Strategy consulting
Your strategy to realise best-practice digitally empowered internal control functions.
Without the right technology, you will not be able to realise best-practice internal control functions, and the cost of control will increase year after year. However, without the right strategy (S), structure (S), processes (P) and people (P), your technology (T) will never add the desired benefits, if any. To realise best-practice internal control, you need a comprehensive strategy and a clear digital roadmap.
When would be a good moment to (re)define your (digital) internal control? At least before:
Individual Lines become silos and collaborate insufficiently.
New risk areas and regulations become hard to manage or comply with.
You decide to buy controls, GRC or audit technology.
A decision is made between an integrated GRC solution and integrating point-to-point solutions.
You add AI, RPA, analytics or other digital solutions to your environment.
You decide to outsource (parts of) your internal control functions.
It is already too late: you experience fraud, oversight bodies start issuing fines, and your external accountant becomes the dominant driver for improvement.

Strategy support at three levels
We provide workshops, coaching or sparring partner sessions for (supervisory) boards, management and all key internal control leaders – as a group, individually, one-off or as a program.

A methodology with concrete templates
A templated and proven approach using the Three Lines Model, SSPPT with technology/digital as the driving force, plateau thinking, maturity modelling and horizon planning.

Risk & Compliance maturity improvement
How the 2nd Line can grow in maturity:
- Informal and reactive.
- Defined, but siloed.
- Actively integrated.
- Real-time, strategic, digital-enabled partner.

Audit driving best practice internal control
How Internal audit can grow in maturity:
- Audit as controls specialist.
- Collaboration.
- Audit as independent assurance provider.
- Conveying trust.
Strategy support at three levels
Let us help you align your governance actors, create a clear context for them to collaborate in, maximise your support, and always have the right decision-making capacity. We help organisations with strategic support on three levels:
Supervisory bodies - Helping supervisory bodies understand the strategic elements of internal control (SSPPT) and how they can be empowered by digital solutions. We create insights into new risk areas and best practices, and help to define and strengthen their governance roles & responsibilities. We help them improve supervision over control functions, risk management, compliance and audit, maximising the value these functions add to the organisation and limiting the risk of weaknesses in internal control functions.
Board and management - Helping management define their (digital) internal control vision and ambition, translate it into the right governance structures, align assurance functions, and drive improvements via concrete action plans.
All Lines functions - Helping all internal control functions individually to define and adopt digitally empowered best practices; from first Line controls execution and second Line risk & compliance to third Line audit.
We provide one-off group training & coaching, tailored individual sessions, and also more continuous reflection & sparring. Our programmes help internal control leaders towards a clear mission statement, a strong vision and a concrete, board-enabled roadmap to drive governance with technology and new digital solutions.
A methodology with concrete templates
Good governance and internal control refers to all actions and procedures that ensure an organization functions efficiently and with integrity. It revolves around clear and transparent decision-making, taking responsibility for the (consequences of the) operations, implementing adequate control measures, and being accountable. Good governance protects the interests of all stakeholders, such as shareholders, employees, and society at large. The key questions are: how do you know if “good” is truly good enough, and how do you achieve this?
To establish good governance, where internal control creates the conditions for ultimately achieving business objectives, it is crucial for management to thoroughly understand the following key factors, which we address during our strategic sessions and briefly define below:
Context is key for proper internal control setup.
Three Lines model.
Maturity levels of internal control.
Development through maturity plateaus.
Context is key for proper internal control setup
The appropriate level of internal control is determined by the context in which the organization operates. In other words, the context defines whether good governance is good enough. Without a proper understanding of this context, it becomes difficult to implement effective and cost-efficient internal control. The context is shaped by:
- External factors in the organization’s environment. Think about the industry, and the level of regulations.
- Internal factors specific to the organization. Think about the size and complexity of the organization and the management philosophy towards risks.
There is no universal best practice for internal control, but rather one best practice per context as we will touch upon in our strategic sessions.
Three Lines model
The Three Lines Model from the Institute of Internal Auditors is a structured model for implementing internal control. This model identifies five actors who must collaborate effectively and in a balanced manner within a defined structure. The five actors are:
- First line with business, finance, and IT
- Second line with risk management and compliance
- Third line with internal audit
- The governing body, including management, supervisory board, and committees
- The external auditor
The model suggests that there is a single best practice for good governance, but we will show that an effective implementation is context-dependent. In companies we often see a rigid application of the model, which leads to siloing. We also see imbalanced implementation, where one department is strong and others are weak. During our meetings with you, we will provide examples and show how to deal with them. We also compare the Three Lines Model with GRC (Governance, Risk, and Compliance), for which it is often mistaken.
The Three Lines model of the IIA

The BR1GHT internal control maturity model

Maturity levels of internal control
Good governance in our opinion is derived from context and can be broadly categorized into four levels, where the aforementioned actors in the Three Lines Model collaborate:
- Informal and risk-driven. The focus is on initially organizing good governance and adequately responding to risks and events.
- Standardized and focused on control measures. The emphasis is on proactively preventing negative events.
- Managed with compliance as the driver. The focus is on accountability regarding internal control.
- Optimized with the goal of building trust. The organization views internal control as a means to achieve its strategy, where trust from shareholders, customers, partners, and society at large is decisive.
We will characterise these four levels of maturity during our sessions so that you can easily assess which level your organisation is at and gain insight into the next level you might want to reach.
Improvement in plateaus
Organizations evolve, and the context may change; external regulations may come into play, or companies may be listed on the stock exchange or delisted. As a result, organizations will move between maturity levels of internal control. Each phase of internal control should be viewed as a maturity plateau, where it is essential to have five elements of internal control working effectively together, before moving to a next level. The model that defines these five elements is called the SSPPT-model, and it consists of the following elements:
- Strategy
- Structure
- Processes
- People
- Technology
In our strategy sessions, we will define the above five elements and provide examples of why it is important to have all five working effectively together.
BR1GHT thinking in maturity plateaus

Risk & compliance (2nd Line) maturity improvement
Risk Management and Compliance, in their protective and guiding roles, are essential to building a resilient, ethical, and well-governed organization. At early maturity, these functions tend to be informal and reactive, focused on issue resolution with limited structure.
As they develop, risk and compliance become defined but often remain siloed, with fragmented processes and limited business integration. With further maturity, these functions are actively integrated, working closely with the first line to embed controls, risk thinking, and compliance into business processes. At the most advanced level, the second line operates as a real-time, strategic, and digital-enabled partner, using data, automation, and analytics to anticipate risks and guide decisions at the speed of change.
As organizations face increasing digital complexity and external expectations—from regulators, investors, and society—Risk and Compliance must also evolve. Their role becomes more dynamic, collaborative, and value-adding, helping the organization navigate uncertainty with confidence.
But how do you get there? Read on below to see how Risk Management and Compliance can define their strategy and desired operating model and grow through the maturity levels.
Informal and reactive risk & compliance
The context defined
The governance environment can be described as informal, with a focus on organising governance and initiating risk treatment. This is not a desirable situation, but can be found in the following cases:
- In sectors where few risks are present and compliance plays little to no role – creative institutions or architectural firms.
- In start-ups or organisations that have undergone significant changes (e.g., mergers or new ownership). These organisations need to (re)structure themselves.
- In small or medium-sized organisations that have never dealt with control issues (such as process errors or fraud) or are unaware of them. These organisations have never truly felt the need for a higher level of internal control.
- In companies where management lacks knowledge of internal control and, as a result, does not see its importance, lacks ambition, or the decisiveness to progress to maturity Level II.
Characteristics
- There is limited knowledge of internal control and, consequently, a low level of intrinsic ambition. Internal control is often viewed as unnecessary and as a cost burden.
- There is no formal risk or compliance structure.
- Risk & Compliance are reactive or driven by incidents. In some cases, an incident has triggered a sense of urgency as the organisation no longer wants to keep reacting and seeks to implement preventive measures.
- There is no or very little policy or procedure documentation, (awareness) training, or formal processes.
- Often, one or more specialists in internal, financial, or operational control are brought in to analyse the situation and provide recommendations for improvement.
- No risk or control ownership is taken by the first line, so the above-mentioned specialists usually remain involved to implement the improvement measures: the 2nd line becomes the driver of risk & control management.
The role of the 2nd line
At this foundational level, risk and compliance management are in their infancy. The organisation operates primarily in a reactive mode, addressing issues as they arise rather than proactively identifying and managing them. There is little to no structure in place to systematically handle risks or ensure compliance with laws and regulations, so risk & compliance management becomes driven by the 2nd line.
- The primary role of the 2nd line in this infancy stage is to begin creating awareness across the organisation. This includes educating key stakeholders about:
- The types of risks the organization faces (strategic, operational, legal, reputational, etc.).
- The importance of compliance with applicable laws, industry standards, and internal expectations.
- The potential consequences of unmanaged risk (e.g., financial loss, regulatory penalties, reputational damage).
- While largely reactive, this stage involves capturing and analyzing incidents, control failures, or compliance breaches when they occur. These events serve as valuable learning opportunities and can highlight systemic weaknesses.
- In many cases, risk and compliance efforts are driven by external demands—such as regulators, auditors, or clients. The organization begins to understand that meeting these requirements is not optional and starts building minimal capability to address them.
- The role of risk and compliance at this level is not to build complex systems, but to lay the groundwork for structured governance. This includes:
- Advocating for leadership buy-in.
- Establishing minimal policies and internal controls.
- Identifying and logging key risks.
- Promoting awareness of regulatory obligations.
- Preparing the organization to take its first steps toward a defined and repeatable risk and compliance approach (Level 2).
- All of the above activities are often initiated as a project. As the organisation matures, risk management responsibilities will gradually be embedded into the second line.
How BR1GHT can support
- Co-developing a strategic vision, roadmap, and programme with all key stakeholders.
- Co-developing a basic risk & compliance register, and facilitating risk identification and prioritisation for key business areas.
- Helping you understand which laws and standards apply to your sector/organisation, and providing initial gap assessments against applicable regulations.
- Providing risk & compliance professionals who conduct initial assessments and translate their recommendations into tangible improvement/control programmes. This gives you access to extensive experience and professionals who understand the context and can effectively foster engagement.
- Supporting the hiring of the right risk or compliance lead to continue the positive trajectory into the future.
- Coaching the risk & compliance lead and assisting in their role — either as a one-time engagement or as part of a longer-term strategic collaboration.
- Coaching and training first-line staff and management (and where relevant, the supervisory board). Our specialised programmes are tailored to your current organisational culture and are designed to enable you to take the next steps independently, while also formulating a mission, vision, and ambition for the years ahead. Our coaching focuses on knowledge transfer and empowering management and key stakeholders.
- Recruiting other key professionals, such as auditors. Our extensive network is at your disposal to find the right person who fits your corporate culture.
- Steering the improvement programme — either actively through a dedicated project leader or passively in a sparring partner role — to ensure the defined ambition is achieved and the programme stays on course.
- Helping organisations visualise risk thinking. We deliver solutions that make this visible and thus accelerate the process.
- Co-sourcing the risk management function from scratch, supporting management directly in building internal capability.
Risk & compliance defined, but siloed
The context defined
Organisations at this level have begun to formalise compliance and risk activities. The governance environment can be described as standardised. Processes are repeatable but often still siloed. Basic controls and policies are in place, yet risk and compliance are typically managed on a case-by-case basis. In some cases, the first line has started developing and executing basic control measures. This is considered the minimum level of internal control. The organisation has evolved from an initially reactive approach to risk management toward a more proactive, risk-based mindset focused on implementing preventive measures.
This level of internal control can be found in:
- Unregulated companies without a high-risk profile – simple local trading and manufacturing organisations, consultancy firms, etc.
- Mid-sized organisations under pressure to be financially and operationally predictable – driven internally (e.g., from an international holding company) or externally (due to supply chain requirements).
- Organisations where quality is a key factor in maintaining competitive advantage (often driven by customer requirements) – the service sector, such as telecommunications & media, universities, universities of applied sciences, food and hospitals.
- Organisations subject to mandatory audits or inspections by external (oversight) parties, where the organisation can no longer rely solely on regularly planned audits and needs to be able to prove that it is proactive and continuously in control.
Characteristics
- Strong need for good governance with a defined risk profile, and a solid system of internal controls.
- Basic governance structure with clear roles and responsibilities for leadership and oversight, as well as policies, guidelines, and procedures.
- Oversight is present – via a holding or an active supervisory board. Risk or Audit committees are still relatively uncommon.
- A good level of specialists – risk managers, internal controllers, (quality) auditors, compliance officers and security officers – organised across the first, second, and third lines.
- Mitigation of risks and audit findings is often still reactive.
- Risk and compliance processes are documented and followed in specific departments or business units, but often lack coordination across the enterprise. There is little integration between risk and compliance, and these functions may still operate independently.
- The second line identifies controls to be carried out by the first line. These controls are formally designed and seen as the baseline controls, typically based on objective best practice frameworks such as COSO, COBIT, or ISO standards.
- Ownership in the first line is often still limited. Executing control measures is sometimes perceived as “additional work,” carried out with some resistance or delegated to an internal control function.
- Where law & regulation or guidelines apply a compliance officer is appointed.
- The external auditor is the party that tests the operational effectiveness of controls. The auditor is the organisation’s “control conscience,” and their findings are used as a checklist to achieve adequate control.
- A third line or internal audit function is only present to a limited extent. If an internal auditor is appointed, their core responsibility typically lies in stimulating collaboration.
The role of the 2nd line
At this level, the organization begins to recognize the importance of structured risk and compliance management. While still largely compliance-driven and operationally focused, there is a noticeable shift from reactive firefighting to basic process definition, role clarity, and policy development. The organization is laying the foundation for a more integrated and proactive approach in the future.
- Risk and compliance professionals introduce standardized processes for identifying, assessing, and addressing risks. They ensure that policies are not only documented but also communicated and followed. This supports consistency in decision-making and operations across departments.
- While still in the early stages, one of the key roles of risk & compliance is to raise awareness and embed risk thinking into day-to-day operations. This includes:
- Promoting policy adherence.
- Delivering basic training.
- Encouraging incident reporting and open communication
- The organization begins to conduct structured risk assessments—usually at the business unit or process level. Risk registers may be introduced, with risks rated by impact and likelihood. While these assessments are not yet integrated into strategic planning, they begin to inform operational decision-making.
- Risk and compliance play a critical role in preparing for external audits, regulatory reviews, and certifications. Their work ensures the organization has a documented trail of controls and procedures to demonstrate due diligence and control effectiveness.
- Most risk & compliance activity at this stage is driven by external requirements, such as industry regulations, contractual obligations, or audit recommendations. The focus is on “ticking the box” rather than using risk as a tool to support business performance.
- However, during this stage, compliance management becomes more than a checklist: it evolves into an active effort to monitor adherence to rules and track non-conformities, leading to defined corrective actions and follow-ups.
- The organization begins to define governance roles—often appointing compliance officers, risk coordinators, or internal control specialists. These roles may not yet sit at the strategic table but start to build awareness across functions.
- Foundational governance, risk & compliance policies (e.g., anti-fraud, privacy, code of conduct) are developed and disseminated.
- Key internal controls are documented and communicated, particularly in high-risk areas such as finance, HR, and IT.
- The risk & compliance function takes on a more advisory role and begins developing a Risk/Compliance charter, a Risk & Compliance plan, and test programmes.
- Risk assessments and compliance checks may occur annually or in response to audits. However, the process is often manual, spreadsheet-driven, and lacking consistency.
- The role of risk and compliance at this stage is to solidify foundations and prepare for integration into business decision-making. Priorities include:
- Strengthening the risk register and beginning to link it with business objectives.
- Enhancing the consistency of control documentation and monitoring.
- Standardizing compliance reporting and introducing periodic reviews.
- Gaining leadership support to elevate risk and compliance into governance and performance discussions.
- Exploring automation tools and platforms to reduce manual workload and improve insight quality.
- Technology can accelerate the achievement of this maturity level, enhance collaboration between the lines, and make the risk management process more efficient.
How BR1GHT can support
We support organisations in the following ways:
- Supporting boards and management in assessing and strengthening their ambition and vision for internal control. We translate this into effective programmes to enhance governance and internal control. We offer this support in the role of consultant, coach, or trainer.
- Delivering improvement programmes by providing key roles, ranging from project leaders to experts offering support in specific areas of expertise.
- Assisting with the selection of the right technology (for governance, risk management, and internal audit), and ensuring effective and efficient implementation based on our extensive knowledge and experience.
- Providing content in the form of frameworks and best practices, and guiding organisations in setting these up effectively – optionally integrated into our technology.
- Assessing key functions such as risk management, compliance, and audit. We offer concrete recommendations and help establish the necessary preconditions, from drafting charters, processes, policies, and procedures to creating manuals.
- Delivering training and coaching programmes for every actor in the Three Lines Model. This can be a one-time engagement or an ongoing service through annual support contracts.
- Assisting SAP-based organisations in reviewing license structures, authorisations, and security settings, and supporting their proper configuration. We can also structurally co-source these services.
- Providing co-sourcing for controls testing, where we develop robust test plans, define appropriate test procedures, and ensure that testing activities are auditable (for third parties, including external auditors), optionally supported by our technology.
Risk & compliance actively integrated
The context defined
At Level 3, the organization experiences a significant transformation: risk and compliance evolve from being reactive and operational to becoming integrated, systematic, and value-adding functions. This is a pivotal phase where governance structures mature, accountability is formalized, and risk-informed decision-making becomes part of the business fabric.
The governance environment can be described as managed, with a focus on providing assurance that all controls are working (have worked over a certain period), i.e. operating effectiveness. This assurance can be provided (on specific areas) by third parties in the form of assurance statements, or by the organisation itself (internally, and to third parties via voluntary oversight).
The organisation no longer sees risk and compliance as box-ticking or audit-driven activities. Instead, they are recognised as essential enablers of strategic objectives, business continuity, and organisational resilience. This level of internal control is typically found in:
- Commonly seen across entire organisations in regulated sectors such as the financial industry (e.g., Basel III), pharmaceuticals (FDA/EMA), utilities providers, and telecom.
- Organisations where specific parts of operations are regulated – multiple tax jurisdictions, construction companies (EHS), financial start-ups (AML/PSD3), international trading companies (export controls involving restricted countries).
- In specialised domains, such as technologically advanced organisations where security incidents can cause significant disruption.
- Listed companies, where the control environment as a whole is subject to external audits/inspections (e.g., financial reporting requirements under SOx).
- IT service providers, where part of the client’s control execution is outsourced.
Characteristics
- Risk and compliance processes are no longer isolated within departments. They are embedded across the enterprise, with coordinated frameworks, shared methodologies, and common taxonomies.
- The organization has formal governance structures such as risk and compliance committees, clear lines of accountability, and reporting to senior leadership or the board. Roles like Chief Risk Officer (CRO) or Chief Compliance Officer (CCO) are typically established.
- Internal control is essential because the license to operate — and therefore business continuity — is at risk. This need is deeply embedded in the culture of checks and balances throughout all layers of the (partially) regulated organisation.
- Decisions at all levels—from operations to strategic planning—are increasingly guided by structured risk assessments, scenario analyses, and key risk indicators (KRIs). Risk appetite is defined and used as a reference in business decisions.
- Risk and compliance performance is measured regularly through dashboards, internal audits, and assurance activities. Issues are logged, tracked, and remediated with oversight.
- Organizations begin deploying GRC tools, compliance monitoring platforms, and risk analytics to support decision-making, automate routine controls, and visualize data.
- Monitoring and (centralised) reporting through combined assurance are vital for effective oversight.
- The Three Lines Model is normatively implemented (sometimes as a mandatory regulatory requirement). Each line has clearly defined charters, effectiveness is monitored via KPIs, and there is a high degree of collaboration between the lines.
- Emphasis is placed on testing operational effectiveness of controls by the business itself. In some cases, the business is supported by an internal control function.
- In large international organisations, functional silos may develop within compliance areas, sometimes supported by their own specific technologies.
- Parts of operations are frequently assessed by third parties (such as external auditors) and issued with formal assurance reports. Examples include ISAE 3402 for IT service provider control frameworks, COS 3000, or SOC 1, 2, or 3 reports.
- More mature organisations strive for transparency with regulators, reporting on the functioning of control measures and proactively sharing all findings, issues, and mitigating actions.
- The same level of transparency is often extended to partners or customers (from the perspective of an IT service provider) when there is a shared interest in joint value creation. As transparency increases, the need for costly external assurance reports may diminish.
The role of the 2nd line
At this maturity level, the role of risk and compliance shifts toward strategic enablement, operational alignment, and continuous improvement:
- Risk and compliance leaders are now embedded in business planning cycles, change initiatives, and investment decisions. They help anticipate future risks, evaluate the risk-return balance of new ventures, and ensure controls are proportionate to objectives.
- The focus turns to driving process consistency, control effectiveness, and efficiency. Risk and compliance teams help streamline business processes by identifying control redundancies or inefficiencies and using technology and data to optimize compliance efforts.
- Rather than simply reacting to incidents, the organization builds the capacity to predict and mitigate emerging risks. It uses scenario planning, trend monitoring, and horizon scanning. Cyber risk, ESG risk, and third-party risk become key areas of attention.
- The risk and compliance culture becomes more visible. Managers at all levels are aware of their responsibilities and take ownership of compliance within their teams. There is an emphasis on ethical behavior, transparency, and proactive issue escalation.
- The Three Lines Model is actively practised. Risk and compliance functions work closely with internal audit to validate control effectiveness and provide a cohesive picture to leadership.
- To move toward the highest maturity level, organizations must:
- Deepen integration of risk with strategic planning and performance management.
- Automate key control monitoring and risk reporting.
- Use real-time data and predictive analytics to anticipate and act on risk early.
- Strengthen the use of insights from internal audit, compliance testing, and external intelligence.
- Foster a learning culture where risks and failures drive innovation and resilience.
How BR1GHT can support
- Supporting boards and management in assessing and improving their ambition and vision for internal control. We translate this into concrete programmes that enhance governance and internal control. We provide this support as consultants, coaches, or trainers.
- Filling key roles in improvement programmes — from project leaders to specialists with specific domain expertise.
- Enhancing technology for governance, risk management, and internal audit — including analytics, solution integration, controls automation, and AI.
- Providing operational consulting to second-line functions. We assess these functions, advise on more effective design, and help implement improvements.
- Co-sourcing all lines, creating an immediate quality boost while also controlling costs.
- Co-sourcing specific second-line themes, such as DORA, SIRA, or AML/CFT.
- Delivering training and coaching programmes for every actor within the Three Lines Model. These can be one-off or ongoing via annual service contracts.
- Supporting SAP-based organisations in evaluating and improving license structures, authorisation mechanisms, and security. We can also co-source these activities on a structural basis.
- Supporting internal audit with pre-assessment services — from (initial) assessments to (compliance) readiness improvement (using our own or best practice maturity models).
- Co-sourcing the risk/compliance function as a whole.
- Co-sourcing specific elements of risk & compliance, such as operational support to ensure AML/KYC or targeted support in areas such as IT and operational risk management.
The 2nd line as a real-time, strategic, tech-enabled partner
The context defined
At Maturity Level 4, risk and compliance management are no longer treated as supporting functions—they are fully integrated into the organization’s DNA. The governance environment can be described as optimised, with a focus on conveying trust to specific stakeholders and/or society as a whole. This is a state where governance is not only efficient but strategically enabling. The organization manages uncertainty and complexity with confidence, using insight, foresight, and ethical leadership as competitive advantages.
Here, the approach to risk and compliance is dynamic, data-driven, and continuous. It enables innovation, guides investment, and shapes long-term strategy. This is not compliance for compliance’s sake, nor risk avoidance out of fear—it is risk intelligence, embedded deeply in decision-making.
Factors contributing to this context include:
- The general typology of the organisation.
- The company’s specific risk profile.
- The number of years the organisation has been active and stable.
- The quality of management and the presence of key actors, including their insights and expertise.
- The ambition and decisiveness of the leadership.
Characteristics
- This organization anticipates change, rather than reacts to it. Whether it’s a shift in regulations, a geopolitical event, or a cyber threat, the organization already has the models, data, and controls in place to detect, assess, and respond in real time.
- Risk and compliance are monitored continuously using automated systems. Tools like Continuous Control Monitoring (CCM), real-time dashboards, and predictive analytics provide executives with live insights. These systems detect anomalies, trigger alerts, and even self-correct certain issues—long before human intervention is required.
- Instead of waiting for annual audits or quarterly reports, decision-makers can access live risk indicators, control statuses, and compliance metrics on demand. These insights are not just backward-looking—they are forward-focused, allowing the organization to see around corners and act ahead of crises.
- Core business processes involve minimal human intervention and are highly automated – platforms, content providers, banks, etc.
- Culture is at the heart of this maturity level. Risk awareness is woven into every layer of the organization, from front-line teams to board members. Employees don’t see compliance as a burden—they see it as part of how they do their jobs well. Managers routinely factor risk and control considerations into operational and strategic planning.
- The organization promotes a speak-up culture and psychological safety, encouraging transparency, accountability, and ethical behavior. It has a clearly defined risk appetite, which is embedded into performance goals and reward systems. Decision-makers are empowered to take risks—but within a well-understood framework of boundaries and responsibilities.
- Transparency and trust are the norm for adding value – for organisations under public scrutiny (due to activism or public pressure), or for those functioning as partners in a technologically integrated value chain (e.g., Bol.com and all its suppliers and partners).
- At this level, risk and compliance do not merely support strategy—they help shape it. Executives rely on these functions to:
  - Evaluate the risk-reward balance of new ventures or product launches.
  - Inform ESG and sustainability efforts.
  - Manage reputational risk and brand trust.
  - Navigate complex, multi-jurisdictional regulatory environments with agility.
- These functions are also instrumental in business resilience and continuity planning. They help the organization prepare for uncertainty—be it economic volatility, climate impact, cybersecurity threats, or supply chain disruptions—so it can respond quickly and recover stronger.
- Governance is integrated with that of partners. Interdependencies are made explicit and translated into shared responsibilities, control measures, and information needs – for example with IT service providers.
- All governing bodies require unified insights into the quality of the internal control system. These insights are provided via dashboards with drill-down capabilities.
- (Integrated) dashboards are shared with partners (or co-developed and co-managed), where the organisation has reversed the reporting flow to on-demand insight — meaning the partner accesses data whenever they wish, instead of waiting for periodic reports.
- To build trust, transparency is essential. And to be fully transparent, control measures must function continuously. Any issue can create uncertainty. The nature of controls shifts towards fully automated, repressive (impact-limiting) measures, including automated remediation.
- Technology plays a central role at this stage. The organization leverages:
  - Automated compliance workflows.
  - Real-time dashboards and AI-driven analytics.
  - Advanced data governance platforms.
  - Third-party risk management tools.
  - Integrated GRC systems that connect across business units, functions, and geographies.
These tools free up human capacity, enhance accuracy, and allow the organization to focus on value-added analysis and continuous improvement.
The role of the 2nd line
At Maturity Level 4, the organization operates as a highly mature, resilient, and risk-intelligent enterprise. In this environment, the Second Line of Defense—which includes risk management, compliance, internal control, and related functions—evolves far beyond a monitoring or advisory role. It becomes a strategic partner, a real-time enabler of business decision-making, and a central actor in driving performance, integrity, and long-term value creation.
- The second line at this level functions within a fully integrated governance ecosystem. It works closely with the first line (business units and operations) and the third line (internal audit), supported by technology, real-time data, and a culture of ownership and accountability.
- Rather than acting as a bottleneck, the second line enables speed with control. It provides guardrails—not roadblocks—so that the organization can move fast without losing sight of regulatory, reputational, and ethical boundaries.
- The second line advises on risk, compliance, and control at the earliest stages of decision-making—during strategic planning, innovation, investments, and transformation.
- It brings forward-looking insights to executive discussions, helping leadership evaluate risks associated with new markets, ESG goals, M&A activities, digitalization, and more.
- This advisory role is data-driven, leveraging predictive analytics, AI tools, and risk simulations to enable better choices—not just safer ones.
- The second line maintains and continuously improves the enterprise-wide frameworks for risk management, compliance, internal control, policy governance, and ethics and integrity programs. These frameworks are no longer static documents. They are digitally enabled, automated where possible, and integrated into operational systems so that compliance and risk responses are part of the daily workflow.
- Leveraging automated controls, real-time dashboards, and exception alerts, the second line tracks key indicators across the enterprise.
- It moves from periodic reviews to continuous monitoring, enabling early detection of control breaches, emerging risks, or shifts in risk profiles.
- Controls are designed to be adaptive, adjusting in response to dynamic business and risk environments.
- The second line facilitates a risk-aware culture by empowering the first line with tools, training, and support.
- It provides clear guidance without taking away ownership. In this model, business leaders understand that they are responsible for managing their own risks—with the second line acting as an enabler, coach, and quality assurer.
- Compliance is no longer something imposed—it is something internalized.
- One of the most critical functions is consolidating risk intelligence across silos into a coherent enterprise view. The second line synthesizes input from operational units, external sources, internal audit findings, and analytics platforms to present actionable insights to the board, audit committee, and regulators.
- Reporting is strategic, transparent, and continuous, shifting the dialogue from “What went wrong?” to “Where are we exposed?” and “How can we stay ahead?”
- The second line acts as a bridge between the board and the business, coordinating among functions such as legal, finance, IT security, procurement, and operations to ensure alignment with risk and compliance expectations.
- It supports the board’s oversight role with scenario modeling, control assurance, and dynamic risk updates—enabling faster, more confident responses to emerging challenges.
How BR1GHT can support
In addition to our services at maturity level III, BR1GHT offers support in the following areas:
- Sparring sessions with boards and management to help shape and strengthen internal control. We translate improvement opportunities into innovation-driven programmes with a strong focus on continuous improvement. We act as consultants, coaches, or trainers.
- Reinforcing continuous improvement by providing experts in specific areas such as continuous controls monitoring, dashboarding, and business intelligence.
- Enhancing technology through continuous controls monitoring platforms as joint innovation projects.
- Providing training and coaching programmes for all actors in the Three Lines Model. These can be delivered as one-time engagements or as part of an annual service contract.
- Supporting internal audit in developing sufficient IT knowledge and experience, and redefining its priorities and focus areas.
- You focus on conveying trust, while we co-source your operational activities to realise the ambition of being proven and transparently in control.
Audit driving best practice internal control

Internal Audit, in its natural advisory role, is often the driving force behind improvements in an organization’s internal control environment. As the first and second lines of defense mature, Internal Audit is increasingly able to fulfill its role as an independent assurance provider to management and the (supervisory) board.
With the continued digitalization of organizations, Internal Audit must also evolve. Digital transformation requires auditors to develop new capabilities and work more closely with the business. To effectively audit and provide assurance over digital change, Internal Audit must be present where the change happens, with control and security integrated by design.
At the same time, increasing external pressures — from regulators, stakeholders, and society — elevate the importance of Internal Audit as a trusted voice. The ability to convey trust and ensure transparency becomes a critical contribution to the organization’s reputation and resilience.
But how do you get there? Below is a framework for how Internal Audit can define its strategy and target operating model, grounded in four evolving roles as described in the following sections:
- Audit as controls specialist
- Audit as collaborator
- Audit as independent assurance provider
- Audit conveying trust
Audit as controls specialist
The context defined
- In sectors where few risks are present and compliance plays little to no role – e.g., creative institutions or architectural firms.
- In start-ups or organisations that have undergone significant changes (e.g., mergers or new ownership). These organisations need to (re)structure themselves.
- In small or medium-sized organisations that have never dealt with control issues (such as process errors or fraud) or are unaware of them. These organisations have never truly felt the need for a higher level of internal control.
- In companies where management lacks knowledge of internal control and, as a result, does not see its importance, lacks ambition, or lacks the decisiveness to progress to Level II.
Characteristics
- There is limited knowledge of internal control and, consequently, a low level of intrinsic ambition. Internal control is often viewed as unnecessary and as a cost burden.
- Sometimes, an incident has triggered a sense of urgency; the organisation no longer wants to keep reacting and seeks to implement preventive measures.
- Often, one or more specialists in internal, financial, or operational control are brought in to analyse the situation and provide recommendations for improvement.
- These specialists usually remain involved to implement the improvements: the auditor becomes the organisation’s born controls specialist.
The role of the auditor
- The auditor’s initial focus as a controls specialist is to interpret the context in which internal control must be developed.
- The next step is to create awareness around internal control responsibilities, clarify roles and tasks of relevant functions, and identify roles that can strengthen control, such as a risk manager or IT security specialist. These roles must be positioned appropriately within the governance structure.
- The core of a successful approach lies in addressing and improving the culture around internal control and the knowledge of key stakeholders. This is achieved through awareness training, coaching, and supporting the implementation of control measures.
- The auditor supports the execution of risk management and the definition of the first control measures.
- The auditor must possess strong communication skills to foster engagement from all stakeholders. They should also have a hands-on mentality to identify risks and define initial effective control measures.
- At this stage, the auditor is still often seen as the organisation’s “controls conscience”. It is essential to be persistent in assigning responsibility to the first line. Clear processes for managing risks and functional collaboration are either not present or still very limited.
- The auditor’s success can be measured by the degree of resistance or support from first-line staff and the extent to which investments are made in specialist roles such as risk managers or compliance officers.
- All of the above activities are often initiated as a project. As the organisation matures, risk management responsibilities will gradually be embedded into the second line.
How BR1GHT can support
- Co-developing a strategic vision, roadmap, and programme with all key stakeholders (board, supervisory bodies, and managers) to establish sound governance.
- Providing auditors who conduct initial assessments and translate their recommendations into tangible improvement programmes. This gives you access to extensive experience and an auditor who understands the context and can effectively foster engagement.
- Supporting the hiring of the right auditor to continue the positive trajectory into the future.
- Coaching the auditor (controls specialist) and assisting in their role — either as a one-time engagement or as part of a longer-term strategic collaboration.
- Coaching and training first-line staff and management (and where relevant, the supervisory board). Our specialised programmes are tailored to your current organisational culture and are designed to enable you to take the next steps independently, while also formulating a mission, vision, and ambition for the years ahead. Our coaching focuses on knowledge transfer and empowering management and key stakeholders.
- Recruiting other key professionals, such as risk managers. Our extensive network is at your disposal to find the right person who fits your corporate culture.
- Steering the improvement programme — either actively through a dedicated project leader or passively in a sparring partner role — to ensure the defined ambition is achieved and the programme stays on course.
- Helping organisations visualise risk thinking. We deliver solutions that make this visible and thus accelerate the process.
- Co-sourcing the risk management function from scratch, supporting management directly in building internal capability.
Audit as collaborator
The context defined
This level of internal control can be found in:
- Unregulated companies without a high-risk profile – simple local trading and manufacturing organisations, consultancy firms, etc.
- Mid-sized organisations under pressure to be financially and operationally predictable – internal (e.g., from an international holding company) or external (due to supply chain requirements).
- Organisations where quality is a key factor in maintaining competitive advantage (often driven by customer requirements) – service sector such as telecommunications & media, universities, universities of applied sciences, and hospitals.
- Organisations subject to mandatory audits, where the auditor can no longer rely solely on a substantive audit approach and instead relies on control activities performed by the organisation itself.
Characteristics
- Strong need for good governance with a defined risk profile, and a solid system of internal controls.
- Basic governance structure with roles and responsibilities for leadership and oversight, as well as policies, guidelines, and procedures.
- Oversight is present – via a holding or an active supervisory board. Risk or audit committees are still relatively uncommon.
- Good level of specialists – risk managers, internal controllers, (quality) auditors, and security officers – organised across the first, second, and third lines.
- The second line identifies controls to be carried out by the first line. These controls are formally designed and seen as the baseline controls, typically based on objective best practice frameworks such as COSO, COBIT, or ISO standards.
- Ownership in the first line is often limited. Executing control measures is sometimes perceived as “additional work,” carried out with some resistance or delegated to an internal control function.
- Where laws, regulations, or guidelines apply, a compliance officer is appointed.
- The external auditor is the party that tests the operational effectiveness of controls. The auditor is the organisation’s “control conscience,” and their findings are used as a checklist to achieve adequate control.
- A third line or internal audit function is present only to a limited extent. If an internal auditor is appointed, their core responsibility typically lies in stimulating collaboration.
The role of the auditor
- The auditor focuses on the quality of the control measures. They aim to take a step back from defining controls themselves by promoting the involvement and structure of risk management and possibly compliance (the second line).
- In some cases, there is a need to strengthen the second line with pure specialists, for example in the area of cybersecurity.
- The auditor is deployed by management as a broad expert in special situations, such as fraud investigations or the assessment of major investments.
- The auditor’s work increasingly shifts toward clarifying responsibilities within the Three Lines Model (of Defense) and operationally facilitating collaboration among the various actors. In doing so, the auditor plays an important advisory role to management.
- Much attention is given to more strategic collaboration between management and the supervisory board, with a focus on defining the right mandates. For this body, the auditor is the primary provider of insights regarding the maturity and quality of internal control.
- The auditor will take on a more evaluative role and begin developing an audit charter, audit plan, and work programmes. Depending on the size and risk profile of the organisation, an independent internal audit function may be established and auditors appointed.
- Technology can accelerate the achievement of this maturity level, enhance collaboration between the lines, and make the risk management process more efficient.
How BR1GHT can support
- Boards and management in assessing and strengthening their ambition and vision for internal control. We translate this into effective programmes to enhance governance and internal control. We offer this support in the role of consultant, coach, or trainer.
- Delivering improvement programmes by providing key roles, ranging from project leaders to experts offering support in specific areas of expertise.
- Assisting with the selection of the right technology (for governance, risk management, and internal audit), and ensuring effective and efficient implementation based on our extensive knowledge and experience.
- Providing content in the form of frameworks and best practices, and guiding organisations in setting these up effectively – optionally integrated into our technology.
- Assessing key functions such as risk management, compliance, and audit. We offer concrete recommendations and help establish the necessary preconditions, from drafting charters, processes, policies, and procedures to creating manuals.
- Delivering training and coaching programmes for every actor in the Three Lines Model. This can be a one-time engagement or an ongoing service through annual support contracts.
- Assisting SAP-based organisations in reviewing license structures, authorisations, and security settings, and supporting their proper configuration. We can also structurally co-source these services.
- Providing co-sourcing for controls testing, where we develop robust test plans, define appropriate test procedures, and ensure that testing activities are auditable (for third parties, including external auditors), optionally supported by our technology.
Audit as independent assurance provider
The context defined
- Commonly seen across entire organisations in regulated sectors such as the financial industry (e.g., Basel III), pharmaceuticals (FDA/EMA), energy providers, and telecom.
- Organisations where specific parts of operations are regulated – multiple tax jurisdictions, construction companies (safety), financial start-ups (AML/PSD3), international trading companies (export controls involving restricted countries).
- In specialised domains, such as technologically advanced organisations where security incidents can cause significant disruption.
- Listed companies, where the control environment as a whole is subject to external audits (e.g., financial reporting requirements under SOx).
- IT service providers, where part of the client’s control execution is outsourced.
Characteristics
- Internal control is essential because the license to operate — and therefore business continuity — is at risk. This need is deeply embedded in the culture of checks and balances throughout all layers of the (partially) regulated organisation.
- Monitoring and (centralised) reporting through combined assurance are vital for effective oversight.
- The Three Lines Model is normatively implemented (sometimes as a mandatory regulatory requirement). Each line has clearly defined charters, effectiveness is monitored via KPIs, and there is a high degree of collaboration between the lines.
- Emphasis is placed on testing operational effectiveness of controls by the business itself. In some cases, the business is supported by an internal control function.
- Technology plays a critical role. Integrated GRC solutions are often used, with the aim of automating as many control measures as possible to increase effectiveness (fewer human errors) and reduce costs.
- In large international organisations, functional silos may develop within compliance areas, sometimes supported by their own specific technologies.
- Parts of operations are frequently assessed by third parties (such as external auditors) and issued with formal assurance reports. Examples include ISAE 3402 for IT service provider control frameworks, COS 3000, or SOC 1, 2, or 3 reports.
- More mature organisations strive for transparency with regulators, reporting on the functioning of control measures and proactively sharing all findings, issues, and mitigating actions.
- The same level of transparency is often extended to partners or customers (from the perspective of an IT service provider) when there is a shared interest in joint value creation. As transparency increases, the need for costly external assurance reports may diminish.
The role of the auditor
- Internal audit is characterised as a professional function staffed by certified professionals (RA, RE, RO, CIA), ideally certified by the IIA. Regular quality assessments are conducted and continuous improvement actions are part of the operating model.
- The audit activities are focused solely on delivering independent assurance over the most risk-sensitive areas, where the first line has indicated that controls are operating effectively.
- Internal audit specialists often play a crucial role in special situations and incidents, such as (management) fraud, reported misconduct, or during investment reviews and mergers & acquisitions.
- The audit function aims to deliver combined assurance, incorporating assurance gained from other investigations in its reporting to management and the board. Internal audit also monitors the resolution of issues and incidents.
- Internal audit seeks to be sufficiently flexible to address specific requests from the business and places strong emphasis on emerging risk areas and ongoing changes (e.g., projects and transformation programmes), thereby adding significant value.
- Internal audit plays a role in supporting the external financial audit. This is always the case in SOx or integrated audits, where control activities themselves are subject to audit.
- Large internal audit functions often leverage dedicated technologies that support complex audits, including advanced tools such as data analytics and artificial intelligence.
How BR1GHT can support
We support in the following ways:
- Boards and management in assessing and improving their ambition and vision for internal control. We translate this into concrete programmes that enhance governance and internal control. We provide this support as consultants, coaches, or trainers.
- Filling key roles in improvement programmes — from project leaders to specialists with specific domain expertise.
- Enhancing technology for governance, risk management, and internal audit — including analytics, solution integration, controls automation, and AI.
- Providing operational consulting to second-line functions. We assess these functions, advise on more effective design, and help implement improvements.
- Co-sourcing all lines, creating an immediate quality boost while also controlling costs.
- Co-sourcing specific second-line themes, such as DORA, SIRA, or AML/CFT.
- Delivering training and coaching programmes for every actor within the Three Lines Model. These can be one-off or ongoing via annual service contracts.
- Supporting SAP-based organisations in evaluating and improving license structures, authorisation mechanisms, and security. We can also co-source these activities on a structural basis.
- Supporting internal audit with pre-certification services — from (initial) assessments to readiness improvement (using our own or IIA maturity models).
- Co-sourcing the internal audit function as a whole.
- Co-sourcing specific elements of internal audit, such as operational support to ensure compliant documentation and ISQM, or targeted support in areas such as IT and operational auditing.
Audit conveying trust
The context defined
Factors contributing to this context include:
- The general typology of the organisation.
- The company’s specific risk profile.
- The number of years the organisation has been active and stable.
- The quality of management and the presence of key actors, including their insights and expertise.
- The ambition and decisiveness of the leadership.
Characteristics
This level is defined by:
- Core business processes involve minimal human intervention and are highly automated – platforms, content providers, banks, etc.
- Transparency and trust are the norm for adding value – for organisations under public scrutiny (due to activism or public pressure), or for those functioning as partners in a technologically integrated value chain (e.g., Bol.com and all its suppliers and partners).
- Governance is integrated with that of partners. Interdependencies are made explicit and translated into shared responsibilities, control measures, and information needs – for example with IT service providers.
- All governing bodies require unified insights into the quality of the internal control system. These insights are provided via dashboards with drill-down capabilities.
- (Integrated) dashboards are shared with partners (or co-developed and co-managed), where the organisation has reversed the reporting flow to on-demand insight — meaning the partner accesses data whenever they wish, instead of waiting for periodic reports.
- To build trust, transparency is essential. And to be fully transparent, control measures must function continuously. Any issue can create uncertainty. The nature of controls shifts towards fully automated, repressive (impact-limiting) measures, including automated remediation.
The role of the auditor
- Internal audit is fully matured. Given the nature of the organisation, inflexible annual plans have long been replaced by business-driven audits and reviews focused on the organisation’s most valuable assets — with technology being the key focus. These activities are carried out in a continuous and agile manner.
- Consequently, IT knowledge and experience are a core competence of the internal audit function. This expertise can no longer be outsourced, unlike more operational or financial audit areas.
- For societally critical organisations, the audit function has been expanded with ESG auditors. Their primary task is to assess the organisation’s ability to report in an integrated manner (both financial and non-financial) from the first line.
- All assurance provided by internal audit offers direct value to stakeholders and partners, especially given the characteristics of these organisations (integrated IT systems, interactive dashboards). Internal audit plays a key role in establishing trust — which is ultimately delivered by the organisation as a whole.
How BR1GHT can support
- Sparring sessions with boards and management to help shape and strengthen internal control. We translate improvement opportunities into innovation-driven programmes with a strong focus on continuous improvement. We act as consultants, coaches, or trainers.
- Reinforcing continuous improvement by providing experts in specific areas such as continuous controls monitoring, dashboarding, and business intelligence.
- Enhancing technology through continuous controls monitoring platforms as joint innovation projects.
- Providing training and coaching programmes for all actors in the Three Lines Model. These can be delivered as one-time engagements or as part of an annual service contract.
- Supporting internal audit in developing sufficient IT knowledge and experience, and redefining its priorities and focus areas.
- You focus on conveying trust, while we co-source your operational activities to realise compliant documentation and ISQM.