- Business Operations.The front lines of the organization across operations and processes comprise the roles that make risk and control decisions every day. This represents the functions within departments and processes that ultimately own and manage risk and controls in the context of business activities. These roles need to be empowered to identify, assess, document, report, and respond to risks, issues, and controls in the organization. This first layer operates within the policies, controls, and tolerances defined by the next layer of defense, GRC professionals.
- GRC Professionals.The back office of GRC functions (e.g., risk management, corporate compliance, ethics, finance, health & safety, security, quality, legal, and internal control) are the roles that specify and define the boundaries of the organization that are established in policy, procedure, controls, and risk tolerances. These roles oversee, assess, monitor, and manage risk, compliance, and control activities in the context of business operations, transactions, and activities.
- Assurance Professionals.The third layer of defense is assurance professionals (e.g., internal audit, external audit) that provide thorough, objective, and independent assurance on business operations and controls. It is their primary responsibility to provide assurance to the Board of Directors and executives that the first and second lines of defense are operating within established boundaries and are providing complete and accurate information to management. This is accomplished through planning and executing audit engagements to support assurance needs.
While a lot of attention has been given to effective management of the second (risk and compliance managers) and third line (internal audit) of defense, not a lot has focused on how to effectively engage the first line of defense: the employees and managers in the front line of the organizations. Front line employees are making risk and compliance decisions every day and can either protect or expose the organization to unwanted issues. Risk and compliance are not just about the back office of risk, compliance, and audit management but it is about the front office engagement and education of employees on what is acceptable and unacceptable and how to report issues. While a lot of attention has been given to effective management of the second (risk and compliance managers) and third line (internal audit) of defence, not a lot has focused on how to effectively engage the first line of defence: the employees and managers in the front line of the organizations. GRC 20/20 is presenting on a webinar on how to engage and enable the front lines of your organization through effective communication and training on policies and how to report issues and incidents in the organization. Attendees will learn:
- GRC in the context of the Three Lines of Defence Model
- How the second and third line of defense depend on the first line to protect the organization
- How to effectively communicate and train the first line of defence on policies
- Methods for first line employees to identify and report issues and incidents
- How technology can automate and enable the first line of defense
- Driving efficiency, effectiveness and agility into all three lines of defense