Lessons learned: Data management and the Three Lines of Defense concept (3LOD)
Several months ago I got a task to investigate how to position the Data management function in relation to the Three Lines of Defense.
My first reading was the article 'Data Governance and Three Lines of Defence' by John Parkinson. The analysis was based on a comparison between the activities of Data Governance/Management and those of the Three Lines of Defense. The conclusion was: Data management is the first line and Data Governance is the second line. I thought: Bingo!
Now, months later, I am ready to argue with that conclusion.
Let's first refresh the definitions of the 3LOD concept and of the 1st and 2nd Lines of Defense.
The Institute of Internal Auditors (IIA) stipulates that the 1st line consists of 'functions that own and manage risks (operational management)' and the 2nd line of 'functions that oversee risks'.
How do these definitions apply to the Data management function?
The main points are:
- consider the principles for assigning a business function to the Risk framework;
- assigning a 3LOD role to a business function based only on its business activities is not a correct approach.
Only when the 1st Line of Defense can identify risks associated with its data management business processes does it have to deal with the 3LOD risk concept. If that is not the case, the activities of business functions and Data professionals departments are NOT considered part of the 3LOD concept.
If you work for a Data professionals business unit and have to deal with the 3LOD concept, here are some tips for analysing your company's Risk policies:
- A crucial question is: what are the triggers for assigning your department to one of the 3LOD? An assignment based only on the type of activities is not correct if there is no risk associated with the data management processes executed by the business.
- The 3LOD concept developed by the IIA does not define 'operational management' in terms of business activities or types of clients (external or internal). So your Data professionals organization can also be considered a 1st Line of Defense function that provides services and products to other internal business functions.
- If your company has a Risk taxonomy, check whether at least one of the risks is associated with data management business processes. If not, Data management is NOT part of the 3LOD concept at all.
- If Data management does become part of the Risk Framework, you can still deliver consulting services to both the business and the Risk departments (which usually represent the 2nd LOD) and continue to be considered the 1st LOD.
Looking forward to seeing your comments below!