Data Governance enables us to harness the right data for the purpose of raising an organization’s confidence and trust in its data. There is a definite value associated with leveraging the right data for business functions. At the same time, there is also risk related to data and its operations. This risk is a business risk and should be business owned, as is the Value. So, are your thresholds for Data Quality, Metadata Management, security and privacy, Architecture, and content management in line with the risk appetite and tolerance of your enterprise? What does a zero appetite for privacy incidents and loss of price-sensitive data mean to data management and Governance? How often do your organizational risk priorities, appetite, tolerance and limits change – annually or biannually?
What is driving Data Governance adoption – Risk or Value?
Assessing and managing risk linked with data and related resources often takes a back seat in an enterprise risk management strategy. Shortly, we will look into the synergies required between Data Governance and risk functions to enable holistic management of risk related to data. Data Governance is already a new normal in most enterprises, as demanded by regulations like BCBS 239, GDPR, EU No 1024/2013, EMIR, MiFID2, etc. The regulatory landscape is changing fast, with much legislation like MiFID II providing future guidance on controlling risks associated with suboptimal Data Quality.
Financial institutions which by now have accounted for risk in Data Governance are well prepared for the upcoming environmental changes and threats that reduce the commercial value of business. The scenario with most organizations is very similar to saying “we are preparing for a heavy rain while a warning for a tsunami is issued but there isn’t enough time to control the impact,” or “we somehow think we are prepared but we will have to re-look at it from a risk perspective to be confident.” Regulation and compliance are major drivers for enterprises to adopt risk management in Data Governance. The other leading driver is the need to prioritize and manage data associated with high regulatory, financial or operational risk. These multiple drivers necessitate a blend of data management, risk management, and Data Governance principles, which in turn raises several questions –
- Is risk management an integral component of your Data Governance division? Or does your risk governance take into account data management principles? How do these work in tandem?
- Have you considered addressing gaps and overlaps between risk and data functions of governance?
- Have you accounted for risks that are considered a priority to your organization and have you cascaded these risks to your Data Governance operational frameworks to reflect these priorities?
- Does your data tiering framework take into account risk parameters apart from value parameters?
- How differently do you manage data that is high risk/high value from medium and low risk/value?
View Data Governance from the perspective of risk.
Organizations have several lines of defense in addressing various enterprise risks. These include regulatory, reputational, financial, credit, strategic, operational risk and many more. Data, its management and resources, including infrastructure, are all integral contributors/assets in consideration of these risks. Risk events can occur with both uncertain frequency and magnitude. They create challenges in meeting strategic goals and objectives. It is not only information risk that needs to be dealt with but also risk related to data. The risk thus identified should be controlled, assessed for residual risk, and prioritized for automation, re-engineering or design that reduces the frequency of occurrence or the impact to business.
Where does risk management associated with data fit in the organization?
From this discussion arises one other question – “Does data risk management align with the Data Governance division or the Chief Risk Office?” My personal take is that Risk Management needs to be an integral dimension of Data Governance for which policy needs to be defined in close coordination with the enterprise risk function. But, accountability can be provided to a sustainable, standalone function within the risk office. It makes perfect sense to extract responsibility from accountability and maintain management review in aligning Data Governance in view of risk with enterprise objectives.
Data Governance is the only existing pillar in most organizations to ensure successful and sustainable management of data as an enterprise asset by enforcing, formalizing, and enabling data management practices. Data Governance further defines oversight by establishing policy, approval mechanisms and evaluation of adherence to policies. It is the responsibility of the division to ensure business functions take responsibility and accountability for maintaining data quality, metadata, content and compliance, and for sourcing the right data. Do you see many gaps in operationalizing these much-needed aspects of Data Governance?
The risk management component of Data Governance considers Integrity, Accuracy, Completeness, Consistency, Efficiency, Effectiveness, Confidentiality, Availability, Compliance, and Reliability as some of the many dimensions. The idea is to establish a common enterprise risk view. For example, there is risk associated with not identifying the right data element for a solution, defining incorrect meanings, or identifying incorrect systems of record, all of which Governance policies address. But there is also risk associated with not collecting or extending Metadata in the right project lifecycle phase. The oversight will address such program delivery risks by ensuring integration of Data Governance policy in the program lifecycle.
Various risks and best practices in addressing them with Governance –
Benefits enablement – There are missed opportunities that can be realized with adoption of information capabilities to increase operational efficiency or chase new business opportunities. This is related to strategic and environmental risk.
An example can be an organization missing an opportunity to leverage a Metadata management solution to manage data elements and their meanings rather than handling them in spreadsheets. Or leveraging the ESB vs custom real-time services for efficiencies.
“While performing needs analysis in the requirements & design phase, make sure to generate maximum options to satisfy the business need. The critical considerations for the decision are dependent on the objectives, but will involve an understanding of the quantitative and qualitative value and risk of each option, the turnaround time to achieve each future state and opportunity cost to the enterprise. Make sure to have the Data Governance council, representative and data risk committee/group participate while generating options.”
Program delivery risk – Often associated with the contribution of data to new or improved capabilities in the organization. These risks are aligned with market risk, credit risk, and financial risk.
Have you identified data requirements for financial reporting, while also stating data sources with 45% accuracy as systems of record? Have you considered the federated disparate sources of data and the challenges in integration? These factors will delay your program timelines if you do not account for them upfront but discover them later in the project lifecycle. These events are thereby going to increase the service time to market, thus missing the regulatory deadlines or reducing market share.
“Include risks and disruptors associated with data, information and related resources in strategy, business outcome, evolution and product lifecycle roadmaps.”
Operations and service delivery risk – Often associated with the availability, consistency and usability of data and related systems, and with interruptions to regular services which can reduce the commercial value of business. This is related to operational and compliance risk.
For example, the latest lead data for the week that was acquired from a third party doesn’t align with semantic and structural consistency policy, while it is also not available in time for the campaign orchestration.
One more example can be an information system downtime for online/mobile applications due to outages/bad data in the information systems, affecting regular services to the customers.
“Use Risk Governance policy, RCSA, evaluation and response options to assess, manage and control operational risk.”
Ineffective management of data causes risk of financial loss or damage to brand. Some scenarios are stated below –
I will end by saying: Data Governance enforces authorization, formalization of authority, policies and guidelines for better management of data to realize its complete value. The risk management component or function also makes it foolproof by addressing gaps in formalizing authority, including risk principles in data management frameworks, leveraging governance in managing enterprise risk and many more aspects. So, does it make sense to say that if you start with your data risk management function you will have a major say in data tiering strategy and data certification to measure the transformation from federated to controlled environment?
Click here to learn more about Tejasvi Addagada.