PatrickP

Blog Series: Building the First Line of Defense

Blog Post created by PatrickP Employee on Aug 3, 2015

In the first blog in this series, I used the analogy of a rocket lifting into space, with the countdown 3...2...1... equating to the Three Lines of Defense (LOD) model, and explained how whether an organization truly achieves “lift off,” or success, really comes down to the 1st LOD. In this blog, I’d like to focus on the 1st LOD and three ways to help them achieve lift off for your organization.

 

Walk in Someone Else’s Shoes

I’ve found that when I don’t understand someone else and may be at odds with them, I need to try to understand their perspective. When I do this I become more understanding, the other side often tries to do the same, we’re both better able to soften our positions and we typically start to get along better. We might even start to change some things we do for the better. Often, the three LODs, being separate groups just coming together, are so entrenched in their own individual objectives that they don’t understand what the other LODs do and why. Let me give you an example. Internal Audit is pretty good about understanding what a function does as they are auditing that function. They review the function’s processes and controls and then determine where to spend their time auditing. However, it rarely goes the other way. A completely worthwhile exercise is for each LOD to understand the others, because it promotes better understanding and more alignment, and will begin to effect change for the better.

 

No One Likes to Be Audited

There are not many things worse than hearing that your department is going to be audited. You begin to wonder if you’ve made mistakes that are going to be disclosed and if you’ll be in trouble, not to mention the time it’s going to take away from getting your work done. Audits are a necessary practice, but what most “auditees” don’t know is how to reduce the impact of audits. To my first point above, do business operations take the time to understand why Internal Audit decides to audit them and what they can do to reduce the impacts of an audit? I’m not talking about being sneaky to avoid an audit, but about understanding Internal Audit’s concerns and objectives and then making real changes to improve, not only to reduce the impacts of audits in the future but to actually strengthen controls and processes and reduce risk.

 

Replace Good with Better

Ever thought about how you could do your job better? What is the definition of “better”? I’ll bet if you were to ask your CEO, she or he would define “better” as owning and improving your job so the company can save money and drive growth. Ask the 2nd and 3rd LODs and they’ll say “better” means improving controls and reducing risks. However, who knows your business processes better than you business operations people, the 1st LOD? Yes, experts can recommend process changes and auditors can recommend controls, but you live the process day in and day out. Now, it’s tough to come up with new changes in a vacuum, meaning you have to look for ideas to improve, and that’s where walking in someone else’s shoes comes in handy. But the more you really look at making good processes and controls better, the smaller the impact of audits on your organization will be.

 

In closing, until the 1st LOD better understands the 2nd and 3rd LOD objectives around risk and control, and autonomously strengthens processes and controls to really get at the heart of mitigating risk, your organization will never achieve the real benefits and you’ll be frustrated at the unending parade of audits coming your way. Believe me, the auditors get tired of it too. Conversely, the more the 2nd and 3rd LODs understand the 1st LOD perspective, the smarter their approaches will be. As a result, all three LODs will work better together toward – 3…2…1… lift off!

 

Marshall Toburen is doing a great blog series that explains the Three Lines of Defense in It Takes a Village: The Three Lines of Defense Model.  Check that out to get a thorough understanding of the 3LoD model. Also check out my first blog in the series Blog Series: 3...2...1...Liftoff!

 

Contact me at Patrick.potter@rsa.com with feedback and follow me at @pnpotter1017.  Thanks for reading!
