GRC, ERM, and the Three Lines of Defense: Is it time to redefine the model?

Daniel A. Clark

Director of Internal Audit, Washington Trust Bank

For years, those of us in the control side of business have explained the Three Lines of Defense model to business leadership and other interested parties. That model, for those who may not know, highlights that the business is responsible for the first two lines of defense against risk and that Internal Audit—because they are independent—constitutes the third line of defense. There are many reasons for this segmentation and some very good arguments for its visualization.

I would suggest—with the advent of governance, risk, and compliance (GRC) technology and the continued evolution of enterprise risk management (ERM), plus risk management methodologies—that perhaps it’s time to let the Three Lines of Defense model evolve into its destined form.

It’s no longer an advantage to have Internal Audit stand alone as the final stopgap for risk management. We’ve moved far beyond arriving late to the party only to be told that the party was over before we even showed up. We should be intellectually honest enough to realize that holding Internal Audit on the island of independence is just an excuse to not have them involved where they can provide the most—and the best—value.

First of all, let me acknowledge that I have never believed audit independence is based on an organizational chart. Independence is a character issue only. Auditors can report to whomever they please, but ultimately the character of the auditor determines the level of independence they have, not where on the organizational chart their picture resides. To think otherwise is sheer folly and demeans the profession as well as the individual audit leader. With that admission, let’s explore the value of the new defense model.

The integration of Internal Audit with the first two lines of defense has the potential to electrify risk management and could be the catalyst that links real-time application to GRC visioning and ERM expectations. In football, sometimes the best defense is a good offense, and the time has come to bring Internal Audit to the offensive side of the ball. Let’s explore some ways to do just that while ensuring that Internal Audit remains independent.

Review of business controls: The first line of defense

An independent assessment on the effectiveness (i.e., design, implementation, and sustainability) of controls is a basic practice of Internal Audit. There’s nothing wrong with having auditors review controls for those three basic characteristics while processes are being revised or developed—or even during the implementation stages of process redesign. This provides the business with a real-time review of the proposed control structure in such a way that changes can be made before controls are even implemented.

A side benefit of early control review? The elimination of redundant controls or the confirmation that several controls working together actually mitigate the risk in the way the business expects.

Review of control functions: The second line of defense

One of the premises of the Three Lines of Defense model is that Internal Audit could rely on various internal control functions implemented by management. If we hold that belief to be true—and we should—then why does Internal Audit not support management by suggesting the proper organization, skills, and processes needed to achieve that goal?

Ultimately, Internal Audit will review any control function (compliance testing, quality control, credit risk review, etc.) against certain standards that allow full reliance. Internal Audit should move that review forward during the creation of these control functions, thereby assuring strong and sustainable processes that Internal Audit can ultimately rely on. This saves the business money and strengthens the second line of defense.

Integrated GRC: The lifeblood of ERM

Finally, GRC is a shared repository of information. Internal Audit should actively participate in the successful implementation and exploitation of GRC for ERM purposes. Results of audit tests, audit risk assessment, and audit monitoring can provide the business with independent confirmation that controls and risk management efforts are effective.

With Internal Audit populating the business’s GRC tool, management would have a more complete vision of risk and controls at their fingertips. Internal Audit then becomes a partner in risk management by providing independent confirmation that controls are effective. From a management perspective this means “one-stop shopping.” From an audit perspective, it means that auditors are on the path to becoming trusted advisors.

The days of separation need to end. Internal Audit and the rest of the business can become close allies in the battle against risks. ERM and the use of GRC tools have made it easier than ever for the proper synergy to exist. We should all make it happen.

