Problem solve Get help with specific problems with your technologies, process and projects.

Forrester's GRC framework: Using three lines of defense

Chris McClean of Forrester Research provides a GRC framework. It offers three lines of defense to boost participation rates and define clear roles.

To some extent, every member of an organization is responsible for governance, risk management and compliance (GRC),...

from top executives and the board to business process owners and frontline staff.

To achieve the broad participation necessary for success, enterprises need to set the expectation that employees of all levels play a vital role in GRC.

Across the globe, individuals who contribute in any way to the performance of a company must deal with operational challenges and regulatory requirements. The challenge comes when coordinating GRC efforts and communicating priorities to all branches of the company.

As we've seen in the recent case where JPMorgan Chase & Co. admitted at least a $2 billion trading loss, decisions a single user makes can drastically alter a firm's overall risk posture, especially when an organization's structure doesn't clarify who is accountable for making sure such decisions are in line with established policy.

When companies perceive GRC as one team's responsibility, it undermines the real value that a coordinated program can deliver; risk and compliance professionals can't possibly identify and measure all risks or enforce all policies across the organization. They need to rely on their colleagues for support, which means enterprises must lay out clear expectations for every user. Conversely, enterprises must explain the benefits users should expect based on their active involvement.

In this tip, we'll establish a GRC framework based on three lines of defense to encourage user participation throughout an enterprise, plus reinforce the importance of structure in an organization's GRC efforts.

Establish three lines of defense to manage GRC

To achieve the broad participation necessary for success, enterprises need to set the expectation that employees of all levels play a vital role in GRC. Forrester recommends establishing this mindset with a framework for GRC based on three lines of defense. This model, which is increasingly used as a starting point among enterprises and consulting firms, presents a high-level set of expectations that all employees in the organization will play a part in managing risk and meeting compliance obligations. Let's briefly explore each of the three key points.

  1. Set expectations for business operations and internal controls. The frontline business takes responsibility for adherence to compliance and risk management guidelines, policies and internal controls. This group encompasses the largest portion of an enterprise's workforce, so setting firm principles here has the potential to greatly improve an organization's risk posture.
  2. Establish risk, compliance, security and legal authority. The second line of defense is responsible for defining the policies, processes and procedures for GRC, while also monitoring for new risks and vulnerabilities that may arise. Additionally, this line must track the progress of and establish regular communications with upper management and the organization's board of directors to demonstrate that the GRC program continues to perform effectively and efficiently.
  3. Assign assurance duties to internal audit (IA). The third line of defense operates as an independent entity and provides assurance to the board that the first two lines are conducting, managing and overseeing GRC processes effectively. The audit entity may identify risks itself when the organization fails to properly implement necessary processes and controls.

Stakeholder contributions and expectations

An enterprise should take a comprehensive look at its organizational structure to determine what part each role plays in GRC, both as contributors and beneficiaries. As planning begins to determine what is needed from each stakeholder and how to convince them to participate, start by detailing what they have to offer and what they may gain from participating.

These stakeholder roles may not exactly align with an organization's structure. Some firms have chief compliance officers; others assign compliance responsibilities to their general counsel. Some GRC programs reach across many domains of risk and compliance, while others focus exclusively on IT risk and compliance. Regardless of an organization's GRC framework, this exercise should serve to document key stakeholders and establish how they will participate.

From the editors: More on security compliance

Learn how to move beyond the 'checkbox security' mentality.

Determine whether your organization needs GRC or compliance management software.

For each function and component of the GRC framework, specify who will be responsible, accountable, supportive, consulted and informed (RASCI).This may be a difficult and lengthy task, but it's the only way to properly establish expectations. Given the number of involved stakeholders and the long list of projects in a GRC program, the RASCI chart will become the authoritative guide for the scope and role of GRC within an organization.

Depending on an organization's jurisdiction, its RASCI chart might focus on specific domains such as IT, health and safety, projects, HR or finance, or it may encompass all domains as part of a full-fledged enterprise GRC program. Also, consider that there may be multiple assignments for all values in the RASCI chart except "accountable," meaning several individual roles may be "consulted" or "informed," but only one person should be ultimately "accountable” for a single function's success or failure.

By using Forrester's "three lines of defense" approach, enterprises can establish a GRC program that is not only thorough but also achieves a high rate of participation. To achieve success, every segment of an organization must be actively involved with managing risk and complying with regulations. Likewise, a RASCI chart is necessary to define the role that various aspects of an organization will play in GRC. Forrester's model lays the groundwork for a more successful GRC endeavor.

About the author:
Chris McClean is a principal analyst and research director at Forrester Research, serving security and risk professionals.

This was last published in October 2012

Dig Deeper on Risk assessments, metrics and frameworks