by Chris Grundy, Director Product Marketing, SAP
Can you be sure that your company proactively and effectively manages risk while meeting an ever-growing number of technological challenges? During a recent SAP Game-Changers radiocast, panelists Ganesh Ram, lead of PricewaterhouseCoopers’ governance, risk, and compliance team; Kevin D. Heckel, director of the cyber risk services area at Deloitte & Touche LLP; and Jérôme Pugnet, senior director of product marketing for GRC solutions at SAP, discussed how technology can enhance the “three lines of defense” model.
Ram challenges companies to consider complex third-party relationships that keep your suppliers and consumers interconnected in a massive technology-driven ecosystem. He states that the three lines model helps ensure that a business can sustain all challenges it faces. So what do the lines look like?
- Operational management teams that run the business from the front lines
- Risk management and compliance functions to implement and monitor effective risk management practices and robust internal controls
- An internal audit or oversight function that ensures the management team is performing its job properly
These are supplemented by external auditors, who provide advisory support as experts with fresh eyes and no bias (sometimes described as “the fourth line of defense”).
According to Ram, most companies place too much importance on the first line and not enough on the second two. “It’s worth reflecting on whether your focus is on what really matters from a risk management perspective – and if investments in risk management and lines of defense give you the return that you plan for,” he posits.
Manage risk for the right reasons
Heckel muses on how risk has evolved from a necessary evil to a major business driver at the board level. However, he cautions, “It’s not a value. It’s a cost to the overall compliant agency. What are you doing and why are you doing it? Are you doing it for the right reasons?”
Pugnet explores these questions, citing social media as a prime reason for expanding a business’s outlook on what risk really means. A company’s reputation can suffer serious damage in just minutes if a negative post goes viral.
The challenge, according to Heckel, is to be resilient and respond quickly and appropriately to such situations. You want to do whatever it takes to keep customers or avoid ending up in the headlines for the wrong reasons.
Ram thinks it’s important to treat governance, risk, and compliance as a balancing act, and to use the three lines model as a strategic advantage instead of a crutch or a reason to avoid any risk at all.
Such balance is most critical when expanding your business, according to Pugnet. If you acquire a new company, you need to cover the requirements across the three lines of defense. This necessitates bringing this company into the overall compliance system – a challenging endeavor. You might find that existing systems are not scaling very well, which creates additional work without available resources. That’s when it’s important to turn to those second and third lines of defense – which can include technology that streamlines processes and catches oversights before they become massive issues.
Finally, the panelists agree that risk and control are often approached as separate silos with a significant amount of overlap. By working collaboratively across those lines of defense to reduce redundancy, you can cut your overall compliance cost. To learn more about the three lines of defense, listen to the full radiocast.