Data management & 3  lines of defense.

Several months ago, I got a task to investigate how to position Data management function to the Three Lines of Defense.

My first reading was the article 'Data Governance and Three Lines of Defence' by John Parkinson. The analysis was based on a comparison between Data Governance/ Management activities and those of The Three Lines of Defense. The conclusion was: Data management is the First line, and Data Governance is the Second line. I thought: Bingo!

Now, months later, I am ready to argue with the conclusion.

Let’s first refresh the definition regarding the 3LOD concepts and 1st and 2nd Lines of Defense.

The Institute of Internal Auditors (IIA) stipulates: 1st line are ‘functions that own and manage risks (operational management) ’ and ‘2nd line are ‘functions that oversee risks’.

How are the definitions applicable for the Data management function? 

The main points are:

  • consider the principles of assigning a business function to the Risk framework;
  • assigning the 3LOD role to a business function based on its business activities is not a correct approach.

Only if the 1st line of Defense can identify risks associated with their data management business processes, they have to deal with the 3LOD risk concept. Should it not be the case, business functions and Data professionals departments' activities are NOT considered part of the 3LOD concept.

If you work for a Data professionals business unit and you have to deal with the 3LOD concept, there are the following tips for you while analyzing your company Risk policies:

A crucial question is: what are the triggers to assign your department to one of the 3LOD? An assignment based only on types of activities is not correct if there is no risk associated with the data management processes executed by businesses.

The 3LOD concept developed by IIA does not define "Operational management" in terms of business activities or types of clients (external or internal). So, your Data professionals organization can also be considered as 1st of Line of Defense function, which provides some services and products for other internal business functions.

  • Should your company have Risk taxonomies, check that at least if the risks are associated with data management business processes. If not, Data management is NOT part of the 3LOD concept at all.
  • Should Data management somehow become a part of the Risk Framework, you still can be in a position to deliver consulting services both to businesses and Risk departments (which usually represent the 2nd LOD) and continue to be considered as the 1st LOD.

Looking forward to seeing your comments below! Please, leave comments here.