Data lineage is extremely important since unknowns in the data flow are a root cause of enterprise risk. Enterprise Risk Management and Data Governance professionals are teaming up to implement the “Three Lines of Defense” model (3LOD). The goal of 3LOD is to provide an early detection and risk mitigation warning system. Line 1 includes Management and Operations. Line 2 is composed of Risk Management and Compliance. Line 3 involves Internal Audit. To better understand the risk exposure, the different lines of defense must be able to find and verify the source and definition of the data. The key is to focus on those data elements that are critical to managing risk and protecting profitability.
Data lineage today generates a lot of industry buzz. Fortunately, there are highly rated software providers. Unfortunately, the desired protection continues to elude all three lines of defense. What gives? In searching for answers at some of our client sites, we discovered a repeating pattern that led to project failure. The process starts with a management directive to implement lineage, usually coming from the IT sector. Budgets are appropriated. The lineage tool is selected, along with a consulting partner. Over several months (or longer), the lineage of complete datasets is captured back to source systems in a systematic sweep across the data landscape. The project goes live with new dashboards and lineage maps. Success. However, fast-forward two years and we find that the lineage of complete datasets has failed to deliver the required risk performance. For example, the folks in Audit and Compliance are no closer to data awareness because the company did not commit enough resources to keep the metadata current or was not focused on the real risk and quality prize. Who didn’t do their job? In many cases, the project sponsor blames the software and suggests that a better tool is the answer. The pattern begins again. Rinse and repeat.
The problem is not likely with the software. Nor is it the fault of the implementation team. For some of the problems we analyzed, we found that IT had underestimated the need for ongoing maintenance, including the time and cost to maintain the complete lineage map. In other cases, the projects failed to limit the lineage scope to only those critical data elements. With data lineage, the adage holds true: Less is more. Enterprise Risk managers would be satisfied with highly accurate lineage on the relatively few critical data elements that impact risk. Even in large companies, this would be fewer than 100 data elements, not the thousands of data elements systemwide.
What constitutes critical lineage? Focus on the key data elements that could heighten risk or negatively impact profit. You will find these critical elements in places such as:
- Measures for key Data Quality controls
- Data elements that impact core financial statements
- Structured or unstructured confidential data
- Financial model results
- Data that impacts organizational CSF and KPIs
The approach to defining and implementing an effective data lineage program starts with the question, “What data in our company directly impacts risk or profitability?” Don’t make the “rinse and repeat” mistake by asking, “Which database should we analyze first?” The ultimate lineage stakeholders are better served with the integration of Data Governance and Enterprise Risk in alignment with the 3LOD model. Managing risk and protecting profitability is the goal – we call it Lean Governance.