Data Governance And The Three Lines of Defence


First of all, you might be wondering to yourself: what is the 'three lines of defence' model? Well, it's a model that is commonly found in financial services companies, although I have seen it elsewhere too, and, as the name suggests, it divides an organisation into exactly three lines.

So first of all, think about who is considered to be the first line of defence in your business. Generally, this is the people who do whatever your organisation does: whether that's making things, selling things, or running a bank or an insurance company, they're the people doing what your company does.

The second line of defence is made up of the teams that tend to set the rules by which the first line runs the business. So, these are people like your Legal team or your Compliance team. They're the people interpreting external regulations and working out what your company has to do in order to comply with them. These teams will also include Operational Risk.

Now, the third line of defence is where you have your audit. This is either internal or external audit, which scrutinises the first line of defence who are running the business and makes sure they are doing their jobs in accordance with the rules and policies set by the second line.

So, now on to the most important question - where does Data Governance fit in all of that?

Well, that's a really interesting question and you may be surprised to learn that I'm not sure it does fit nicely with this. However, since I have done a lot of work in financial services over the years, this is something I've had to figure out on a number of occasions.

I think it's fair to say that, more often than not, data governance ends up somewhere in amongst the second line of defence, often sitting alongside an Operational Risk team.

Now, it works pretty well there, as long as you remember that a data governance team doesn't just write the rules and then toss them over to the business to comply with. A data governance team is very much supporting the first line to write their own data rules. So a data governance team isn't really writing the rules at all; they're helping and facilitating the first line in writing their own rules.

It's subtly different, and I have worked for a few organisations that have described data governance as sitting somewhere in the middle of the three lines of defence, at around "one-and-a-half", rather than purely in the second line or purely in the first line.

There is another way of thinking about it. I was discussing this fairly recently with an Operational Risk Director working within one of my clients, and he said he felt that perhaps there was a 1a) and a 1b) in the first line of defence, whereby 1a) are the people doing the work and 1b) are perhaps the data governance team, because they don't set the rules.

Therefore, perhaps the data governance team should be considered as sitting in the business helping it run better, but as 1b) because they're one step back from doing the business itself. They're helping the business run better by helping people manage their data better.

Don't forget, if you have any questions you'd like covered in future videos or blogs, please email me: questions@nicolaaskham.com.

Or, if you'd like to know more about how I can help you and your organisation, please book a call.
