Data Management and Data Governance enable us to harness the right data, fit for raising an organization’s confidence and trust in its data. There is definite value in leveraging the right data, and at the same time there is risk associated with data and its operations. Risk and Value are two sides of the same coin. While Value realization is much needed, realizing these benefits requires balancing them against effective management of Risk.
Today, Capability Based Planning is a widely embraced technique for planning strategic changes, in defense and in other spaces such as Data Management. The analysis used in this technique deals with the uncertainty of outcomes, the estimation of risk, and ways of making choices that deliver the required benefits.
The principle of Capability Based Planning is to account for uncertainty upfront rather than to discount it. This approach further assists in expressing and managing the risks that are most apt for the scenarios, while also eliciting costs and benefits. Stemming from this is the technique of Capability Based Assessment, which reverse-engineers the existence of capabilities or controls in a control environment to assess risks better.
Data Management and Data Governance ensure that a control environment is in place that has the required capabilities to ensure control for Data Quality, Metadata, privacy, and policy enforcement. Though Data Governance in most organizations is limited to formalizing Data Management as a function, there is a need to enable a risk management function to guarantee the enforcement of the controls and policy.
Data Risk Managers can effectively leverage a Capability-based Risk Assessment (CRA) through a Data Risk Control Self-Assessment (RCSA). This technique focuses on identifying and quantifying risks associated with the delivery of strategic and operational business outcomes through Data Management enablement. In most organizations, Data Management is business-driven and technology-led, and combines the essential Stewardship of all lines of business to achieve the desired outcome.
An important aspect of a capability is that it has various dimensions. The TOGAF methodology lists people, process, and material dimensions for a given capability. A CRA focuses on the strength of all dimensions of a capability to assess the gaps in the controls and thereby the risks arising from these control gaps. Adopting a capability-based perspective within an organization is a powerful mechanism to deliver value by holistically managing risks across all dimensions.
Let us take a risk identified in Metadata Management, such as failure to capture complete relationships between business terms or data elements (horizontal relationships like “Synonyms,” “Acronyms,” and “Specifies,” and also vertical relationships across physical, logical, and conceptual levels, like “Specialization” and “logical/physical representation of”).
When we assess this risk, we look for its outcome, which is inefficiency in leveraging Metadata for the purposes of impact analysis, business requirements analysis, Data Analysis, integration, and reporting.
The controls that are required in this scenario include people, process and technology dimensions.
- A process control refers to “policy, procedure and activities to capture and publish horizontal and vertical relationships among business terms or data elements.”
- A technology control refers to “Metamodel and Metadata Repository updated to capture and actively manage the relationships among data elements.”
- A people control refers to “Stewardship of responsible stakeholders through trainings, guidance and best practices and Stewardship to enforce capture of the relationships among data elements.”
On the other hand, data controls are often described as technical deliverables rather than as business outcomes, making it difficult for the business to appreciate what is being delivered and frequently causing IT to lose sight of the objective. Risk management functions are evolving in financial firms, where the established roles of Data Controls Executive and Data Risk Manager are progressing. This is to actively ensure that a CRA is practiced horizontally across the organization, in alignment with corporate Data Governance practices.