Internal Control Management by Design

Business is complex. Exponential growth and change in regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, disruptive technology, and business data impedes organizations. Keeping complexity and change in sync is a significant challenge for boards, executives, as well as governance, risk management, and compliance (GRC) functions throughout the business. Business is no longer defined by traditional brick-and-mortar walls. Physical buildings and conventional employees no longer define organizations. The organization is an interconnected mesh of relationships and interactions that span business boundaries. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy. Distributed business operations complicates the organization as it attempts to remain competitive with shifting business strategy, technology, and processes while keeping current with changes in risk and regulatory environments around the world.

Managing control activities in disconnected silos leads the organization to inevitable failure. What may seem like an insignificant risk in one part of the organization may very well have a different appearance when other risks are factored. Organizations with siloed and manual processes for control management rely on a range of documents, spreadsheets, and emails that are inefficient, out-of-sync, ineffective, lack agility, and are inadequate to manage internal controls. Reactive, document-centric, and manual processes fail to actively manage controls in the context of business strategy and performance, and leave the organization blind to intricate relationships of risk across the business. Organizations fail and are encumbered by unnecessary complexity because they manage controls around specific issues, without regard for a common integrated strategy and architecture.

Organizations are tasked to provide an integrated view of internal controls across finance, IT, and business processes and operations. A scope that provides a single internal control management function that coordinates and manages controls across operations and finance. This is what is covered in my Internal Control Management by Design workshops.

At the recent workshops in Washington D.C. and Houston (which were fully booked), the attendees interacted in breakout sessions on the challenges they are facing in internal control management. Their specific issues and challenges are:

  • Providing an integrated strategy and view of financial and operational controls across the organization.
  • Increasing confidence in risk coverage and the complexity of interconnectedness of risk and controls
  • Capturing business changes with updated and changing controls
  • Combining finance and operational control teams and revamping processes
  • Focusing on key controls that could cause the organization to overlook other controls
  • Managing the human element in controls management
  • Expanding regulatory requirements for internal control management such as GDPR, FPCA, PCAOB pressures
  • Addressing a lack of resources while being tasked with more internal control responsibilities across operational controls
  • Keeping controls aligned with business processes and a changing environment
  • Implementing a system/technology to manage ALL controls across the organization
  • Integrating controls into daily workflow particularly when transitions occur with staff and turnover

Controls are critical throughout business strategies, operations, and processes. Internal control management has become a critical foundation for enterprise GRC. The correct controls that are operationally effective are the linchpin to assure that the organization can reliably achieve objectives while addressing uncertainty and acting with integrity (OCEG definition of GRC). As organizations mature their approach to internal control management they are seeing more intersections with risk, compliance, and audit processes which require a more thorough strategy for managing controls in the context of the organization.

Reactive and stovepiped approaches to internal controls management leave the organization not seeing the big picture of how controls interrelate with each other, risks, and compliance obligations. This means the organization wastes resources on managing controls as separate assessments and projects instead of as an integrated whole. Defining strategy, managing operations, and addressing organization change requires agility in internal control management to provide assurance to boards, executives, GRC professionals, as well as the line of business. As business becomes increasingly complex in a changing business and risk environment – that struggles with growing regulations, globalization, and distributed operations – organizations need a blueprint for effective, efficient and agile internal control management. This requires organizations to design internal management into the organization as an integrated part of strategy and operations supported by an integrated internal control information architecture that allows organizations to have a 360° situational awareness of internal controls in context of business strategy and operations.

GRC 20/20’s Internal Control Management by Design workshop provides a blueprint for attendees on effective internal control management strategies in a dynamic business and risk environment. Attendees learn and collaborate/interact on internal control management strategies and techniques that can be applied across the organization and as part of broader GRC strategies. Learning is done through lectures, collaboration with peers, and workshop tasks.

Upcoming By Design Workshops include:

Three Lines of Defense: Enabling High Performing Organizations

Like battling the multi-headed Hydra in Greek mythology, redundant, manual, and uncoordinated governance, risk management, and compliance (GRC) approaches are ineffective. As the Hydra grows more heads of regulation, legal matters, operational risks, and complexity, scattered departments of GRC responsibilities that do not work together become overwhelmed and exhausted and start losing the battle. This approach increases inefficiencies and the risk that serious matters go unnoticed. Redundant and inefficient processes lead to overwhelming complexity that slows the business, at a time when the business environment requires greater agility.

Successful GRC strategy in complex business environments requires layers of protection to ensure that the organization can “reliably achieve objectives [Governance] while addressing uncertainty [Risk Management] and act with integrity [Compliance].” (source: Any strategist, whether in games, sports, combat, or business, understands that layers of defense are critical to the protection of assets and achievement of objectives. Consider a castle in the Middle Ages in which there are layers of protection by moats, gates, outer walls, inner walls, with all sorts of offensive traps and triggers along the way. Organizations are modern castles that require layers of defense to protect the organization and allow it to reliably achieve strategic objectives.

The Three Lines of Defense model is the key model that enables organizations to organize and manage layers of GRC controls and responsibilities. The European Commission originally established it in 2006 as a voluntary audit directive within the European Union. Since this time, it has grown in popularity and is now a globally accepted framework for integrated GRC across lines of defense within organizations – from the front lines, to the back office of GRC, to the assurance and oversight roles. GRC 20/20 sees the Three Lines of Defense Model as critical to enable organizations to reliably achieve objectives while addressing uncertainty and act with integrity.

As the name suggests, the Three Lines of Defense model is comprised of three layers of GRC responsibility and accountability in organizations. These are:

  • Business Operations. The front lines of the organization across operations and processes comprise the roles that make risk and control decisions every day. This represents the functions within departments and processes that ultimately own and manage risk and controls in the context of business activities. These roles need to be empowered to identify, assess, document, report, and respond to risks, issues, and controls in the organization. This first layer operates within the policies, controls, and tolerances defined by the next layer of defense, GRC professionals.
  • GRC Professionals. The back office of GRC functions (e.g., risk management, corporate compliance, ethics, finance, health & safety, security, quality, legal, and internal control) are the roles that specify and define the boundaries of the organization that are established in policy, procedure, controls, and risk tolerances. These roles oversee, assess, monitor, and manage risk, compliance, and control activities in the context of business operations, transactions, and activities.
  • Assurance Professionals. The third layer of defense is assurance professionals (e.g., internal audit, external audit) that provide thorough, objective, and independent assurance on business operations and controls. It is their primary responsibility to provide assurance to the Board of Directors and executives that the first and second lines of defense are operating within established boundaries and are providing complete and accurate information to management. This is accomplished through planning and executing audit engagements to support assurance needs.

The Three Lines of Defense Model is well understood and adopted globally. The major downside of the model is the name itself using the word ‘defense.’ This gives the model a perception of being reactionary and tactical and not strategic. This is unfortunate as the model enables high-performance by aligning accountabilities at different levels of the organization and getting these functions working together in context of each other. High performing organizations require consistency and controls to ensure the organization operates within boundaries of controls. The Three Lines of Defense Model is key to enable reliable achievement of objectives and consistent control of the business.

The key to success in implementing the Three Lines of Defense Model is collaboration. If the layers of accountability across the three lines do not collaborate and work together, GRC functions will remain in silos and be ineffective, inefficient, and lack agility to respond to a complex and dynamic business environment. Internal politics and divisions work against the Three Lines of Defense Model in organizations.

Another challenge for organizations in implementing the Three Lines of Defense Model is not having a consistent GRC process, information, and technology architecture. Not only do different groups across the lines of defense need to be able to work together, they need to be able to share information and have a consistent and single source of truth for GRC activities, accountabilities, and controls.

The Bottom Line: Three Lines of Defense is an integrated GRC framework with the goal of allowing different parts of the organization to work cohesively together to reliably achieve objectives while addressing uncertainty and acting with integrity. It enables what OCEG calls Principled Performance, and ensures that there are clear responsibilities, accountability, and oversight of risk and control at all levels of the organization. Organizations are adopting the Three Lines of Defense Model for GRC as they have come to realize that silos of GRC that do not collaborate and work together lead to inevitable failure. There is a need for visibility across these lines of defense that is scalable, integrated and consistent. The Three Lines of Defense Model enables efficient, effective, and agile business.

GRC 20/20’s latest research piece evaluating solutions on this topic is:

The Role of Internal Audit in Autogrill’s GRC Journey