I was recently informed by a respected colleague in a peer-to-peer discussion (see; they’re useful!) about a development of his in the Compliance arena.
About not having just one single Statement of Compliance that all too often wipes deficiencies under the rug for the sake of agreement everywhere. But having two, one on (first-lines’) management awareness of deficiencies as things to actively manage and actively discuss with second and third lines, and one on abstract, ‘anonymous’ no-blame control effectiveness.
So, when the Three Lines of Defense would actually work (yes I’ve ranted against that on this blog frequently as the simpleton approach inherently can’t work!), first-line management can provide their own list of control deficiencies, and the second and third lines can only confirm and not add much of at all. Then, the first line is in control (all is well and/or known-and-WIP), over their own stuff. Hence, awareness ✓ effectiveness X. When the first line doesn’t have much but the 2nd/3rd lines add quite some (other) things, awareness is X and effectiveness is undetermined. Only when the first line doesn’t have much and the second/third lines cannot add quite a few things, will awareness be ✓ and control effectiveness be ✓
Which sounds like a far better, and in practice far better palatable approach than just one messy jumble-together undetermined opinion. For which I leave you with:
[The bus buck stops here at this chaotic (?) shelter; Aachen. In Control statement: similar]