Data management & 3 lines of defense.

Several months ago, I got a task to investigate how to position the Data management function within the Three Lines of Defense.

My first reading was the article 'Data Governance and Three Lines of Defence' by John Parkinson. The analysis was based on a comparison between Data Governance/Management activities and those of the Three Lines of Defense. The conclusion was: Data management is the First line, and Data Governance is the Second line. I thought: Bingo!

Now, months later, I am ready to argue with the conclusion.

Let’s first refresh the definitions of the 3LOD concept and the 1st and 2nd Lines of Defense.

The Institute of Internal Auditors (IIA) stipulates: the 1st line is ‘functions that own and manage risks (operational management)’ and the 2nd line is ‘functions that oversee risks’.

How do the definitions apply to the Data management function?

The main points are:

  • consider the principles of assigning a business function to the Risk framework;
  • assigning the 3LOD role to a business function based on its business activities is not a correct approach.

Only if the 1st Line of Defense can identify risks associated with their data management business processes do they have to deal with the 3LOD risk concept. Should that not be the case, the activities of business functions and Data professionals' departments are NOT considered part of the 3LOD concept.

If you work for a Data professionals business unit and you have to deal with the 3LOD concept, here are some tips for you while analyzing your company's Risk policies:

A crucial question is: what are the triggers to assign your department to one of the 3LOD? An assignment based only on types of activities is not correct if there is no risk associated with the data management processes executed by businesses.

The 3LOD concept developed by the IIA does not define "Operational management" in terms of business activities or types of clients (external or internal). So, your Data professionals organization can also be considered a 1st Line of Defense function that provides some services and products for other internal business functions.

  • Should your company have Risk taxonomies, check whether the risks are associated with data management business processes. If not, Data management is NOT part of the 3LOD concept at all.
  • Should Data management somehow become a part of the Risk Framework, you can still be in a position to deliver consulting services both to businesses and Risk departments (which usually represent the 2nd LOD) and continue to be considered as the 1st LOD.

For more information, visit the Data Crossroads Academy site: //