JC's Column /

GRC: The “Three Lines of Defence” model only works on Trust

JC Gaillard's column on cybersecurity

A “people” perspective on GRC models

It is no big secret that the “Three Lines of Defence” model underpinning many GRC practices in large firms is poorly understood and poorly applied at grass-root levels.

Anecdotal evidence we observe in the field every day suggests that many organisations operate it in a variety of hybrid fashions – knowingly or unknowingly – and experience a range of dysfunctions that seriously limit the value the model is designed to bring.

These dysfunctions all revolve around the same problem in our experience: A form of defiance between the parties, which builds up over time and is rooted in inconsistencies, lack of clarity around reporting models, language issues, and a lack of over-arching investment coherence at Board level.

For example, it is not uncommon to find situations where 1st line controls are fundamentally weak or missing in some areas. This is something the 2nd line must identify and report on, but at the same time, the 2nd line cannot become prescriptive with regards to the implementation of the relevant 1st line controls (even if the actual nature of the 2nd line controls themselves may always influence the determination of the 1st line controls to be put in place). It is unavoidable, in those situations, that 1st line stakeholders may feel singled-out and exposed, in particular if (for example):

  • Those deficiencies are going to be reported in the simplistic format of a RAG report to a body of management where they are not represented
  • The topic at hand is genuinely complex, multi-dimensional and rooted in decades of adverse legacy (and may be impossible to explain in simple terms to senior executives coming from a totally different background)
  • The same issues were not identified in an earlier targeted audit performed by the 3rd line
  • Their management is clearly pushing them towards other priorities, sometimes coupled with aggressive cost reductions

It is easy to look at this list and think that most of it revolves around ordinary day-to-day political dysfunctions that are common to many large firms, and impossible to avoid to a large extent. After all, the “Three Lines of Defence” model is not designed to avoid those issues, but to highlight them so that they can be treated (maybe).

But it remains unavoidable that, over time, these dynamics create the conditions for distrust to build up at the interface between the lines of defence, in particular if personalities don’t match or where differences in personal backgrounds create language issues or other barriers.
Distrust breeds window-dressing, and in the long-run, could bring data quality or relevance issues that may seriously skew risk reporting and mislead investors or shareholders.

These situations are generally hard to unlock, with 2nd and 3rd line functions often entrenched in dogmatic separation of duties considerations. There are two lines of action to treat the problem:

Heads of Risk, Compliance or Internal Audit should ensure that counterparts across the lines come from a similar background and professional culture: For example, the 2nd or 3rd line staff should have faced the same day-to-day challenges as their 1st line counterparts at some point in their career, and should therefore relate to those more naturally and more practically. Using only life-long auditors or life-long consultants to staff those layers often creates the conditions highlighted above.

Where 1st line maturity is really low towards controls and 1st line stakeholders are genuinely struggling with the concepts involved, Heads of Risk, Compliance or Internal Audit should sponsor the set-up of a separate “Controls Architecture” function (independent from their respective teams) which would assist stakeholders in that respect.

Separation of duties is important, and often looked at dogmatically by regulators; but an overarching principle of efficiency has to prevail, in particular where senior management is genuinely driving a culture of change around controls. In an earlier post, we have highlighted how this principle of efficiency could be applied, for example where the Infosec function is structured within the portfolio of the CIO.

Hybrid models can work and bring value around GRC – more than watertight and dogmatic separated models – but as long as the dynamics of trust and efficiency are preserved.


JC Gaillard

Managing Director

Corix Partners

Find out more about how your business can truly protect its future from cyber threats by contacting Corix Partners.

Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Security Strategy, Organisation & Governance challenges.