Technology Blogs by SAP
Former Member
The first time I heard of the Three Lines of Defense was at a Compliance Week conference in Washington DC around 2008. My reaction was negative. I didn’t like to think of GRC as a defensive thing. I thought GRC professionals could and should do more than adopt a defensive posture. I changed my mind.

Many of my colleagues in the GRC world still resist the notion. Others think more lines are necessary.

A Different View of Defense

I think that those who oppose the concept of Three Lines of Defense don’t understand the meaning of defense. Here is a quiz that I think helps me make my point.

Skill Testing Questions:

  1. What is the name of the government department commonly assigned responsibility for overseeing the country’s military?

  2. Do faster cars need bigger brakes?

  3. In the US National Football League, is the role of defensive players generally considered passive?

Answers:

  1. Generally speaking, governments assign oversight of their armies, navies, and air forces to a department of defense (or defence, as the case may be).

  2. Racing cars generally have larger, more powerful brakes than a typical family sedan.

  3. Defensive players in the NFL are among the highest paid players in the league, and they are not paid to be nice.


Defense Does Not Mean Passive

The Three Lines of Defense concept that I support is devoted to the relentless pursuit of business objectives and supports the achievement of those objectives.

My image of the Three Lines of Defense is not a wall protecting a castle. It’s an army of determined business managers, risk and compliance executives, and assurance professionals in pursuit of the strategies and objectives set by the Board.

I believe it is what the OCEG organization calls principled performance.

Internal control frameworks are inherently defensive. Risk management frameworks that focus on preventing risks are inherently defensive. Both have become ends in themselves and aren’t linked to the business and its success.

Let’s stop the professional navel-gazing. Let’s use our skills as GRC professionals, along with technology, to drive business value.

This is my definition of defense and my view of the purpose of the Three Lines of Defense.

What’s your definition? What do you think the role should be?