Rethinking the Three Lines of Defence: Putting Customers at the Core of Compliance
By taking a customer-centric and product-led compliance approach, organizations can foster the right behaviours, streamline their control systems, and achieve a "get it right the first time" mentality in the first line of defence.
In the world of corporate governance and risk management, the three lines of defence model has long been hailed as a best practice framework. However, one critical aspect that often goes unnoticed is the identification of the true customers within each line of defence. By taking a customer-centric and product-led compliance approach, organizations can foster the right behaviours, streamline their control systems, and achieve a "get it right the first time" mentality in the first line of defence. Join me in this multi-part article, where we will explore this misconception, delve into the importance of understanding the real customers, and highlight the benefits of re-evaluating our approach to the three lines of defence.
The Three Lines of Defence: A Recap
Before diving into the misconceptions, let's revisit the three lines of defence model. The three lines of defence or 3LOD model was developed by the Institute of Internal Auditors (IIA) circa 2013. It has since become the most widely adopted framework for risk management and control in organizations around the world. The first line of defence comprises the operational management and staff directly involved in day-to-day activities. The second line consists of risk management and compliance functions, providing oversight and support. Finally, the third line represents independent assurance, often performed by internal or external audit.
Here is a picture of this model as it stands today, the de facto standard for the compliance community. This model gives a sense of order and structure, when in reality the lines tend to blur and converge in modern organizations, creating tensions that are not always productive, which we will discuss in a later post.

The Customer Conundrum
In the realm of compliance, it is essential to recognize that the true customers are not internal stakeholders or control functions, but the external customers who rely on the organization's products or services. This customer-centric viewpoint brings a fresh perspective to the three lines of defence model, enabling organizations to align their efforts and investments more effectively.
Reimagining the First Line of Defence
By focusing on the actual customers, organizations can empower the first line of defence to be proactive and quality-driven. Implementing a product-led compliance approach means embedding controls within the products and services themselves, ensuring that compliance requirements are met seamlessly. This approach fosters a mindset of getting controls "first time right" and reduces the need for extensive rework or corrective measures downstream.
Understanding the Second Line
In the traditional model, the second line of defence tends to be seen as the primary driver of risk management and compliance activities. However, by embracing a customer-centric approach, organizations can leverage the second line to provide guidance, support, and tools that enable the first line to deliver customer-focused compliance. This shift allows the second line to empower the first line rather than overshadow it, creating a more harmonized and effective control environment.
The Role of the Third Line
The third line of defence, typically internal or external audit, plays a crucial role in providing independent assurance to senior management and the board of directors. By recognizing the real customers as the ultimate recipients of the organization's products or services, the third line can focus on assessing the effectiveness of controls in meeting customer needs, providing valuable insights to enhance customer satisfaction and mitigate risks.
Benefits of a Customer-Centric Approach: "shift audit left"
I will take the liberty of coining the term "shift audit left": adopting a customer-centric and product-led compliance approach yields several benefits for organizations. Firstly, it creates a shared understanding of the importance of compliance throughout the organization, as all employees directly contribute to delivering compliant products and services. Secondly, it drives a culture of accountability and continuous improvement, as the first line takes ownership of controls from the outset. Lastly, it optimizes resource allocation, ensuring that investments in risk management and compliance are directed towards initiatives that directly impact customer satisfaction and organizational success.
Conclusion
Reevaluating the three lines of defence model through a customer-centric lens allows organizations to shift their focus from an inward view of compliance to one that aligns with customer needs and expectations. By empowering the first line of defence, organizations can achieve a "get it right the first time" approach, streamlining control systems and avoiding unnecessary costs. A customer-centric and product-led compliance strategy not only enhances customer satisfaction but also instills a culture of compliance throughout the organization, positioning it for long-term success in today's rapidly evolving business landscape.