GRC • 3 min read

How the three lines of defence affect your GRC work


A common challenge with Governance, Risk, and Compliance (GRC) work is that it takes place in isolation: documentation is kept locally, which makes it inaccessible to the rest of the organisation and hampers collaboration between business areas. Sound familiar? In this blog post we clarify the three lines of defence and offer tips on how to coordinate your GRC efforts.

In organisations that have matured somewhat in their GRC work, you will often encounter the concept of the 'three lines of defence'. The concept is intended to define and clarify how responsibility for risk management, internal control, and GRC as a whole is distributed between different parts of the business.

The three lines of defence in summary:

  • The first line – line management and personnel, who carry out the day-to-day work of risk analysis, mitigation, follow-up, and so on.

  • The second line – supporting specialist functions, often centralised, that supply methodology and specialist competence to the first line; for example the Chief Risk Officer and corporate governance functions.

  • The third line – internal audit, performed in-house or by external providers, whose important function is to give independent feedback on whether first- and second-line processes work as intended or need adjustment.

Challenges with coordinating the three lines

  • Work happens in silos and is difficult to coordinate, because each function wants to work in its own way.
  • All functions need to work from the same data, but information is stored locally rather than being centrally visible.
  • There is no single workflow or process that all functions gather around.

Effects of a failed coordination

When the three lines of defence are poorly coordinated, the risk of silos increases. Every manager has to report to several parties, sometimes the same information in different formats, just to satisfy each silo's requirements.

Some of the resulting effects are:

  • More energy is spent on collecting information than on analysing and improving
  • Managers struggle to understand what is expected of them
  • Managers struggle to handle demands and requirements from multiple silos at once without duplicating work

Would you like to read more about how you can coordinate your GRC work and the three lines of defence? Take a look at our guide "Stratsys GRC model and the three lines of defence", available for download.
