In July 2021, one of the world’s leading banks revealed a loss of $5.5 billion due to a default by one of its customers. The bank identified the “failure of management and controls” in its investment banking arm as the fundamental cause of this loss. This incident reinforces the importance of a robust governance framework for managing data risks – driven by the right combination of people, processes, and data within the banking industry.
Technological advancements have created expectations for on-demand banking that are typical of banks’ sustainable growth. By adopting digital banking solutions such as mobile, internet banking, kiosks, and WhatsApp, it has become easy to service customers on the go. A typical bank offers services through 70-100 channels. Banks can also harness the insights obtained from big data generated from the interaction of customers with multiple channels.
However, these gains come with their fair share of risks. With digital solutions implemented across traditional processes, financial institutions need to proactively address risks related to data as part of their overall risk management. As a result of all of the above, insights gained through data analysis would also assist in making informed decisions, thereby reducing operational, regulatory, and credit risks. While traditional information security frameworks help mitigate some of these risks, it is posited that a robust Data Governance program will help banks bolster their existing risk mitigation strategies. This will help unlock significant gains from data analysis.
Need for Managing Data Risks
Data is an enterprise asset that must be actively managed along with technology and people. With the evolution of open-source software, data management offerings like a cloud warehouse or lake, and technology to analyze big data have also evolved. However, data curation, analysis, processing, and storage carry multiple risks as well. Most of these risks may not be limited to the confidentiality, integrity, and availability of data. These risks could instead extend to data privacy, regulatory sanctions, and contractual risks associated with using third-party providers.
Traditional “command and control”-based IT control models themselves can struggle to meet the demands of digital business. In a survey conducted in 2021, 61% of respondents indicated that their governance objectives include “optimization of data for business processes and productivity.” Hence a model that is flexible, responsive, and tailored to the bank’s specific data needs and objectives would be better suited than the one-size-fits-all, center-out model.
With the recent focus on customer privacy coupled with the evolution of public policy, banks are forced to acknowledge data privacy risks across the lifecycle of personal data. Generally, policies, guidelines, and regulations emphasize maintaining accurate personal information within the system so that it can be retrieved whenever a customer requests it.
Traditional risk management frameworks that focus on maintaining the availability, integrity, and confidentiality of data without addressing concerns of classification, quality, and privacy may leave banks struggling to meet legal and regulatory compliances. For instance, privacy laws require organizations to provide data subjects with copies of personal data collected/processed/stored by them. Without a robust Data Governance framework where all such data are appropriately classified and centrally stored, banks could be required to spend precious resources collating this data manually and responding within the set timelines. It is therefore imperative that banks look at their risk management strategies to secure their data and derive value from it.
Building Blocks for a Robust Data-Centric Risk Mitigation Framework
Defining Key Performance Indicators
Risk reporting: By ensuring accurate reporting of data risks to the board, programs that will strengthen data operations can be sponsored. For example, a 100% compliance goal for data operations would mean risk management’s objective is to ensure that all compliance-related risks are actively managed with priority, within the appetite and tolerance levels. For instance, questions regarding acceptable data delinquency levels of customers – is it 10% or 30% – need to be first identified before being resolved.
Management oversight and commitment: The board and senior management of banks must promote the identification, assessment, and management of data risk through policy. A risk policy provides guidance around scope, guidelines for identifying data risk, the role of personnel along with their responsibilities and accountability. Impacts of data risk might often be unnoticed unless it is formally managed. To quote an example, one can identify data risk scenarios in a business where data, its architecture, quality, and meaning can impact your balanced scorecard metrics such as customer reachability, satisfaction in operations change, and time-to-market.
Capability-based risk assessment: Both quantitative and qualitative risk assessment approaches are needed to address data-related risks. A capability-based data risk assessment could be a possible solution. This technique can be used in data risk planning, as well as in formulating a data risk strategy along the way. A registry of data risks across data management, operations, contracts, project management, privacy, and security can be used as a guidebook to aid banks in their initial risk journeys. Also, data risk assessment can be less accurate when limited characteristics are known and analyzed. But curating more characteristics of risk events through the data collection phase can assist in better predictability of risks in data operations. Moreover, there are various tools and techniques for data risk management that can be used.
Data Governance framework: Organizations use this framework to implement Data Governance within their organizations. This framework was created to enable different stakeholders across the organization to differentiate Data Management from Data Governance activities. This will enable them to be able to monetize 100% of the benefits of data.
Think of every Data Management activity, such as Data Quality assessment, metadata management, and data privacy impact analysis as enablers. This is a newly developed or improved capability made available to the organization to fulfill a part or need. These enablers can be further classified into business, process, and technology enablers. For example, “policy making” is a business enabler, “metadata service management” is a process enabler, and “data profiling” is a technology enabler.
Control Objectives of Information Technology (COBIT) is an existing industry risk framework that can be overlayed over a data risk landscape to cover the enterprise end-to-end in governing data risk. It is characterized by three components: benefits enablement, program delivery risk and operations, and service delivery risk in relation to data risk.
For every Data Management dimension, one can have metrics that can be formally stated to be key risk indicators (KRIs). The KRI for Data Quality-Data Management can sense process breaks like “mobile number getting updated even though it’s not verified through one-time-password” or “overwriting a current email address with an older one in core systems due to incorrect pipelining.”
In order to recover faulty data on an application form, most of these changes must be recovered by adding people. By using information technology systems, data issues can be permanently resolved. When technology and people control are combined in operational processes, risk can be completely managed. Along the same lines, Data Quality risk-based indicators (KRIs) can sense process breaks that can be used to recover faulty data in the meantime.
The Deputy Governor of the Reserve Bank of India, in his keynote address at the Centre for Advanced Financial Research and Learning, reiterated the need for senior leadership of the banks to focus on bridging the disconnect between the risk appetite framework approved by boards and actual business strategy and decision making, weakening the risk culture that was amplified by the absence of guidance from senior management, improper risk assessment, repeated exceptions to risk policies, conflict of interest especially in related party transactions, and absence or faulty enterprise risk management.
Through a robust risk management framework that focuses on mitigating risks pertaining to confidentiality, availability, and integrity, as well as privacy and quality of data, banks can manage the tightrope walk between ensuring higher customer satisfaction and experiences through innovation, undertaking regulatory compliances, and safeguarding against breaches.
Most organizations are yet to identify the correlation between Data Governance, risk management, and corporate governance. It must be made clear that for corporate governance to be effective, the reach of data risk as a function cannot be limited, and it may also be necessary to integrate Data Governance into the grass-roots culture of the organization to manage risks. Hence, it is clear that a risk-aware culture, driven by Data Governance, assists in achieving corporate governance.