Are you involved in compliance management, process management, quality management, sustainability management, security management or data protection? Or perhaps you are responsible for one of the many other important management functions within your company?
Yes, as you can see, many different professionals come together in one company! And depending on the management function, you have valuable skills and subject-specific expertise. Despite different areas of responsibility and perspectives, however, you all pursue a common goal – the creation of an effective and efficient GRC system.
However, if you now have the feeling that you and other management functions are not pulling in the same direction, this could be due to the fact that the isolated systems approach is being pursued in your company. What this means exactly and how you can manage to create a common communication basis for efficient task fulfilment, you will find out in this blog post!
The Governance, Risk & Compliance (GRC) system of a company or organization indisputably represents an essential component of corporate governance. Various management functions such as risk management, compliance management, internal control system, security management, data protection or emergency and crisis management serve to protect the company from dangers and risks but also to identify opportunities in order to ensure the continued existence of the institution as a whole. In order for these tasks to be fulfilled efficiently and effectively, the technical and organizational design of these management functions plays a decisive role.
When setting up a GRC system, companies can basically pursue two strategies – the isolated systems approach, the so-called management islands, or the integrated approach.
In the case of the first, isolated approach, each GRC function defines a management system for itself, without considering dependencies with other GRC functions and the impact on the operational units. In comparison, it is often more promising to set up a GRC system integrated with the various management functions.
Comparison between an isolated and an integrated GRC system
This comparison makes it clear that following an integrated approach when setting up your company’s GRC system is the best choice. This approach requires greater coordination between the individual topics, however, the advantages of an integrated GRC system speak for themselves.
Check out our webinar on integrated management systems to learn more about how risk management, ICS and BPM benefit from one another.
The Three-Lines Model as the basis for your GRC system
The Three-Lines Model of the European Confederation of Institutes of Internal Auditing (ECIIA) and the Federation of European Risk Management Associations (FERMA) has proven its worth as a basis for setting up and operating a GRC system.
It is a simple but very effective approach to improve the interactions and communications of the different management functions and to describe and clarify essential roles and responsibilities.
The model divides an organization into 3 lines, the so-called three-lines, which define tasks for the following three groups:
- Functions that manage and own risks
- Functions that oversee risks
- Functions that provide independent advice and assurance
Integrated GRC system in the context of the 3 Lines Model
If we divide an organization into three levels, define the boundaries of each group of responsible persons and place their position in the overall risk and control structure, we can more easily ensure effective risk management and thus the success of GRC. The three-lines model thus offers a new perspective on the processes within a company, regardless of size or complexity, and helps to ensure the continued success of risk management initiatives. So let’s take a closer look at each of the three lines:
1st Line – Operational management
The so-called 1st line is characterised by operational management and represents the centre of the three-lines model. From the point of view of the organizational structure, this typically consists of the heads of department or division, who have the functional responsibility for all processes in this area. The tasks within the organizational unit are structured and defined via these processes. Process responsibility is accompanied in particular by responsibility for key figures, risks, controls and adherence to compliance requirements.
2nd Line – GRC functions or assurance services
The so-called “guardians of the systems” of the various disciplines are located on the 2nd line. They define the procedure and method to perform and fulfil the various tasks or duties within the respective function. These include functions such as:
- Process Management
- Risk Management
- Internal Control System
- Compliance Management
- Corporate Security Management
- Data Protection (DPR)
- Quality Management
- Environmental Protection
- Occupational Safety
3rd Line – Internal audit
The last of the three lines consists of the internal auditors, who take over the tasks of monitoring the GRC system and check it for effectiveness and efficiency. Discover more about the exact tasks internal audit deals with.
Use the full potential of an integrated GRC system
The Three Lines model is ideally suited for dividing up the individual topics and tasks of enterprise-wide risk management among the different levels of corporate management. Using this model purely to define the terms or determine the responsibilities would leave some unused potential on the side. The full benefit of this approach is realized once those responsible for the system along the 2nd Line recognize the potential of working together to resolve cross-cutting issues and give operational management the opportunity to complete the required tasks efficiently, comprehensively and on time.
Mapping the Three Lines also enables cross-line collaboration, especially between the 1st and 2nd Lines. In addition, the resulting integrated and centralized database spares the internal and external auditors time-consuming data collection. The immediately available, clear and historically traceable data reduces the effort required for data analysis. These aspects provide the audit department with additional resources that can be used for the development of improvement potentials as well as for consulting activities.
Would you like more detailed information on setting up an integrated GRC system with the Three-Lines model? You will find everything you need in our free webinar! With one click you will be forwarded directly.