As the C&E program field matures, various forms of “checking” become increasingly important to ensuring program efficacy. The “three lines of defense” is a commonly used construct for identifying who does such checking (although the construct is not limited to C&E).
The first line of defense is business people monitoring their own operations. This responsibility – which, in my view, is not mandated in organizations nearly as often as it should be – serves not only as a device for checking, but also as a way of educating the business people on key risks. (A practice pointer: companies should consider reinforcing monitoring responsibilities of this sort by mentioning them in the “Managers’ Duties” part of a code of conduct and perhaps including them – at least in a broad way – in managers’ performance evaluations.)
The second line of defense is non-independent staff (e.g., finance, HR, EH&S or the C&E function) engaging in monitoring. This form of checking is important because in almost any large organization, the audit team cannot, as a practical matter, cover all pertinent areas of risk and so needs checking help from other experts from within a company. Moreover, the lack of true independence in this sort of checking tends, in my experience, to be more a theoretical than actual concern.
The third line of defense is true independent auditing or assessment, which is often performed by a company’s internal auditors, but might also be performed by an external group – including accounting, law or consulting firms. Of course, this sort of checking tends to be the most impactful of the three types. But, as a matter of resources, there is only so much of it that any company can do. (Another practice pointer: among the areas to audit in this third line of defense is how well an organization is deploying the other two lines.)
In addition to the three lines of defense, it may also be useful to consider two C&E “fronts,” meaning fields of activity for which companies should consider deploying any or all of the lines of defense.
One of these two fronts is risk-area checking. To take a somewhat obvious example, using the risk area of corruption:
Using a somewhat less obvious example for this “front,” from the realm of competition law: business people monitor bidding activity in their unit; law (and possibly C&E) engages in similar monitoring, as well as checking competition law processes (e.g., those requiring approval before employees can engage in trade association activity); and, as with anti-corruption law, audit reviews the locations/business operations of highest risk for compliance with relevant processes and for potential violations.
The second of the two “fronts” concerns what might be called generic (i.e., not risk-area-specific) program processes. To take the example of C&E training: supervisors are responsible for checking that employees in their work units have taken required training (both in-person and computer-based); C&E reviews training records to see that the required training is being delivered as planned (and also, if the information has been gathered, how employees are reacting to it); and audit conducts training-related reviews (including perhaps interviewing some employees) to assess both the fact and the efficacy of training.
Of course, no company can fully deploy the three lines of defense with respect to all risk areas and all program processes. Indeed, no one could come close to doing this.
However, a well-designed risk assessment process will help inform this effort and guide an organization in how to use its limited checking resources in an effective manner. And a risk assessment that is not helpful in this regard should be closely reviewed with respect to fitness for purpose.
Jeffrey Kaplan, a partner in the Princeton, New Jersey office of Kaplan & Walker LLP, has practiced law in the compliance and ethics field since the early 1990s.
Mr. Kaplan is also former adjunct professor of business ethics at NYU’s Stern School of Business, co-editor (with Joseph Murphy) of Compliance Programs and the Corporate Sentencing Guidelines (West Thomson), former counsel to the Ethics and Compliance Officer Association and co-author of a study by the Conference Board on the use of compliance and ethics program criteria in government enforcement decisions.