Integrated Risk Management
Through the application of technology and automation, we'll help you manage your risks efficiently and effectively across the entire enterprise.
Identity and Access Management
We'll help you ensure everybody within your organisation has access to the right systems and data, for the right reasons, and at the right time.
Cyber & Application Security
Our experts will uncover security weaknesses within your security design and business-critical applications. Helping you protect your organisation from both internal and external threats.
About us
A group of passionate individuals with a shared purpose to help the world's leading companies embrace best practices for GRC and risk management.
Turnkey's strategic partner network consists of selected organisations that complement our capabilities.
Corporate Social ResponsibilityCSR
We are committed to being agents for change through our Climate Action Plan, championing diversity in our workplaces, and more.
Get in touch
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Webinars & eBooks
All of Turnkey's webinars, guides and other insights available in one place.
Read the latest insights from our experts on GRC and risk management, covering the latest industry topics.
Press Coverage
See all the publications where Turnkey, our experts and our successes have been noted.
Key events
See the key industry conferences on GRC, SAP security and risk management which we are attending.
Case Studies
Client satisfaction is of the utmost importance to us, and we strive to constantly deliver above expectations, going the extra mile at every opportunity.
We've put together a comprehensive list of frequently asked questions - along with our responses - to the most common GRC and SAP security issues.
16 June 2016

Are 3 Lines of Defence Enough? Introducing the 4th Line of Defence

Are_Three_Lines_of_Defence_Enough_Introducing_the_Fourth_Line_of_Defence.jpgWhen it comes to enterprise risk management, the phrase “three lines of defence” is often heard. I have been in many situations, where experienced practitioners have sagely nodded along yet, shortly thereafter, can be heard asking “what were they on about” in muted tones.

1st Line of Defence – The controls themselves. The purpose of controls is to prevent risks from becoming issues or incidents, thus become the first defence against the potential risk incident. If designed correctly, this is normally through business users performing their jobs diligently.

2nd Line of Defence – The management assertions and validation that the controls have been working throughout a pre-agreed/designated period of time. This is the first opportunity to critically assess whether the controls are fit for purpose and the first check that the people performing the control have done their jobs correctly. The general aim is to get management approvers to prove that the controls are effective in managing the risk. These people should have a vested interest in the control being performed properly to avoid risk in their area. However, these managers may well be influenced by office politics or external influences where they would rather report a clean bill of health to avoid airing their dirty laundry in public. This is where the 3rd line of defence is required.

3rd Line of Defence – This is where a truly independent review should be undertaken – normally some sort of Audit, either internal or external. Typically, this will include an element of control effectiveness testing both for the Design of the control (in theory, does it cover the risk) and Operation (does it actually work in reality). Depending on the criticality or importance of the risk being managed, this independent assurance may also include sample based testing and evidence of the control to categorically prove that it is working as designed.

The “3 lines of defence” is normally sufficient to prove that a company has control of its business operations but some companies are moving towards creating an additional layer:

4th Line of Defence – Predictive analysis to identify conditions and scenarios where risks are likely to occur. This can be based upon historical data or through theoretical modelling of scenarios helping to pinpoint areas of concern in business operations where risk incidents can be expected.