The Model Office Blog

Governance, Risk and Compliance (GRC) and Technology’s Role in the ‘Three Lines of Defence’

Aug 12, 2021 9:30:40 AM / by Chris Davies

Let’s start with the top three challenges firms face when it comes to GRC management.

  1. It’s raining regulations
  2. ‘Swivel chair’ compliance can create disparate resources and dysfunction
  3. Without a cohesive, coordinated approach, systems and controls may not be deployed effectively

Many organisations employ the ‘three lines of defence’ model, which is designed to coordinate risk and control management across the business by mapping out responsibilities for management (first line), monitoring and oversight (second line) and independent assurance (third line).

The three lines of defence model


Even for organisations that have well-developed risk management practices, achieving integration, effective communication, data-sharing and analytics between the three lines can be challenging.

An EY report and survey for internal audit professionals found that leading organisations tend to follow a similar strategy for assessing and improving their internal systems and controls and ensuring the three lines of defence are working in harmony:

Three components of effective risk management

Level 1: Methods, Practices and Technology: The foundation of risk management is the methods, practices and technology used to support it. Technology enablement, control design and documentation, and reporting on control effectiveness are all at the heart of assessing, managing and reporting risk. Data analytics is very much an untapped resource for internal audit and compliance functions, something MO® offers in abundance.

Level 2: Resources: This includes technology, documents, people, management methods and third parties. MO® has structured all GRC responsibilities into 6 key resources that can be easily accessed, providing real-time data and MI.

Level 3: Governance: Ensuring the organisation has a robust oversight framework, strategy, system and control. MO® will ensure evidence-based practice and internal controls for boards, committees and internal/external auditors to ensure they know (not think) they comply.

Model Office and the Three Lines of Defence: 


Model Office-MO® ensures:

  • Three lines of GRC management are aligned and second/third lines reported
  • Real-time data analytics and management information for clear communications and management of all risks
  • Depending on your GRC defence model, MO® may be deployed across a single defence tier or multiple tiers; and, as MO® is SaaS and cloud based, the system can integrate with other GRC resources and technologies


When the three lines of defence work together, with the operational and risk management, compliance, and internal audit functions coordinating and sharing data, your organisation is better protected and prepared to meet its goals and improve performance.

Please click the icon link below to visit MO®'s platform and learn more about MO® today.


