In the financial services industry, people are used to the three lines of defense model for most risk functions. Generally, the first line of defense for managing a risk is the business itself, the second line is an independent control function, and the third line is internal audit.
Increasingly firms are considering data risk as a risk element in their overall risk management framework.
Firms are including data risk in their group risk appetite statement in addition to their market risk, credit risk and operational risk. Once the risk is identified, the firm has to establish three lines of defense to ensure the risk is managed in accordance with the risk appetite.
Following is the approach I would consider as three lines of defense for data management and data risk.
- First line of defense: This defense lies with the data owners and data stewards. These are the team members who create or source the data. They are accountable for ensuring that the data meets the data quality requirements stipulated by regulators or by the data consumers.
- Second line of defense: This defense is maintained by the central data office, whether that is a data governance function, a data management office, or a chief data office. This team establishes the firm's data policy. It monitors the data quality metrics and generally acts as the escalation mechanism when data quality does not meet the required standards. In addition, the second line of defense provides advisory services on the sourcing of new data and on the impact that technology and business changes have on data.
- Third line of defense: This defense is internal audit. Internal audit ensures that the firm has an adequate data management policy and routinely audits data management across the firm. Internal audit reports directly to the audit committee and to the regulator on matters concerning data management.
For data management to be successful, it is critical that your firm establishes these three lines of defense so that everyone is aware of their roles and responsibilities concerning data risk.