Prior to the launch of every spaceship that lifts high above the earth is a countdown that ends with 3...2...1...lift off! This signals the final moments before the spaceship takes off to fulfill its mission. My blog is a play on the 3, 2, 1, liftoff analogy and how it relates to the "Three Lines of Defense" model.
Marshall Toburen is doing a great blog series that explains the Three Lines of Defense in It Takes a Village: The Three Lines of Defense Model. Check that out to get a thorough understanding of the 3LoD model. In short, each line of defense refers to a part of the governance, risk and compliance (GRC) structure. The 1st LoD are business process owners - operations, IT, Sales, etc. The 2nd LoD are Enterprise Risk Management (ERM) and Compliance groups, and the 3rd LoD is Internal Audit. Each has their role in the GRC structure to manage risks and controls and must work together.
Internal Audit was one of the original risk and control groups, with the charge to identify risks and evaluate controls. Then ERM came into vogue and many companies implemented ERM or Operational Risk Management (ORM) groups as well as separate Compliance organizations. This has taken some of the load off of Internal Audit, but there are still many challenges in aligning across all of these areas. Here's the crux of the matter. These groups have a role to play in the risk and compliance picture, but who is in the best position to do something about risks when they pop up? Who is in the best seat to make sure controls are functioning? It's the 1st LoD - the business processes themselves. However, while they're closest to these risks, risk management is not their primary focus, and their perception of how to manage and address these risks can be very different from that of the 2nd and 3rd LoD. Internal Audit, ORM and Compliance groups are struggling to implement programs and processes and just keep up with the velocity of new regulations and risks, so it's imperative that more be done by the 1st LoD.
Through this blog series I'll be discussing ways that realization, accountability and ownership over risks and controls can and should transition from the 3rd and 2nd LoDs to the 1st LoD, and why. More importantly, I'll talk about ways to do this that don't add to the heavy loads these 1st LoD functions already carry. In fact, I'm convinced that as we launch from 3..2..1, companies will lift off in their risk and compliance programs!
I'm presenting on this topic at the September 10th Phoenix, AZ Security and Audit Conference, so if you're in Phoenix - come and join me! Follow me @pnpotter1017 on Twitter and give me your ideas at firstname.lastname@example.org.