The three lines of defense paradigm for audit, risk management, and compliance is so commonly accepted, so ingrained in the way that we think of GRC functions, that no one questions it. Until now. Last week at MetricStream’s London GRC summit, Paul Moore, former chief compliance officer and famed whistleblower at HBOS, said the three lines model doesn’t work. That conclusion raises the question of what can replace it.
The three lines model assumes that risks will follow the same hierarchical, process-oriented structure that the organizational model follows. But we all know the hierarchical org chart is not the real model for how value is created. Value chains do not follow organizational hierarchies, nor are they limited to a single business entity, and neither are the risks associated with the processes, regulatory requirements, and assets that those value chains incorporate. The real work is done across teams, divisions, departments, and geographies, and even across companies.
The three lines of defense model assumes that business units are identifying and managing the risks, that risk and compliance managers are ensuring that the business units have effective controls and risk management processes, and that internal auditors are providing an independent opinion to management and the board on the effectiveness of risk management and compliance activities. This model assumes specialization and segregation of each of the lines of defense, and increasing objectivity from the first line to the third.
This model leaves out the people closest to the risks. The person with the best knowledge of a risk is likely to be the person closest to the processes or the assets that create value for the organization. This might be a front-line employee, a business partner, or even a customer. It is rarely an auditor, a risk officer, or a business unit leader. Enabling those people at the front lines to recognize risks, and to manage and mitigate them, is critical to sustainable performance.
The three lines model is no doubt going to persist for a while, but already it is being disintermediated aggressively. Regulators are demanding more and more corporate data that enables them to independently evaluate risks and controls. SEC chairwoman Mary Jo White attributes the record number of enforcement actions in 2014 to the innovative use of advanced data analytics technology.
Social media has also served as a check on companies. As more corporate data is available to crowds of networked individuals, key influencers can mobilize a “social lobby” to respond to what they perceive as poor industry or corporate practices. Armed with social technologies, the people formerly known as the customers (or the voters, citizens or constituents) become the new regulators.
Companies can learn from these big data and social lobby developments. Crowdsourcing risk management can tap into the collective intelligence of customers, partners, employees, or experts. Data-driven monitoring of risks and controls with advanced analytics can enable quicker identification of potential risk events or control failures, and can surface risks that would otherwise fall between organizational and risk management silos.
Disintermediation is usually not complete. iTunes has not replaced recording companies, for instance, but it and other music industry cybermediaries have forced a huge shift in the recording industry's business models. We should expect cybermediaries to arise that offer GRC services and force a shift in the three lines of defense model; even more revolutionary, imagine GRC cybermediaries that compete with regulators and statutory auditors.