Your Risk and Control Framework as an Ecosystem: How to Keep Sustainable Compliance Alive (Part 2)

In the previous part, I compared the PDCA cycle to an ecosystem and further elaborated on the "Plan" step. In this second part, I continue with the steps Do and Check. Part 3 will conclude with the Act step and a summary.

Do: Execution by the Right Lines

The Three Lines Model determines who does what: the first line performs the controls, the second line monitors and advises, and the third line independently tests. It is crucial that everyone understands why they need to do something and that they have the necessary resources to perform their duties. Make it as specific as possible, for instance by implementing a control manual per owner.

  • What you need to do: a description of the control’s operation

  • Why you need to do it: a description of the associated risk

  • How you prove it: a concrete list of evidence requirements

  • Where you record it: a specification of the storage location

  • When: the frequency and specific dates

  • Who checks you: clearly defined second and third line functions, including, where possible, an expected schedule

  • What if you do not do it: the risk to the organisation and the need for reporting to management

The three lines work symbiotically within an integrated assurance framework and community: who checks what, when, and how do we utilise each other’s findings? This structure prevents the same controls and/or departments from being checked multiple times while other risk areas remain underexposed. Coordination often takes place periodically, for example in an ‘Assurance Community of Practice’. This group can collectively coordinate all assurance needs and requirements, both internally (such as internal audit agendas and compliance assessments) and externally (such as external audits, certifications, and clients’ ‘right to audit’).

Check: From "We Do It" to "We Prove It"

A control marked as "present" provides only limited insight. To fully validate its effectiveness, test on three levels:

  • Design (well designed?): For example, ask, "Does the access procedure cover all scenarios, including leavers and changes in function?"

  • Existence (is it executed?): For example, ask, "How many reviews were actually carried out in the last quarter compared to the plan?"

  • Operation (is it effective?): For example, ask, "How many redundant rights were removed during the last three reviews? If that number is zero, why?"

Too often, there is an overreliance on green checkmarks. A control that never identifies discrepancies is either perfect, or it is not performing its intended function, the latter being more common.

Monitoring is not solely about confirming that everything is running smoothly. It is primarily about identifying, in a timely manner, what is not working, or not working efficiently: the disturbances within your ecosystem. These could be controls that are not executed or prove ineffective, controls that are only reported as compliant during first-line monitoring, new risks that have not yet been covered, or interdependencies that no longer align.

Integrated assurance means assessing the ecosystem as a whole, not just in terms of planning, monitoring execution, and reporting, but also regarding interdependencies. The many-to-many structure introduced in Part 1 makes this possible: you can immediately see which laws, risks, controls and customers are affected if something goes wrong. Furthermore, the evidence gathered is then used multiple times, for auditors, supervisors, and clients alike.
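The three-level test and the many-to-many register can be made concrete in a few lines of code. The following is an added example, not code from the article or from any tool it describes; all control, law, risk and customer codes and the evidence records are constructed sample data. It answers the existence question (planned versus executed runs), the operation question (findings produced by the last three executed runs, with zero findings flagged for follow-up rather than accepted as green), and the impact question (which laws, risks and customers depend on a control, and which controls serve a given law, risk or customer).

```python
"""Three-level control check plus many-to-many impact lookup.

Added example, not from the article. Every identifier below (control, law,
risk and customer codes) and every evidence record is constructed sample data.
"""

# Many-to-many register: one control serves several laws, risks and customers,
# and one law, risk or customer can be served by several controls.
CONTROL_LINKS = {
    "CTL-ACCESS-REVIEW": {
        "laws": {"LAW-A", "LAW-B"}, "risks": {"RISK-1", "RISK-2"},
        "customers": {"CUST-X", "CUST-Y"},
    },
    "CTL-LEAVER-PROCESS": {
        "laws": {"LAW-A"}, "risks": {"RISK-1"}, "customers": {"CUST-X"},
    },
    "CTL-BACKUP-RESTORE": {
        "laws": {"LAW-C"}, "risks": {"RISK-3"}, "customers": {"CUST-Y"},
    },
}

# Constructed evidence: one record per planned execution. 'executed' feeds the
# existence level, 'rights_removed' feeds the operation level.
EVIDENCE = [
    {"control": "CTL-ACCESS-REVIEW", "period": "2024-Q1", "executed": True, "rights_removed": 4},
    {"control": "CTL-ACCESS-REVIEW", "period": "2024-Q2", "executed": True, "rights_removed": 0},
    {"control": "CTL-ACCESS-REVIEW", "period": "2024-Q3", "executed": False, "rights_removed": 0},
    {"control": "CTL-ACCESS-REVIEW", "period": "2024-Q4", "executed": True, "rights_removed": 2},
    {"control": "CTL-LEAVER-PROCESS", "period": "2024-Q1", "executed": True, "rights_removed": 0},
    {"control": "CTL-LEAVER-PROCESS", "period": "2024-Q2", "executed": True, "rights_removed": 0},
    {"control": "CTL-LEAVER-PROCESS", "period": "2024-Q3", "executed": True, "rights_removed": 0},
    {"control": "CTL-LEAVER-PROCESS", "period": "2024-Q4", "executed": True, "rights_removed": 0},
]


def existence(control, evidence):
    """Existence level: how many planned runs were actually executed?"""
    rows = [r for r in evidence if r["control"] == control]
    return {"planned": len(rows), "executed": sum(1 for r in rows if r["executed"])}


def operation(control, evidence, window=3):
    """Operation level: findings produced by the last `window` executed runs.

    Zero findings across the whole window is not treated as a green checkmark
    but marked suspicious, so a reviewer asks why the control never finds anything.
    """
    runs = [r for r in evidence if r["control"] == control and r["executed"]]
    recent = sorted(runs, key=lambda r: r["period"])[-window:]
    removed = sum(r["rights_removed"] for r in recent)
    return {"runs_considered": len(recent), "rights_removed": removed,
            "suspicious": len(recent) > 0 and removed == 0}


def assess(control, evidence=EVIDENCE):
    """Combine the existence and operation levels into one status."""
    ex = existence(control, evidence)
    op = operation(control, evidence)
    if ex["planned"] == 0:
        status = "no evidence"
    elif ex["executed"] < ex["planned"]:
        status = "not executed as planned"
    elif op["suspicious"]:
        status = "executed but no findings: investigate"
    else:
        status = "effective"
    return {"control": control, "existence": ex, "operation": op, "status": status}


def impacted_by(control, links=CONTROL_LINKS):
    """Forward lookup: which laws, risks and customers are hit if this control fails?"""
    return {kind: sorted(keys) for kind, keys in links[control].items()}


def controls_for(kind, key, links=CONTROL_LINKS):
    """Reverse lookup: which controls serve this law, risk or customer?"""
    return sorted(c for c, m in links.items() if key in m[kind])


if __name__ == "__main__":
    for ctl in CONTROL_LINKS:
        print(assess(ctl))
    print(impacted_by("CTL-ACCESS-REVIEW"))
    print(controls_for("risks", "RISK-1"))
```

Run as is, the access review is reported as "not executed as planned" (three of four runs), the leaver process as "executed but no findings: investigate" (four green runs that never removed a single right), and the backup control as "no evidence". The reverse lookup shows that RISK-1 depends on two controls, which is the information needed to decide whether the failing one leaves the risk uncovered.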

In the next blog, I will continue with the Act step and a summary.

Also read

  • Overview: Scattered compliance projects? Start with sustainable risk and compliance management

  • Previous blog: Your Risk and Control Framework as an Ecosystem: How to Keep Sustainable Compliance Alive (Part 1)
