assurance on business operations and controls. It is their primary responsibility to provide assurance to the Board of Directors and executives that the first and second lines of defense are operating within established boundaries and are providing complete and accurate information to management. This is accomplished through planning and executing audit engagements to support assurance needs.

The Three Lines of Defense Model is well understood and adopted globally. The major downside of the model is the name itself using the word ‘defense.’ This gives the model a perception of being reactionary and tactical and not strategic. This is unfortunate as the model enables high-performance by aligning accountabilities at different levels of the organization and getting these functions working together in context of each other. High performing organizations require consistency and controls to ensure the organization operates within boundaries of controls. The Three Lines of Defense Model is key to enable reliable achievement of objectives and consistent control of the business.

The key to success in implementing the Three Lines of Defense Model is collaboration. If the layers of accountability across the three lines do not collaborate and work together, GRC functions will remain in silos and be ineffective, inefficient, and lack agility to respond to a complex and dynamic business environment. Internal politics and divisions work against the Three Lines of Defense Model in organizations.

Another challenge for organizations in implementing the Three Lines of Defense Model is not having a consistent GRC process, information, and technology architecture. Not only do different groups across the lines of defense need to be able to work together, they need to be able to share information and have a consistent and single source of truth for GRC activities, accountabilities, and controls.

The Bottom Line: Three Lines of Defense is an integrated GRC framework with the goal of allowing different parts of the organization to work cohesively together to reliably achieve objectives while addressing uncertainty and acting with integrity. It enables what OCEG calls Principled Performance, and ensures that there are clear responsibilities, accountability, and oversight of risk and control at all levels of the organization. Organizations are adopting the Three Lines of Defense Model for GRC as they have come to realize that silos of GRC that do not collaborate and work together lead to inevitable failure. There is a need for visibility across these lines of defense that is scalable, integrated and consistent. The Three Lines of Defense Model enables efficient, effective, and agile business.

GRC 20/20's latest research piece evaluating solutions on this topic is:


Understanding Risk Management Process & Architecture

The risk management strategy and policy is supported and operationalized through a risk management architecture. Organizations require complete situational and holistic awareness of risks across operations, processes, transactions, and data to see the big picture of risk in context of organizational performance and strategy. Distributed, dynamic, and disrupted business requires the organization to take a strategic approach to risk management architecture. The architecture defines how organizational processes, information, and technology is structured to make risk management effective, efficient, and agile across the organization and its relationships.

There are three areas of the risk management architecture:

  • Risk management process architecture
  • Risk management information architecture
  • Risk management technology architecture

It is critical that these architectural areas be initially defined in this order. It is the business processes that often determine the types of information needed, gathered, used, and reported. It is the information architecture combined with the process architecture that will define the organization’s requirements for the technology architecture. Too many organizations put the cart before the horse and select technology for risk management first, which then dictates what their process and information architecture will be. This forces the organization to conform to a technology for risk management instead of finding the technology that best fits their process and information needs.

Risk Management Process Architecture

Risk management processes are a part and subset of overall business processes.  Processes are used to manage and monitor the ever-changing risk environments.

The risk management process architecture is the structural design of processes, including their components of inputs, processing, and outputs. This architecture inventories and describes risk management processes, each process’s components and interactions, and how risk management processes work together as well as with other enterprise processes.

While risk management processes can be very detailed and vary by organization and industry, there are five that organizations should have in place:

  • Risk identification. This is the collection of processes aimed at automating a standard, objective approach for identifying risk. Understand your surroundings. It is about the internal business context, the external environment that business operates in, and your strategy as to where the business is heading. On an ongoing basis, and separate from monitoring of individual risks, is the ongoing process to monitor risk, regulatory, and business environments as well as the internal business environment. The purpose is to identify opportunities as well as risks that are evolving that impact the overall objectives and performance of the organization. A variety of regulatory, environmental, economic, geo-political, and internal business factors can affect the success or failure of any organization. This includes the potential for natural disasters, disruptions, commodity availability and pricing, industry developments, and geo-political risks. This also involves monitoring relevant legal and regulatory environments in corresponding jurisdictions to identify changes that could impact the business and its objectives.
  • Risk assessment. Once an organization identifies risk it then can identify what can happen to help or hinder your objectives. An organization wants to identify the possibilities of outcomes to what can impact it achieving objectives. This should go beyond heat maps to include a vareity of risk analysis and assessment techniques (e.g., bow-tie risk assessments, scenario analysis, Bayesian modeling).
  • Risk treatment. After the range of potential possibilities is understood, the organization needs to decide what to do. What is going to be the best route for the organization to achieve objectives while minimizing loss/harm. This gets into risk measurement activities of understanding inherent and residual risk while looking at risk strategies of risk acceptance, risk transfer (insurance), risk avoidance, or risk mitigation (controls). The goal is to optimize value and return while keeping risk within acceptable levels of risk tolerance and appetite.
  • Risk monitoring. This stage includes the array of processes to continuously monitor risks in the organization. These activities are the ones typically done within the organization to monitor and assess risks on an ongoing basis.
  • Risk communications & attestations. Ongoing processes to manage the communications and interactions with risk owners throughout the risk management lifecycle. These are done on a periodic basis or when certain risk conditions are triggered.

Effective risk management processes deliver:

  • Holistic awareness of risk. This means there is defined risk taxonomy across the enterprise that structures and catalogs risk in the context of business and assigns accountability. A consistent process identifies risk and keeps the taxonomy current. Various risk frameworks are harmonized into an enterprise risk framework. The IT architecture in place aggregates risk data and effectively communicates, monitors, and manages risk.
  • Establishment of risk culture and policy. Risk policy must be communicated across the business to establish a risk management culture. Risk policies are kept current, reviewed, and audited on a regular basis. Risk appetite and tolerance are established and reviewed in the context of the business, and are continuously mapped to business performance and objectives. Technology monitors key risk indicators (KRIs) to ensure management of risk policy, and the management of risk against risk appetite, tolerance, and capacity.
  • Risk-intelligent decision-making. This means the business has what it needs to make risk-intelligent business decisions. Risk strategy is integrated with business strategy — it is an integral part of business responsibilities. Risk assessment is done in the context of business change and strategic planning, and structured to complement the business lifecycle to help executives make effective decisions.
  • Accountability of risk. Accountability and risk ownership are established features of risk management. Every risk, at the enterprise and business-process level, has clearly established owners. Risk is communicated to stakeholders and the organization’s track record should illustrate successful management of risk against established risk tolerances and appetite.
  • Multidimensional risk analysis and planning. The organization needs a range of risk analytics, correlation, and scenario analysis. Various qualitative and quantitative risk analysis techniques must be in place and the organization needs an understanding of historical loss to feed into analysis. Risk treatment plans — whether acceptance, avoidance, mitigation, or transfer — must be effective and monitored for progress.
  • Visibility of risk as it relates to performance and strategy. The enterprise views and categorizes risk in the context of corporate optimization, performance, and strategy. KRIs are implemented and mapped to key performance indicators (KPIs). Risk indicators are assigned established thresholds and trigger reporting that is relevant to the business and effectively communicated. Risk information adheres to information quality, integrity, relevance, and timeliness.

The next post will explore risk management information and technology architecture. I would love to hear your thoughts and comments on risk management strategy and process . . .


This post is an excerpt from GRC 20/20’s latest Strategy Perspective research: Risk Management by Design: A Blueprint for Federated Enterprise Risk Management

  • Have a question about Risk Management Solutions and Strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .
  • Risk Management by Design Workshop. Engage GRC 20/20 to facilitate and teach the Risk Management by Design Workshop in your organization.
  • Looking for Risk Management Solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over 500 requirements for risk management solutions.

GRC 20/20’s Risk Management Research includes . . .

Register for the upcoming Research Briefing presentation:

Access the on-demand Research Briefing presentation:

Strategy Perspectives (written best practice research papers):

Solution Perspectives (written evaluations of solutions in the market):

Case Studies (written evaluations of specific strategies and implementations within organizations):


Risk Management by Design

The physicist, Fritjof Capra, made an insightful observation on living organisms and ecosystems that also rings true when applied to risk management:

“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”

Capra’s point is that biological ecosystems are complex and interconnected and require a holistic understanding of the intricacy in interrelationship as an integrated whole rather than a dissociated collection of parts. Change in one segment of an ecosystem has cascading effects and impacts to the entire ecosystem. This is also true in risk management. What further complicates this is the exponential effect of risk on the organization.  Business operates in a world of chaos.  Applying chaos theory to business is like the ‘butterfly effect’ in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Dissociated data, systems, and processes leaves the organization with fragments of truth that fail to see the big picture of performance, risk, and compliance across the enterprise and how it supports the organization’s strategy and objectives. The organization needs to have holistic visibility and situational awareness into risk relationships across the enterprise. Complexity of business and intricacy and interconnectedness of risk data requires that the organization implement a risk management strategy.

Different Approaches Organizations Take in Managing Risk

The primary directive of a mature risk management program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of risks in context of organizational performance, objectives, and strategy. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of risks across the extended enterprise.

GRC 20/20 has identified three approaches organizations take to manage risk:

  • Anarchy – ad hoc department silos. This is when the organization has different departments doing different yet similar things with little to no collaboration between them. Distributed and siloed risk management initiatives never see the big picture and fail to put risk management in the context of organization strategy, objectives, and performance. The organization is not thinking big picture about how risk management processes can be designed to meet a range of needs. An ad hoc approach to risk management results in poor visibility into the organization’s relationships, as there is no framework for bringing the big picture together; there is no possibility to be intelligent about risk and performance. The organization fails to see the web of risk interconnectedness and its impact on performance and strategy leading to greater exposure than any silo understood on its own.
  • Monarchy – one size fits all. If the anarchy approach does not work then the natural reaction is the complete opposite: centralize everything and get everyone to work from one perspective. However, this has its issues as well. Organizations run the risk of having one department be in charge of risk management that does not fully understand the breadth and scope of risks and risk management needs. The needs of one area may shadow the needs of others. From a technology point of view, it may force many parts of the organization into managing risk with the lowest common denominator and watering down risk management. Further, there is no one-stop shop for everything risk management as there are a variety of pieces to risk management that need to work together.
  • Federated – an integrated and collaborative approach. The federated approach is where most organizations will find the greatest balance in collaborative risk management, governance, and oversight. It allows for some department/business function autonomy where needed but focuses on a common governance model and architecture that the various groups in risk management participate in. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across risk relationships as it allows different business functions to be focused on their areas while reporting into a common governance framework and architecture. Different functions participate in risk management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.

Risk Management Strategic Plan

Designing a federated risk management program starts with defining the risk management strategy. The strategy connects key business functions with a common risk governance framework and policy.  The strategic plan is the foundation that enables risk transparency, discipline, and control of the ecosystem of risk across the enterprise.

The core elements of the risk management strategic plan include:

  • Risk management team. The first piece of the strategic plan is building the cross-organization risk management team (e.g., committee, group). This team needs to work with risk owners to ensure a collaborative and efficient oversight process is in place. The goal of this group is to take the varying parts of the organization that have a vested stake in risk management and get them collaborating and working together on a regular basis. Various roles often involved on the risk management team are: enterprise/operational risk management, compliance, ethics, legal, finance, information technology, security, audit, quality, health & safety, environmental, and business operations. One of the first items to determine is who chairs and leads the risk management team.
  • Risk management charter. With the initial collaboration and interaction of the risk management team in place, the next step in the strategic plan is to formalize this with a risk management charter. The charter defines the key elements of the risk management strategy and gives it executive and board authorization. The charter will contain the mission and vision statement of risk management, the members of the risk management team, and define the overall goals, objectives, resources, and expectations of enterprise risk management. The key goal of the charter is to establish alignment of risk management to business objectives, performance, and strategy. The charter also should detail board oversight responsibilities and reporting on risk management.
  • Risk management policy. The next critical item to establish in the risk management strategic plan is the writing and approval of the risk management policy (and supporting policies and procedures). This sets the initial risk management structure in place by defining categories of risk, associated responsibilities, approvals, assessments, evaluation, audits, and reporting. The policy should require that an inventory of all risks be maintained with appropriate categorizations, approvals, and identification of risks.

This post is an excerpt from GRC 20/20’s latest Strategy Perspective research: Risk Management by Design: A Blueprint for Federated Enterprise Risk Management

  • Have a question about Risk Management Solutions and Strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .
  • Risk Management by Design Workshop. Engage GRC 20/20 to facilitate and teach the Risk Management by Design Workshop in your organization.
  • Looking for Risk Management Solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over 500 requirements for risk management solutions.

GRC 20/20’s Risk Management Research includes . . .

Register for the upcoming Research Briefing presentation:

Access the on-demand Research Briefing presentation:

Strategy Perspectives (written best practice research papers):

Solution Perspectives (written evaluations of solutions in the market):

Case Studies (written evaluations of specific strategies and implementations within organizations):


Monitoring and Managing Risk Effectively

Challenge to Boards, Executives, and Risk Management Professionals

Organizations take risks all the time but fail to monitor and manage risk effectively. Further, risk management is too often seen as a compliance exercies and not truly integrated with decision making and objectives of the organization. A cavalier approach to risk-taking is a result of a poorly defined risk culture. It results in disaster, providing case studies for future generations on how poor risk management leads to the demise of corporations — even those with strong brands.

Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, projects, strategy, processes, competitive velocity, technology, and business data encumbers organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as risk management professionals throughout the business. Particularly when risk management is approached from a compliance or audit anlge and not as an integrated displine of decision making that has a symbiotic relationship on performance. Organizations need to understand how to monitor risk-taking, whether they are taking the right risks, and whether risk is managed effectively.

The modern organization is:

  • Distributed. Even the smallest of organizations can have distributed operations complicated by a web of global supplier, agent, business partner, and client relationships. The traditional brick and mortar business with physical buildings and conventional employees have been replaced with an interconnected mesh of relationships and interactions which define the modern organization.  Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy.
  • Dynamic. Organizations are in a constant state of flux as distributed business operations and relationships grow and change. At the same time, the organization is trying to remain competitive with shifting business strategies, technologies, and processes while also keeping pace with change to risk environments around the world. The multiplicity of risk environments that organizations have to monitor span regulatory, geo-political, market, credit, and operational risks. Managing risk and business change on numerous fronts has buried many organizations.
  • Disrupted. The explosion of data in organizations has brought on the era of “Big Data” and with that “Big Risk Data.” Organizations are attempting to manage high volumes of structured and unstructured data across multiple systems, processes, and relationships to see the big picture of performance, risk, and compliance. The velocity, variety, veracity, and volume of risk data is overwhelming – disrupting the organization and slowing it down at a time when it needs to be agile and fast.

Understand the Interrelationship of Risk and Its Impact

Risk management is often misunderstood, misapplied, and misinterpreted as a result of scattered and uncoordinated approaches. Risk is pervasive; there are a variety of departments that manage risk with varying approaches, models, needs, and views on what risk is and how it should be measured and managed. These challenges come at department and process levels, and build as organizations develop operational and enterprise risk management strategies.

For some organizations, risk management is only an expanded view of routine financial controls with the result nothing more than a deeper look into internal controls with some heat maps thrown in, and does not truly provide an enterprise view of risk. Despite this, organizations remain keenly interested in how to improve risk management.

Risk management silos — where distributed business units and processes maintain their own data, spreadsheets, analytics, modeling, frameworks, and assumptions — pose a major challenge. Documents and spreadsheets are not equipped to capture the complex interrelationships that span global operations, business relationships, lines of business, and processes. Individual business areas focus on their view of risk and not the aggregate picture, unable to recognize substantial and preventable losses. When an organization approaches risk in scattered silos that do not collaborate, there is no opportunity to be intelligent about risk as it intersects, compounds, and interrelates to create a larger risk exposure than each silo is independently aware of. A siloed approach fails to deliver insight and context and renders it nearly impossible to make a connection between risk management and decision making, business strategy, objectives, and performance.

It can be bewildering to make sense of risk management and its varying factions across enterprise, operational, project, legal/regulatory, third-party, strategic, insurance, and hazard risks. This makes enterprise and operational risk management a challenge when risk management strategy forces everyone into one flat view of risk to conform and have significant issues in risk normalization and aggregation as they roll-up risk into enterprise risk reporting.

Providing 360° Contextual Awareness of Risk

Managing risk effectively requires multiple inputs and methods of modeling and analyzing risk. This requires information gathering — risk intelligence — so the organization has a full perspective and can make better business decisions. This is an important part of developing a risk analysis framework. Mature risk management is built on a risk management process, information, and technology architecture that can show the relationship between objectives, risks, controls, loss, and events.

In light of this, organizations should consider:

  • Does the organization understand the risk exposure to each individual process/project and how it interrelates with other risks and aggregates in an enterprise perspective or risk?
  • How does the organization know it is taking and managing risk effectively to achieve optimal operational performance and meet strategic objectives?
  • Can the organization accurately gauge the impact risk has on strategy, performance, project, process, department, division, and enterprise levels?
  • Does the organization have the information it needs to quickly respond to and avoid risk exposure, and also to seize risk-based opportunities?
  • Does the organization monitor key risk indicators across critical projects and processes?
  • Is the organization optimally measuring and modeling risk?

Gathering multiple perspectives on risk is critical for producing effective relational diagrams, decision trees, heat maps, and scenarios. This risk intelligence comes from:

  • The external perspective. Monitoring the external environment for geopolitical, environmental, competitive, economic, regulatory, and other risk intelligence sources.
  • The internal perspective. Evaluating the internal environment of objectives, projects, risks, controls, audits, loss, performance and risk indicators, and other internal data points.

The bottom line: Organizations are best served to take a federated approach to risk management that allows different projects, processes, and departments to have their view of risk that can roll into enterprise and operational risk management and reporting that supports business objectives and is integrated with decision making. This is done through a common risk management strategy, process, information, and technology architecture to support overall risk management activities from the process level up through an enterprise view. Organizations need to clearly understand the breadth and depth of their risk management strategy and process requirements and select the right information and technology architecture that is agile and flexible to meet the range of risk management needs today and into tomorrow.


This post is an excerpt from GRC 20/20’s latest Strategy Perspective research: Risk Management by Design: A Blueprint for Federated Enterprise Risk Management

  • Have a question about Risk Management Solutions and Strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .
  • Risk Management by Design Workshop. Engage GRC 20/20 to facilitate and teach the Risk Management by Design Workshop in your organization.
  • Looking for Risk Management Solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over 500 requirements for risk management solutions.

GRC 20/20’s Risk Management Research includes . . .

Register for the upcoming Research Briefing presentation:

Access the on-demand Research Briefing presentation:

Strategy Perspectives (written best practice research papers):

Solution Perspectives (written evaluations of solutions in the market):

Case Studies (written evaluations of specific strategies and implementations within organizations):


Providing 360° Contextual Awareness of Risk

Monitoring and Managing Risk Effectively

A Challenge for Boards, Executives, and Risk Management Professionals

Organizations take risks all the time but fail to monitor and manage risk effectively. Organizations need to understand how to monitor risk-taking, whether they are taking the right risks, and whether risk is managed effectively. A cavalier approach to risk-taking is a result of a poorly defined risk culture. It results in disaster, providing case studies for future generations on how poor risk management leads to the demise of corporations — even those with strong brands. Gone are the years of simplicity in business operations.  Exponential growth and change in risks, regulations, globalization, distributed operations, projects, strategy, processes, competitive velocity, technology, and business data encumbers organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as risk management professionals throughout the business.

Organizations Need to Understand the Interrelationship of Risk and Its Impact

Risk management is often misunderstood, misapplied, and misinterpreted as a result of scattered and uncoordinated approaches. For some organizations, risk management is only an expanded view of routine financial controls, is nothing more than a deeper look into internal controls with some heat maps thrown in, and does not truly provide an enterprise view of risk. Despite this misperception, organizations remain keenly interested in how to improve risk management.

Risk is pervasive throughout organizations; there are a variety of departments that manage risk with varying approaches, models, needs, and views on what risk is and how it should be measured and managed. These challenges come at project and department levels, and build as organizations develop operational and enterprise risk management strategies.

Risk management silos — where distributed business units and processes maintain their own data, spreadsheets, analytics, modeling, frameworks, and assumptions — pose a major challenge. Documents and spreadsheets are not equipped to capture the complex interrelationships that span global operations, business relationships, lines of business, and processes. Individual business areas focus on their view of risk and not the aggregate picture, unable to recognize substantial and preventable losses. When an organization approaches risk in scattered silos that do not collaborate, there is no opportunity to be intelligent about risk as risk intersects, compounds, and interrelates to create a larger risk exposure than each silo is independently aware of. A siloed approach fails to deliver insight and context and renders it nearly impossible to make a connection between risk management and business strategy, objectives, and performance.

It can be bewildering to make sense of risk management and its varying factions across enterprise, operational, project, legal/ regulatory, third party, strategic, insurance, and hazard risks. This makes enterprise and operational risk management a challenge when risk management strategy forces everyone into one flat view of risk to conform and have significant issues in risk normalization and aggregation as they roll-up risk into enterprise risk reporting.

Selecting the Correct Risk Technology Is Crucial to Success

In addressing this, many organizations look to risk management/GRC platforms to provide the range of capabilities they are looking for. This is done particularly when they have enterprise or operational risk management strategies to provide an integrated view of risk across the organization. Indeed, for many industries risk management is so fundamental to the success of their business model that it is indoctrinated throughout their core policies and operating procedures.

Organizations have adopted a wide range of technologies for risk management. Some are broad enterprise or operational risk platforms. Some solutions can be very narrow and limiting in which different departments lose capabilities they need, while other solutions can be very broad and adaptable. There are a variety of very focused risk solutions that excel at specific areas of risk management. These include:

  • Solutions focused on specific risks. These are solutions designed to manage and assess risk deeply on a very specific risk area. Such as, commodity risk, foreign exchange risk, privacy risk, model risk, and dozens of other risk areas.
  • Solutions focused on department/function risk management needs. These are solutions that are aimed at managing risks within a common department/functional area providing a common platform that specializes in risk within that area. Such as, information security, health & safety, corporate compliance, audit, finance, treasury, and more.
  • Solutions aimed at project risk management. These are solutions that help the organization manage risk in projects.
  • Solutions aimed at finance/treasury risk management. These are solutions aimed at managing an array of financial and treasury risks such as capital, market, liquidity, and credit risks.
  • Solutions aimed at operational risk management. These are solutions aimed at managing operational risks across departments to provide an integrated view of risk across business operations.
  • Solutions aimed at enterprise risk management. These are solutions that take an integrated view of strategic, finance/treasury, and operational risks (legal and compliance risk being part of operational risk). However, many solutions that advertise themselves as enterprise risk management really are only doing operational or department risk management.
  • Tools for risk management. Then there are a range of solutions that assist in risk management, but do not fit in one of the other areas. They are tools to do surveys/questionnaires/assessments. Or they assist in modeling risk such as Monte Carlo tools or Bayesian modeling.

Providing 360° Contextual Awareness of Risk

Managing risk effectively requires multiple inputs and methods of modeling and analyzing risk. This requires information gathering — risk intelligence — so the organization has a full perspective and can make better business decisions. This is an important part of developing a risk analysis framework. Mature risk management is built on an information architecture that can show the relationship between objectives, risks, controls, loss, and events.

In light of this, organizations must evaluate:

  • Does the organization understand the risk exposure to each individual process/project and how it interrelates with other risks and aggregates in an enterprise perspective or risk?
  • How does the organization know it is taking and managing risk effectively to achieve optimal operational performance and meet strategic objectives?
  • Can the organization accurately gauge the impact risk has on strategy, performance, project, process, department, division, and enterprise levels?
  • Does the organization have the information it needs to quickly respond to and avoid risk exposure, and also to seize risk-based opportunities?
  • Does the organization monitor key risk indicators across critical projects and processes?
  • Is the organization optimally measuring and modeling risk?

Gathering multiple perspectives on risk is critical for producing effective relational diagrams, decision trees, heat maps, and scenarios. This risk intelligence comes from:

  • The external perspective: Monitoring the external environment for geopolitical, environmental, competitive, economic, regulatory, and other risk intelligence sources.
  • The internal perspective: Evaluating the internal environment of objectives, projects, risks, controls, audits, loss, performance and risk indicators, and other internal data points.

The bottom line: Organizations are best served to take a federated approach to risk management that allows different projects, processes, and departments to have their view of risk that can roll into enterprise and operational risk management and reporting. This is done through a common information and technology architecture to support overall risk management activities from the project level up through an enterprise view. Whether for a project or department risk management need, or to manage enterprise and operational risk across the organization, risk management solutions are in demand. Organizations need to clearly understand the breadth and depth of their risk management technology requirements and select the solution that is agile and flexible to meet the range of the organizations risk management needs today and into tomorrow.

Watch on demand GRC 20/20's guidance on the Risk Management technology market and what makes a basic, common, and advanced risk management solution or platform . . .


Mistakes & Challenges in Risk Management Technologies and Strategies

Risk management is pervasive throughout organizations. There are many departments that manage risk with a variety of approaches, models, needs, and views into risk. This makes enterprise and operational risk management a challenge. Organizations often fail in enterprise risk management strategies when they force everyone into one flat view of risk, they also fail when they allow different views of risk but do not consider risk normalization and aggregation as they roll-up risk into enterprise reporting.

Organizations have adopted a wide range of technologies for risk management. There are several hundred solutions in the risk management market (a segment of the GRC market). Some are broad enterprise or operational risk platforms. Some solutions can be very narrow and limiting in which different departments lose capabilities they need, while other solutions can be very broad and adaptable. There are a variety of very focused risk solutions that excel at specific areas of risk management. These include:

  • Solutions focused on specific risks. These are solutions designed to manage and assess risk deeply on a very specific risk area. Such as, commodity risk, foreign exchange risk, privacy risk, model risk, and dozens of other risk areas.
  • Solutions focused on department/function risk management needs. These are solutions that are aimed at managing risks within a common department/functional area providing a common platform that specializes in risk within that area. Such as, information security, health & safety, corporate compliance, audit, finance, treasury, and more.
  • Solutions aimed at project risk management. These are solutions that help the organization manage risk in projects.
  • Solutions aimed at finance/treasury risk management. These are solutions aimed at managing an array of financial and treasury risks such as capital, market, liquidity, and credit risks.
  • Solutions aimed at operational risk management. These are solutions aimed at managing operational risks across departments to provide an integrated view of risk across business operations.
  • Solutions aimed at enterprise risk management. These are solutions that take an integrated view of strategic, finance/treasury, and operational risks (legal and compliance risk being part of operational risk). However, many solutions that advertise themselves as enterprise risk management really are only doing operational or department risk management.
  • Tools for risk management. Then there are a range of solutions that assist in risk management, but do not fit in one of the other areas. They are tools to do surveys/questionnaires/assessments. Or they assist in modeling risk such as monte carlo tools or Bayesian modeling.

The challenge is that there is not a one-stop solution for all of an organizations risk management needs. There is no a solution provider out there that addresses every area and need of risk management across the organization. In addressing this, many organizations look to risk management/GRC platforms to provide the range of capabilities they are looking for. This is done particularly when they have enterprise or operational risk management strategies to provide an integrated view of risk across the organization. HOWEVER, organizations are frequently failing in these implementations as they encounter the following issues in risk management:

  • Failing to provide top-down and bottoms up risk perspective. This is a controversial topic in the risk community, and one that I am sure I will get hammered on by opponents on either side. There are those that see that risk is all about strategy and objectives and you should do a top-down analysis of risk that starts with strategy and objectives. The other side are approaches that see risk management as a bottoms up by identifying risk at the lowest level of operations, transactions, and processes and rolling it up. My perspective is that both are needed. Risk management has to be in context of strategy and objectives, but so often something unseen down in the weeds of processes can rear its ugly head and devastate the organization. This may often have been missed in a pure top-down strategy.
  • No multi-dimensional mapping of risk relationships and impacts. A single risk can impact the organization in different ways and have exponential impact when considered in context of other risks managed in other areas but no one sees the range of related risks. Organizations fail to map risks into different hierarchies of relationships and show a multi-dimensional view of risk, impact, and relationships as it intersects with other risk categories not in the same risk hierarchy (see my post The Titanic: an Analogy of Enterprise Risk).
  • Forcing everyone into a one-size fits all risk analysis methodology. Organizations too often select risk solutions for enterprise or operational risk management that require a one-size fits all approach to risk analysis that ends up watering down risk assessments to the lowest common denominator. Well established approaches for managing risk in areas of the organization get pushed aside and the particular specialized views and details are lost leading to greater exposure. Where health & safety may have been using bow-tie risk analysis they are not forced to use heatmaps and stoplight diagrams. The organization loses depth in risk management by selecting solutions that do not have the breadth of capabilities the organization needs.
  • Lack of risk normalization and aggregation. Organizations attempt enterprise or operational risk management by utilizing solutions that lock them into a single flat view of risk scoring and appetite that creates issues when identifying and managing localized operational threats and opportunities as everything is scaled to an enterprise view. What happens when IT security’s high risk is actually lower than finance’s low risk? Either different departments have to measure all their risks in a single context that fits the entire organization, and they lose a department level perspective that is of value. Or they measure everything at a department, function, process, or project level and fail in enterprise risk reporting as they compare apples and oranges. Very few solutions on the market offer a capability to do risk normalization and aggregation. For effective risk normalization and aggregation, risks must be assessed both qualitatively and quantitatively with standardized methodologies that allow for a view of risk at an enterprise level as well as lower localized levels.
  • Overreliance on heat maps. I have written about my frustration with heat maps for the past 13 years. They provide a false view of risk. The standard two-dimensions are likelihood and impact with the upper right being perceived as the greatest risk of high-likelihood and high-impact. This is false. What organization is having billion-dollar loss events on a regular basis? They are out of business. The greatest risk exposure often is the low likelihood and high-impact events that heat maps fail to call out properly.
  • Lack of supportive risk data. Too often I see very subjective responses to risk assessments. When asked to measure risk in dimensions of likelihood and impact (there are more but we will stick to these as it is most often seen), it is often complete guess work. The organization fails to provide a history of risk events that have materialized top be an event with loss on the organization. When assessing and modeling risk, organizations need a history to mine to see how this risk has materialized in the past within their organization and with peers to be able to objectively score dimensions of likelihood and impact.

Many of these failures in enterprise and operational risk management are the result of organizations selecting GRC and risk platforms that are inadequate for the job. They rely on Gartner and Forrester reports that have a bias toward IT risk management and score and rank risk management solutions in a way that makes no sense. Gartner often only wants to see a ½ hour video demo and sends web surveys to client references. Yet organizations of all sizes are basing their enterprise and operational risk management platform purchases on analyst reports that lack depth (Forrester Waves are very broad in scope), or lack published criteria (Gartner Magic Quadrants are what they say they are, magic as the criteria, and results, are a complete mystery).

Organizations need to start thinking about risk management architecture. Organizations are often best served to take a federated approach to risk management that allows different departments some level of autonomy and supports their department level risk management strategies but also enable a common information and technology architecture to support overall enterprise and operational risk management activities and reporting.

There is no one-stop risk management solution that does everything risk management for the entire organization. Which solution can provide the best core for enterprise and operational risk management that has the right range of risk mapping, modeling, and analytic needs for the majority of the organization. But then also needs to be able to integrate with best of breed risk solutions that offer specific functionality in areas where needed.

Whether for a department risk management need, or to manage enterprise and operational risk across the organization, risk management solutions are in demand. Recent RFP and inquiry trends that GRC 20/20 is involved with show a growing demand for integrated cross-department risk management solutions. There are several hundred solutions available in risk management with varying capabilities and approaches.  Organizations need to clearly understand the breadth and depth of their requirements, map these into risk solutions capabilities, and understand that there is no one size fits all solution for risk management no matter what solution providers may say. It has become a complex segment of the GRC market to navigate, understand, and find the solution(s) that are the perfect fit for your organization.

Organizations looking for risk management solutions and intelligence can get objective insight through:

GRC 20/20’s next Research Briefing is on How to Purchase Risk Management Solutions & Platforms. Organizations looking for risk solutions should attend to help them scope their requirements and approach the market.

AGENDA . . .

  1. Defining & Understanding Risk Management
    • Definition, Drivers, Trends & Best Practices
  2. Critical Capabilities of a Risk Management Platform
    • What Differentiates Basic, Common, & Advanced Solutions
  3. Considerations in Selection of a Risk Management Platform
    • Decision Framework & Considerations to Keep in Mind
  4. Building a Business Case for Risk Management
    • Trajectory of Value in Effectiveness, Efficiency & Agility

The GRC Pundit will help organizations . . .

  • Defineand scope the risk management market
  • Understandrisk management drivers, trends, and best practices
  • Relatethe components of what makes a risk management platform
  • Identifycore features/functionality of basic, common, and advanced risk management platforms
  • Mapcritical capabilities needed in a risk management platform
  • Predictfuture directions and capabilities for risk management
  • Scopehow to purchase risk management platforms in a decision-tree framework
  • Discernconsiderations to keep in mind as you evaluate risk management solutions

[add_single_eventon id="3028" show_exp_evc="yes" open_as_popup="yes" ]


Best Practice in Model Risk Management: Modeling Your Models

What is a Model?

By definition, a model is a mathematical approximation of scenarios that is used to analyze and forecast prices, events, risks, relationships, and future outcomes.  It is formally defined as “a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.”[1. While there are several related regulatory guidance and notices, the core guidance is found in OCC SR-11-7, Supervisory Guidance on Model Risk Management (http://www.occ.treas.gov/news-issuances/bulletins/2011/bulletin-2011-12a.pdf).  The Federal Reserve has similar guidance (http://www.federalreserve.gov/bankinforeg/srletters/sr1107a1.pdf).  Most recently, the OCC released requirements in its publication Dodd-Frank Act Stress Testing (DFAST) Reporting Instructions OCC Reporting Form DFAST-14A December 2014 http://www.occ.gov/tools-forms/forms/bank-operations/DFAST-14A-Template-Instructions.pdf.]

Models are used across industries to analyze, predict, and represent performance and outcomes that impact operations and business strategy. A range of departments, functions, and roles rely on models as a critical foundation of business processes that support long-term strategic planning as well as day-to-day tactical decisions. They are used pervasively to:

  • Analyze business strategies
  • Inform decisions
  • Identify and measure risk
  • Value exposure in financial products or positions
  • Conduct stress testing
  • Assess adequacy of capital
  • Manage client assets
  • Comply to internal limits
  • Measure and maintain controls and oversight
  • Meet financial and regulatory reporting requirements
  • Provide input into public disclosures.

When Models Fail

While the common understanding of models is that they have three components – input, processing and reporting – the reality is that there are multiple parts to each of these component areas.  Multiple components within input, processing, and reporting connect to each other and have an array of data and analytics.  Adding to this complexity is the human and process elements intertwined throughout the business use of models that weave together a variety of manual processing and technology integration elements needed to run the model.

Organizations have become highly dependent upon models to support critical business processes and decisions. However, models come with risks when internal errors or misuse results in bad decisions. Model risk is the potential for adverse consequences from decisions based on incorrect or misused models and leads to financial loss, poor business and strategic decision-making, and damage to a financial service organization’s brand. It is ironic that the very tools often used to model and predict risk can be a significant risk exposure themselves.

Models, inappropriately used and controlled, bring a number of risks to the organization, because of:

  • Dynamic and changing risk and business environments.
  • Lack of governance and control of models and their components (e.g., spreadsheets).
  • Not understanding the variety of inputs beyond the processing component of the model.
  • Errors in input, processing, and reporting.
  • Misuse of models for purposes they were not designed for.
  • Misrepresentation of reality within models.
  • Limitations in the models.
  • Pervasiveness of models and their use.
  • Big data and GRC interconnectedness.
  • Inconsistent development and validation of models.

Increasing Pressure on Model Risk Management

Increasing model risk combined with a cavalier approach to models has led to increasing regulatory requirements and scrutiny in the governance and use of models. The Federal Reserve Comprehensive Capital Analysis and Review (CCAR)[2. http://www.federalreserve.gov/bankinforeg/ccar.htm] has taken into account the growth and use of models and the need for greater regulatory oversight. Most recently, the OCC released detailed model governance and risk management requirements in December 2014: Dodd-Frank Act Stress Testing (DFAST) Reporting Instructions OCC Reporting Form DFAST-14A December 2014.[3. http://www.occ.gov/tools-forms/forms/bank-operations/DFAST-14A-Template-Instructions.pdf] This has further defined requirements for model risk management and specifically calls out the scope of end user computing applications in model risk.

A Firm Foundation for Model Risk Management

Model governance and risk management has not historically been a strategic priority for organizations. Without a structure to govern models, risk exposure has grown and the result is increasing regulatory pressure.  Organizations should not see model risk management as simply a regulatory obligation; model governance enables strategic decision-making and performance management.

To effectively manage model risk, organizations need a structured approach to:

  • Model risk governance. A well-defined model governance framework to manage model risk that brings together the right roles, policies, and inventory.
  • Model risk management lifecycle. An end-to-end model risk management lifecycle to manage and govern models from their development, throughout their use in the environment, including their maintenance and retirement.
  • Model risk management architecture.  Effective management of model risk in today’s complex and dynamic business environment requires an information and technology architecture that enables model risk management.

Best Practice: Organizations Need to ‘Model’ their Models

Models are complex and have a plethora of data and technology pieces.  Being able to document these pieces and layout how they function and operate together has become critical to maintaining a model inventory and documentation.  The mature model risk management program will leverage enterprise architecture and business modeling technologies to provide an accurate model inventory with detailed documentation of the components and how they function.

Utilizing enterprise architecture and business modeling technologies allows the organization to define all the pieces to models, maintain an accurate model inventory, ensure that models are built from standard and approved IT components and identify where exceptions lie, and provide a visual representation and documentation of the model and how it functions.  It is through the ability to ‘model’ the models that the organization then accurately manages information and technology architecture for model risk management.


Have a question? If you are an organization that is facing the challenges of Model Risk Management, utilize GRC 20/20 to get your questions answered.  As part of our research we offer complimentary inquiries to get your question answered and point you in the direction of who provides the write technology and solutions to solve your model risk management needs.

[button link="http://grc2020test.cloudaccess.host/inquiry-submission/" color="default"]SUBMIT INQUIRY[/button]

Want to read more?  This post by The GRC Pundit is from a longer research piece on Model Risk Management in the Financial Services Industry.

[button link="http://grc2020test.cloudaccess.host/2015/04/01/1601/" color="default"]READ MORE[/button]