Three lines of defense in GRC

“Alert! Alert!” When defensive players hear this call on the football field, they must immediately switch to a new defensive strategy to prevent their opponents from entering the end zone and scoring points on the next play. The team must quickly line up in three lines of defense so that their own end zone remains protected. These “three lines of defense” originating from the American football game can also be applied in the everyday life of a company in governance, risk, and compliance (GRC), where they can ensure greater security for the organization.

This article will discuss how these lines of defense are structured in the GRC, what to look out for and the benefits they provide.

If you look at a football field as a GRC setting, the end zone corresponds to your own company, the team to the employees and the opposing team represents all potential compliance risks such as standards, laws, regulations, and emergencies. The coaches on the sidelines of the football field, who study the opponents in advance, determine game tactics and set guidelines for the style of play, embody corporate governance in the form of the CEO, CIO, CISO, CRM, etc.

Not all the risks actively try to attack the company, but all of them have the potential to do so. To protect the end zone, i.e., the company, it is important to act as compliantly as possible and to have the opponents (risks) permanently under control. The three lines of defense, which are set up as protective barriers in front of the end zone and represent corporate compliance with the areas of operational management, cross-sectional disciplines, and internal auditing, serve this purpose. They do not operate independently of each other as separate protective walls, but are to be understood as an overall construct in which the individual lines support and reinforce each other. Therefore, they are in constant communication with each other and with the coaches (corporate governance) on the sidelines—this is essential for the continuous optimization of the individual lines of defense and the processes within them.

The first line of defense of GRC is operational or departmental management.

This requires the commitment of all employees. Each individual bears professional responsibility for all processes in their organizational unit. This also includes responsibility for risks, controls, and key figures.

The first line of defense is thus about structuring tasks within the respective organizational unit, reviewing processes regarding their compliance conformity, and monitoring adherence to compliance requirements. This also includes reporting compliance violations that are detected at an early stage.

The second line of defense is formed by cross-sectional GRC disciplines such as the internal control system (ICS), process and risk management, occupational health and safety, data protection, environmental protection, compliance management, audit management, etc.

This is where the relevant requirements are defined and the procedure for implementing them in the company is determined. It is important that the potential for cooperation between all cross-sectional disciplines is recognized and exploited.

The third line of defense consists of internal auditing.

As an independent body, regular internal audits support the other two lines of defense by monitoring them and the entire GRC system, and checking for compliance violations, effectiveness, and efficiency.

The cross-departmental exchange contributes significantly to the team spirit and forms a clear goal—to win together. The three lines of defense model therefore considerably improves communication and collaboration between the various GRC management disciplines, which brings the company the following benefits:

• Clear responsibilities in corporate governance and in the GRC environment:
  Each line of defense takes on specific tasks, resulting in an improved assignment of responsibilities and clear roles.
• Better compliance adherence:
  While the second line of defense ensures increased compliance awareness by monitoring adherence to compliance requirements and internal policies, the third line of defense ensures compliance and conformity through independent audits.
• More transparent risk reporting:
  Close cooperation between the three lines of defense enables better and more transparent reports.
• Effective risk management:
  With the first line of defense directly managing risks in operational processes, the second line monitoring and supporting this, and the third line conducting independent reviews, risks can be managed more effectively.