Click to learn more about author Tejasvi Addagada.
Why Defining a Data Risk Strategy is Crucial?
Risk and Value are two sides of the same coin. Value realization along with benefits management is vital to appreciate the strategic goals of an organization. A balance between realization of these benefits along with effective management of Risk is required to enable these benefits. How about Charlie from Chocolate factory saying “I would want to enjoy the benefits that dark chocolate brings to my health, but I would not have control over the amount of sugar that goes into Its preparation”. More sugar can weaken the benefits that dark chocolate brings, but it is required to enjoy the chocolate. Similarly, the emphasis is on Data Risk Management to enable benefits while also managing Risks. This is to ensure that strategic objectives through data capabilities are realized well, while also managing data related risks in operations.
Where to Start?
It is better to start with the mission and vision statements for the Data Risk Function.
The vision would rather state where the function would want to be five years from now. Are you looking at having this practice enable strong corporate Governance through enforced aspects of Data Management and Governance in the long term?
The mission statement lays clearly what the function is poised to do today. Are you looking to have the function guarantee trust on data through Risk Governance over data and its operations?
While the vision and mission are being formulated, the firm would have published its strategy along with the Goals. The organizational goals need to be cascaded to the data risk management’s Goals and Objectives.
A goal like “100% compliance in data related operations” would mean that risk management’s objective is to ensure that “All the risks related to compliance related data are actively managed with priority, within the appetite and tolerance levels”.
Capability Based Planning to Arrive at Strategic Roadmap
The goals of the function need to be prioritized once cascaded from the organization. It is better to include the board and executive leadership to endorse them and it is suggested to take them along the journey. The function provides risk governance services that can be considered horizontal in the organization. The same will be pushed to business units, they like it or not. But, early collaboration across the organizational units in strategy analysis provides future buy-in to risk management activities. This would enable the units to participate in eliciting risks and decisioning on solutions related to data, in a council discussion, once the services are pushed to a division.
The next step would be to come up with capabilities that would achieve the objectives of the data risk management function. This would entail to understand the people, process and technology capabilities required to achieve the objective. A sample set of capabilities are as below:
People Capabilities – Data Owners are responsible to classify data as compliance related while stewards and data risk manager enforce and guarantee the same in data domains, through controls and Governance processes.
Standardizing roles, responsibilities and accountabilities of Data controls executive, data risk manager along with identification of stakeholders and empowerment.
Process Capabilities – Metadata capture and management process should facilitate capture of attributes that classify data as regulatory or compliance related.
Architecture should provide the facility to classify the data landscape into logical domains/datasets like compliance domain, based on the need.
Governance processes should ensure that regulatory or compliance related data is tagged as high risk and critical data, while the all the data management processes should be mandated on such data.
Technology capabilities – Metamodel for metadata and repository should have the facility to store the attributes that classify or tag data elements or business terms as compliance or regulatory related.
Further, every objective can clearly state the below aspects for better understanding of the objectives and capabilities:
- Needs | Inputs | Outputs | Benefits | Outcomes |Capabilities
Understanding the Current Capabilities by Performing a Capability Analysis
The next step is to understand what level of the capabilities exist in the organization. A capability analysis assists in scoping and planning by creating a shared understanding of outcomes across objectives, their alignment with strategy, while also assisting in prioritization of capabilities.
These capabilities if existing today, should be assessed for their current performance gaps and their associated risks to achieve the outcomes. The specific gaps can be fixed by adequate planning for maximum outcomes.
If there are multiple stakeholders that need to provide the above information, it is suggested to roll out a questionnaire to get them to force score the capabilities. On arriving at a complete analysis, it is easy to comprehend where to focus the investments. Multiple capability requirements can be related with relationships during the strategic analysis and requirement analysis stages.
Just like process levels, the capabilities can also be grouped under level 0, 1, 2 to better manage the relationships between them as well as their prioritization.
The capabilities like policy management can be grouped as organizational capabilities
Metadata Management capabilities can be grouped as Data Management capabilities
Data Control self-assessment or policy assessment can be grouped as Data Risk Management capabilities.
A heatmap can depict the health of these capabilities based on their current performance gaps. For instance, Policy management can be given green given it has certain level of maturity for long in the organization while Data Risk Management capabilities can be showcased in amber. A product like a GRC solution can be deployed to fill the gaps in the technology and process capabilities to achieve the objective of establishing data risk governance across organization.
Put a Strategic Roadmap
The objectives along with outcomes, benefits, risks and disruptors need to be designed across a timeline in a simple but effective roadmap. This can be a generic Roadmap but it needs to emphasize the outcomes and benefits which will stress the need for Benefits Management. The risks that need to be captured would be strategic risks that can interrupt the achievement of the benefits. While, the disruptors can be external to the organization like the PESTLE factors which can impact, like a specific maturity model being enforced by an investor or regulator.
Cascading to an Operational Roadmap
There is a need to fund the capabilities through logical grouping into projects or changes. The milestones for these changes need to be designed in the operational roadmap. If there is a product being deployed, it will be beneficial to supplement the same with a product roadmap. Many product development efforts are to improve the performance of an existing business capability like data quality assessment or to deploy a new capability like Governance process.
This need not be the only way to put a data risk strategy in an organization, but it leverages the aspects of capability based planning and benefits management along with strategic risk management holistically.