Monthly Archives: October 2014

Disintermediating the three lines of defense, and the regulators too

Source: University of North Carolina, Charlotte

The three lines of defense paradigm for audit, risk management, and compliance is so commonly accepted, so ingrained in the way that we think of GRC functions, that no one questions it.  Until now.  Last week at MetricStream’s London GRC summit, Paul Moore, former chief compliance officer and famed whistleblower at HBOS, said the three lines model doesn’t work.  That conclusion raises the question of what can replace it.

The three lines model assumes that risks will follow the same hierarchical, process-oriented structure that the organizational model follows.  But we all know the hierarchical org chart is not the real model for how value is created.  Value chains don't follow organizational hierarchies, nor are they confined to a single business entity, and neither are the risks associated with the processes, regulatory requirements, and assets incorporated within those value chains.  The real work is done across teams, divisions, departments, geographies, and even across companies.

The three lines of defense model assumes that business units are identifying and managing the risks, risk and compliance managers are ensuring that the business units have effective controls and risk management processes, and internal auditors are providing an independent opinion to management and the board on the effectiveness of risk management and compliance activities.  This model assumes specialization and segregation of each of the lines of defense, and increasing objectivity from the first to the third lines.

This model leaves out the people closest to the risks.  The person with the best knowledge of a risk should be the person closest to the processes or the assets that create value for the organization.  This might be a front line employee, a business partner, or even a customer.  It’s rarely an auditor, a risk officer, or a business unit leader.  Enabling those people at the front lines to recognize risks, and to manage and mitigate them is critical to sustainable performance.

The three lines model is no doubt going to persist for a while, but already it is being disintermediated aggressively.  Regulators are demanding more and more corporate data that enables them to independently evaluate risks and controls.  SEC chairwoman Mary Jo White attributes the record number of enforcement actions in 2014 to the innovative use of advanced data analytics technology.

Social media has also served as a check on companies.  As more corporate data is available to crowds of networked individuals, key influencers can mobilize a “social lobby” to respond to what they perceive as poor industry or corporate practices.  Armed with social technologies, the people formerly known as the customers (or the voters, citizens or constituents) become the new regulators.

Companies can learn from these big data and social lobby developments.  Crowd sourcing risk management can be used to tap into the collective intelligence of customers, partners, employees, or experts.  Data based risks and controls monitoring with advanced analytics can enable quicker identification of potential risk events or control failures, and discover risks that might fall between organizational and risk management silos.

Disintermediation is usually not complete.  iTunes has not replaced recording companies for instance, but it and other music industry cybermediaries have forced a huge shift in the recording industry’s business models.  We should expect cybermediaries to arise that offer GRC services that force a shift in the three lines of defense model;  even more revolutionary, imagine GRC cybermediaries that compete with regulators and statutory auditors.

Float the market for GRC

Float the Market

Quite a while back, I started setting the stage for a move from Gartner.  I had recognized through hard knocks that GRC in a big analyst firm would be just one of many “very important topics.”  Resources to meet client needs are necessarily split between scores of teams and hundreds of analysts, and no one topic area can possibly get the resources that its strongest proponents want.  Finally, one day in July after having had some vacation time to reflect, as much as it hurt to leave, I decided the time to move was now.  So now I’ve moved to MetricStream whose sole business is GRC.

I’m now in week 4 with MetricStream, and I’m beginning to get my thoughts in order on my role as Chief Evangelist.  Week 1 started in Palo Alto at MetricStream HQ.  I met everyone I could there, and I tried to learn what the expectations were that everyone had for this new role of Chief Evangelist.  Week 2 was spent at a customer site with our sales leaders, and I learned what it takes to go through a detailed proof of concept.  Week 3 was in London at our first ever European GRC Summit.  In a fireside chat on stage, it was my first opportunity to share some thoughts on where the market had been and where it’s going.

One question that came up in London was about the title of Chief Evangelist — why not Chief Strategy Officer or something along those lines.  I guess that would have been fine, but that would not capture a key element of the role.  The role goes beyond being a strategist for MetricStream, and extends to being an advocate for GRC overall.  This is a new market that has suddenly gotten a good deal of traction, and the message on GRC, and all the practical activities attached to that message, need to float the market.  That's the goal — for all of us who are in the GRC space — whether a compliance or risk management professional, or a software or services provider — to spread the word on generating real business value from GRC.