In the current dynamic and disrupted business environment, teams need to band together to manage the vast web of the organization's risk management requirements. Whether it is operational managers and front-line employees, GRC professionals, or internal auditors, approaching GRC-related issues through an integrated lens is becoming increasingly critical for organizations seeking to secure the enterprise.
Each risk manager, operational manager, front-line employee, auditor, compliance officer, etc. brings their own specific set of skills and experience to the table, and an integrated approach allows the organization to break down siloed processes within its departments and divisions to gain a better understanding of emerging risks and their full impact on the business. This integrated approach also helps reduce gaps in internal controls and increases the efficiency of these processes.
The three lines of defense (3LD) is a straightforward model designed to help define roles and distribute responsibility throughout the organization. It provides a streamlined flow of tasks and responsibilities that helps ensure the success of GRC initiatives across the organization.
The model shows how risk management processes are distributed across different functions of the organization: from business operations (the first line) to the back-office GRC professionals (the second line) to independent assurance (the third line). In the 3LD model, risk management is divided among these smaller functions rather than concentrated in a single one.
Second Line: Back Office GRC Professionals
A single line of defense is not sufficient to protect the organization from emerging risks. The organization must establish various GRC functions to monitor and oversee the internal controls of the first line of defense and to ensure that the first line is operating within acceptable standards.
As a result, the second line of defense is designated for GRC professionals and stakeholders with specialized disciplines who provide the expertise and methods to ensure that the internal controls of the operational managers and the first line of defense are in place and adequately designed. These professionals are experienced in implementing risk management procedures effectively, and their careers are dedicated to risk management and control.
Typical functions of the second line of defense include:
· A risk management committee that helps facilitate and monitor risk practices and procedures
· A compliance function that monitors adherence to applicable legislation and regulation
· Monitoring risk exposure throughout the organization and reporting findings to the relevant authorities
Managing bodies must put these functions in place to ensure that risk procedures operate efficiently, and to provide the first line of defense with the guidance and expertise it needs to adequately carry out internal controls and risk procedures.