Do Fines Motivate Data Governance? Do the Math!

By John Ladley and Thomas Redman

“It’s hubris to think that the way we see things is everything there is.” — Lisa Randall

Recently, Citigroup was fined $400 million by the Office of the Comptroller of the Currency (OCC) “… related to deficiencies in enterprise-wide risk management, compliance risk management, Data Governance, and internal controls. The agency also issued a cease and desist order requiring the bank to take broad and comprehensive corrective actions to improve risk management, Data Governance, and internal controls. The order requires the bank to seek the OCC’s non-objection before making significant new acquisitions and reserves the OCC’s authority to implement additional business restrictions or require changes in senior management and the bank’s board should the bank not make timely, sufficient progress in complying with the order” (OCC News release, October 7, 2020).

This large fine was another in a series of fines and warnings, so the size of the fine is not surprising (Barron’s Magazine, October 8).

The data professional community applauded the fine.  There were a lot of “I knew it!” and “it’s about time!”   No surprise.  Seeing sound evidence for the business case surrounding the importance of Data Management and Data Governance is always good.

Many are excited that this is “the event we have waited for,” the tipping point that will put Data Governance on the agenda for corporate boards and CEOs.

Not so fast!  If history is any guide, this won’t happen.

Remember Sarbanes-Oxley? That was to be the full-employment act for data governors. CEOs had to sign off on financial statements, with the threat of jail time, if the numbers weren’t right. We all joked that ROI meant “risk of incarceration.” Reported numbers improved, but there were still thirty-two statements in 2019 that contained a material issue and therefore had to be reissued. Yet no one went to jail. That worry now appears to be off the table.

Then came the Great Recession and the GDPR. Both were believed to be the events that would kick open access to the leadership suite. It did not happen. In fact, many organizations have implemented what amounts to window dressing to be compliant. Even more aggravating, large organizations that must address regulatory issues may put on a show, vocally claiming “we learned our lesson.” It appears to us that they get a pass on any scrutiny for several years. Do they use that time to advance professional Data Governance and Data Management? Not that we can see.

Worst of all, people may come to equate Data Management with regulatory compliance, denying themselves the many advantages that come with great Data Management.

The real process goes otherwise.  Several GDPR-driven strategies developed by John provide good examples.  The typical result:  After presentation of a broad plan for total compliance to GDPR, a global company executive extended genuine thanks, heaped praise on the quality of the work and then remarked:

“We are not going to do this. We will focus on some operational changes and a few other recommendations, so we do not attract regulatory attention, then see what happens.  Our risk management experts don’t see a return on the proposed program.” 

Let’s dissect what happened. The proposed program was extremely comprehensive, addressing all aspects of GDPR and related Data Management and Data Governance capabilities.  It cost north of $10 million over 5 years. The worst-case GDPR fine for the organization ranged from $150 – $250 million. But the company recognized that:

  1. With high likelihood, any fines levied would be much smaller
  2. The chance of being fined was low
  3. GDPR regulators were already hot on the trail of larger organizations.  It was safe for a good, long while

The risk-reward calculation did not justify the proposed Data Strategy.  

Surely, you say, Citigroup is different – $400 million is a lot of money.  But not for Citi.  Its net income in 2019 was $19.4 billion.  The fine therefore is only 2% of net income and a business expense, so deductible.  Their provision for taxes was $4.4 billion, at a tax rate of 23%.  So almost one fourth of the fine is absorbed as a tax deduction. 

If all it took was a stunning number to get Boards interested in data, the job would be long done. IBM put the cost of bad data in the US at $3.1 Trillion per year (yes, trillion!). That’s about 18% of GDP, and it is clear that Citi’s share is easily greater than $10 Billion.

What really hurts Citi is the prohibition on acquisitions and other restrictions on business activity.  In addition, executive compensation needs to reflect risk, not just profit. 

This is where the real impact, not the fine, may lie.  It is not the money the company may lose. It is the on-going inconvenience to its executives and the hit to their own paychecks.  They can’t go about buying businesses and doing other cool banking things. 

This is where the real “tipping point” needs to happen. There needs to be recurring impact. One-time fines are not drivers for Data Governance. They never will be. Not even a big, recurring number will do the trick, as the lack of reaction to the $3.1T/year number attests.

The “hit” has to be personal—to an executive’s bonus or their ability to do new things.  

The financial sector is not alone. In the 1990s many manufacturing companies faced new competitive threats and needed to improve quality to survive.  Many did not. And many disappeared, finding all sorts of reasons to ignore quality. 

What should we do? If a large fine, even a threat to survival, is not enough, how do we get senior management’s attention?  Here are our five recommended steps:

  1. Do the math.  Understand the impact as the involved company sees it.  What looks like a big number is big only to an outsider.
  2. Look at the entire income statement, balance sheet and stated strategies.  The fines are the tip of the iceberg.  In the case of Citi the fine was actually financially trivial, but the other impacts mattered more.
  3. Focus on the impact on individuals.  A reduced bonus may be a better motivator than managing risk.
  4. Most executives want a good legacy. They do not want to be part of the leadership crew in charge as the company failed.
  5. Change the conversation to focus on opportunity!  Better data means lower costs and more ways to monetize the data, translating into higher profits and bigger bonuses.  Tom stresses the importance of provocateurs—people who see such opportunities for themselves and, in so doing, advance data programs.

Do we ignore fines? Of course not. They are good indicators – the smoke that makes us look for the fire. Smart Data Management professionals will dig deeper, looking for ways to apply our recommended steps. To be clear, fines cannot be the sole driver, and they are certainly NOT the bellwether events that will lead us all to Data Governance nirvana. Messages that tie Data Management solely to the regulatory “I told you” story are ill-fated.

But don’t despair!  There are a host of great reasons to pursue Data Management.  Your job is to sort out those that will motivate specific individuals, craft the right message, and drive it home. 
