1+1=3 – With the "Three Lines of Defence" towards an integrated GRC

The Three Lines of Defence – An Introduction

The governance, risk & compliance (GRC) system of an organization undoubtedly plays an integral part in its corporate governance. Different management disciplines such as risk management, compliance management, internal control system, security management, data protection or emergency and crisis management, all serve to protect the company from various threats and risks, as well as ensure the organizations continued existence.


For that reason, both the technical and the organizational design of these disciplines play a crucial role, in terms of how effectively and efficiently different company and management tasks are being executed.


With that said, we can identify two distinctive strategies for establishing and setting up a GRC system. The first one entails an isolated yet systematic approach, involving more separation between the different management principles, thus creating the so-called management islands, or management silos. The second one, revolves around a more integrated approach, which creates synergies between the individual disciplines and brings them close together through a common approach.


Therefore, in the isolated approach, each GRC discipline defines a management system of its own, without considering dependencies on other disciplines, or the impact on any operational units. And the more promising integrated alternative, builds a GRC system from a holistic perspective, maintaining a better coordination between the different management principles.


Let's have a look at the comparison:


Isolated approach

Integrated approach

  • No consensus on method
  • Use of different systems / In-homogeneous data structure or database
  • Operational units confronted with a variety of different requests / inconsistency of exchanged information
  • Inefficient task fulfillment
  • Historical or cross-sectional considerations hardly possible
  • GRC functions work "hand in hand" and speak the same language
  • Uniform IT system / Common database
  • Consistent information / Reusable data throughout the entire organization
  • Efficient task fulfillment / Reduction of operational efforts
  • Historical and cross-sectional views possible




A Brief Introduction into the Three Lines of Defence

The Three Lines of Defence model is a recognized method for breaking down and explaining the various responsible people involved and their specific concerns and issues around corporate risk management. It divides an organization along three lines, namely Operational Management, GRC Functions and Internal Audits, which together provide an ideal organizational and operation model to ensure success in GRC.






Operational Management as the 1st Line of Defence

Operational management is at the very core of the 1st Line of Defence. From an organizational structure perspective, this line typically consists of department heads or managers who own one or several processes in the organization. The processes they own have an operation scope that expands to not only the outputs of the process, but also to the key process figures, operational risks, controls and adherence to compliance requirements. This scope of process definition and responsibility is what turns these managers into a key first line of defence.

GRC Functions or Assurance Services as the 2nd Line of Defence

The 2nd Line of Defence is where we find the so-called 'Guardians of the System'. This refers to the stakeholders from the various specialized disciplines who provide expertise and utilize methods to ensure that the responsibilities of their disciplines are properly executed.

The disciplines include:

  • Process Management
  • Risk Management
  • Internal Control System
  • Compliance Management
  • Corporate Security Management
  • Data Protection (GDPR)
  • Quality Management
  • Environmental Protection
  • Occupational Safety

Internal Audit as the 3rd Line of Defence

Internal and external audits represent the 3rd Line of Defence. This is the group of people that supervise and monitor the other two lines to determine the effectiveness and efficiency of the GRC, or the governance system as a whole.

3 Important Tasks Your GRC Functions Need to Fulfill


Defining the GRC Function's Governance Structure

Defining a governance structure entails specifying which tasks need to performed by each of the involved stakeholders to be able to establish a system for them. Each system has to have a certain set of specifications defined with regards to roles, methods used, tool support, knowledge management, maturity measurement, support of operational units, etc. These specifications are then typically stored in manuals or guidelines which are used as instructions for operational management.


In the context of an integrated GRC approach, this area of activity is of particular importance, since coordination on key issues (role definition, methods, tools, etc.) takes place across functions.


GRC Function's Strategic Management

Strategic management of a GRC function entails defining a data structure, where operational units can place and organize the results of their tasks. Examples of this include a high-level process model, the definition of risk categories and control groups. Based on this, it is possible to plan the implementation of tasks in all relevant organizational units, including resource planning for the GRC functions and operational units.


Apart from task planning and implementation, strategic management of a GRC function also focuses on monitoring of task progress and escalation handling.


Tasks of Operational Management

Operational management plays a particularly important role within the Three Lines of Defence model. It is essential that all tasks performed by a GRC function are executed conscientiously and on time, while day-to-day business is carried out in parallel. Considering the complexity of these activities, this can turn into a juggling act, as balance between various tasks must always be found and maintained.


Therefore, it is all the more important for GRC functions to align as closely as possible to the 2nd Line of Defence, to enable the operational area to perform its tasks efficiently. In any case, overlapping and redundant data collection should be avoided at all costs as to not waste unnecessary resources at the operational level.


From a general point of view, operational management is responsible for performing numerous tasks for a GRC function. And for that reason, the primary objective should be to perform the same tasks for different systems only once.



How to Fully Benefit from an Integrated GRC System

So far, the Three Lines of Defence model has proven valuable, in terms of clarifying essential roles and duties, and helping assure the success of risk management initiatives across the different levels of corporate governance. But if used mainly in a supporting capacity, this approach can result in unused potential being left behind.


So how do you make sure to take full advantage of an integrated GRC system? To gain the full benefits of this approach, the three lines, although separate, should not operate in isolation, but rather have an effective, collaborative relationship instead.


The model allows for cross-line collaboration, which is especially important between the 1st and the 2nd Line of Defence. Having the system responsibles in the 2nd Line of Defence recognize the potential behind cooperation, makes them equally consider cross-cutting issues and provide operational managers with the right conditions to complete their tasks efficiently, effectively and on time.


By breaking down the barriers between the lines, we allow for effective information-sharing and creation of an integrated, centralized database that helps connect the dots and eliminate data redundancies. This eliminates the need for tedious data collection by internal and external auditors, and leaves the revision department with additional free resources, which can be allocated for identifying improvement potentials and for consulting activities.


In summary, the success factors of an integrated GRC, based on the Three Lines of Defence model are:

  • Cooperation of management principles along the 2nd line of Defence, in the course of defining a governance structure
    and in the area of strategic management
  • Definition of a common method and use of a uniform technology
  • Having a common language for the same topics within the organization


For a more in-depth look at the Three Lines of Defence model, BOC Group has over a decade of experience in consulting and introducing an integrated GRC system. We offer not only the expert advice needed to succeed, but also comprehensive tool support and training for successful implementation and continued operation. If you are looking to tackle the transition in the direction of a process-oriented, integrated GRC system please reach out for more information!


Contact us

For a more detailed discussion on:

  • the integration of GRC functions in your company,
  • the possibilities of ADONIS NP and the GRC suite to implement a process-oriented and integrated GRC system
  • the implementation of a GRC assessment to determine your location and roadmap development



Contact Us



Enrique Lobo Cruz

P +353-1-871 94 16
F +353-1-871 94 17
E info@boc-ie.com