Three lines of defense is a widely adopted model used by many organizations as a foundation for an effective risk management program.

The framework is designed to coordinate risk and control management across the business enterprise by mapping out responsibilities for day-to-day management (first line), monitoring and oversight (second line), and independent assurance (third line).

In an Ernst & Young (EY) report businesses that adopted the three lines framework integrating enterprise risk management and controls with internal audit were shown to improve governance that led to increased organizational agility, efficiency, and effectiveness.

Formulating and embedding a governance structure using well-defined and coordinated integrated risk and control framework is the foundation of a strong integrated risk management program. Clearly defined ownership and accountability for risk management and internal control activities are imperative in order to enable effective coordination, communication and reporting.

It has further been shown that, even for businesses that have well-developed risk management practices, achieving integration which includes effective communication, data-sharing, and analytics between the three lines of defence risk management model can often pose challenges.

The EY survey also found that good proactive businesses follow the same, three- lines approach when assessing and improving the internal controls.

The survey discussed 3 elements of Effective Risk Management

The report focused on how maximizing the three lines of defense model led to increased communication and coordination between the business units involved in Governance, Risk and Compliance (GRC), helping the enterprise to improve performance and meet its strategic goals.

Three following three levels identified in the report improved assessments and helped businesses with their risk maturity journey.

Level 1: Process and Technology

Processes and technology used by businesses are the cornerstone that helps drive its strategy and risk management program.

Components to be considered here would include technology enablement, control design and documentation, control testing and analytics on control effectiveness.

The EY report expressly identified the use of technology and data analytics as two of the primary enhancement opportunities that businesses should focus on for improving internal controls.

“Robust implementation of [GRC tools] and their inclusion in the risk and control frameworks reduce reliance on manual procedures and therefore reduce risk of control failures.”

The survey found that data analytics especially was an “untapped resource” in many internal audit and compliance functions used by only a fraction (15%) of businesses to support the execution of their internal controls program.

Levels 2 and 3: Governance and Resources

Once effective management processes and the right technology and tools are in place, businesses can then review their governance and resources.

Factors included here would be, clearly defined roles and responsibilities, third party or vendor oversight and clear definition of the internal controls timeline.

Risk and Controls Management Program

Maturing your risk and controls management program is based on the maturity enablement and assessment model, where the maturity levels range from basic (1) to leading (5). A leading organization with a 5 rating would have the following characteristics:

  • A formal well documented program that was consistent across the enterprise
  • The program is well integrated which avoids duplication and data degradation
  • They regularly review and improve the program to learn from previous lessons
  • They have an integrated risk management program that is aligned and coordinated across the organization

Key Takeaway

There is no silver bullet when considering maturity, however, integration underpinned by technology is a key enabler for moving toward more effective, strategic risk and controls management. Organizations where the three lines of defense work together (operational and risk management, compliance, and internal audit functions coordinating and sharing data) are more prepared to meet challenges, goals, improve performance and better protected.

Integrated GRC solutions and services help set the framework for an effective enterprise risk management program.

Almost 90% of businesses that impellent enterprise risk management solutions have seen benefits that have met or exceeded expectations proving that investment in GRC solution and services is worthwhile.

In addition to the obvious benefits of reducing data duplication and degradation, and significantly improving efficiency, integrated risk management also has the following advantages:

  • Reduced cost of governance, risk and compliance processes
  • Increased oversight and improved insight using reports and analytics on GRC information
  • Reduced gaps and monitored tasks to ensure gaps or findings were closed or tracked
  • Integrating risk and compliance functions to reduce the operational impact across the enterprise and breaking down silos.

If your organization is considering implementing integrated solution to help manage governance, risk, and compliance (GRC), we invite you to explore the Maclear GRC Suite by visiting Our comprehensive range of solutions are designed using best practices with built-in integration to reduce risk, improve performance, and enable strategic decision-making.

To learn more, request a demo, discuss a free trial proof of value or simply start a conversation drop an email to

Share This Blog