Quality Assurance in a Digital World #2: 'Offense is the best defense'

In our introduction we stated that Digital Transformation (DX) of services leads to rethinking the traditional playing field of Quality Assurance (QA) and the Three Lines of Defense in particular. With a simple equation we illustrated the growing importance of securing accuracy and completeness directly within the first line. Let's dive a little deeper into this evolution.

A thought experiment: "It’s the year 2025 and all your first line processes are fully automated, including the controls required to assure accuracy and completeness."

Then what has become of the first line of defense? And how does the concept of built-in quality come in here?

The first line of defense is ultimately responsible for the choices they make and the risks they take in daily practice, impersonated by the business. Ideally the first line is intrinsically motivated to have clear objectives, to reflect, to regularly conduct the quality dialogue and to ask about incidents and learn from them. The first line is therefore the most important form of quality assurance.

When coming to executing operational processes, controls (e.g. Management Controls, General IT Controls, Process Controls and Application Controls) are often used to assure quality (e.g. accuracy and completeness). When your processes have become fully automated, automating your controls seems a logical next step. However, this is not as simple as it sounds and sometimes even impossible…

Application Controls are the most straightforward to automate, they are specific and within system boundaries. Process Controls are more difficult, they are also specific but often overarch several systems. Management Controls and General IT Controls are the most difficult to automate, being generic and adherent to frameworks (such as COBIT and IT4IT ) resulting in processes of and on their own.

This is where the built-in quality comes in! As a process or system evolves, its design must also evolve to support them. Agile frameworks such as SAFe use built-in quality practices to ensure that each change, at every increment, meets appropriate quality standards throughout development. A similar approach is seen in the from Lean originated concept called Quality by Design . The key to success lies in integrating controls in quality standards and directly capturing them as requirements when designing change.

In conclusion, in order to prevent quality assurance to stay behind while automating the work, offense is the best defense. Next paragraph we’ll look at another line of defense, the second line, and see what is changing there. Just to give a small hint: quality, data, automation and design are all invited to the party...