Leveraging COBIT to Manage and Govern Data, in the Perspective of Risk

By on

Click here to learn more about author Tejasvi Addagada.

Data Governance enables us to harness the right data fit for the purpose of raising an organization’s confidence and trust in their data. There is definite value associated by leveraging the right data for business functions. At the same time, there is also risk related to data and its operations. This risk is a business risk and should be business owned, as is the value. Risk and value are two sides of the same coin. While value realization is the end objective, a balance between realizations of benefits along with effective management of risks is required.

The stakeholders’ needs are rapidly evolving like the need for regulatory preparedness, in financial institutions. The business environment including strategy changes, business model changes, advancements in technology, regulations are some primary drivers for these evolving needs. Data Governance is already a new normal in most enterprises as is demanded by regulations like BCBS 239, GDPR, EU No 1024/2013, EMIR, MiFID2, etc. The regulatory landscape is fast changing with legislation like MIFID II providing future guidance on controlling risks associated with sub-optimal Data Quality or the GDPR emphasizing Data Privacy & Security.

In medieval times, horses were trained to pull carriages from London to Farringdon regularly. The trained horses transferring people to places, is an active process. The process needs to be managed, so that the people reach their destination on time, with the horses being managed properly enroute. This is where the driver plays an active role managing the horses. This also ensures that the passengers enjoy the actual benefits of reaching on time, safely and securely rather than just reaching a destination. There needs to be Governance in place, an oversight over all horses, drivers and carriages owned or third party sourced, by the company. This is to manage the risks such as passengers not reaching on time, safely and securely which impacts profitability.

Similarly, now, the need for Data Governance and inception of risk management within Data Governance can be stressed more for value realization. Many organizations leverage industry standards – Data Management Association (DAMA) or Enterprise Data Management Council (EDM) for guidance to implement Data Governance within their organizations. There is a changing perspective in most organizations, to look at Governance from the outlook of risk. This is primarily due to the fast changing business and regulatory drivers. Along with best practices put forth by these industry groups, the COBIT Methodology can be leveraged in the perspective of risks associated with data, its management, and governance. COBIT describes enablers or processes for efficient management and governance of IT resources which includes data as well. But, there is customization required which is quite un-burdened to fit into the organization and Data Governance models.

There is void in enterprise risk management functions to actively manage data risks. Data Governance in most organizations is the only existing pillar to ensure successful and sustainable management of data as an enterprise asset by enforcing, formalizing, and enabling data management practices. Some organizations are having their risk functions define a standalone second line of defense that caters to data alone, with its own mature and independent capabilities. This would be a sovereign oversight body that orchestrates Risk assessment in the organization through distributed or centralized first line of defense.

Ideally, there is a pressing need to have an approach that will allow the data risk management function identify the focus areas to manage risks and govern data effectively. There arises questions –

  1. Should these focus areas arise from risks identified while tracing them back to processes?
  2. Or should the enterprise goals be cascaded forth to processes and identify the focus areas?

It is ideal to amalgamate the best practices of risk identification with goals cascade, to identify the scope of risk management focus areas, within an enterprise.

1) The challenges or pain points from data management group and Data Governance divisions can be used as high level triggers to understand the scope & high priority focus areas that the data risk management function should focus on.

a) The Data Owners can have challenges in adopting responsibilities of data quality, data privacy & security services for Data that they own. This can be used a trigger to understand the focus areas in Governance processes that deal with assignment, communication & enforcement of responsibilities in a Governance structure.

2) There should be an enterprise goals cascade from Data Management and Governance goals to enablers or processes. This can be done using COBIT methodology. Based on the traceability achieved with this cascade from goals to management & governance activities, the scope should be defined for effective data risk management.

a) If reputational risk management or increase in customer satisfaction or Net Promoter score is an objective for the organization, the same needs to be traced to COBIT Generic Goals, cascaded to IT goals and then to processes. The processes thus arising from the goals cascade would be the focus areas for data risk management.

3) Risks are identified annually or bi-annually along with their rational and risk ratings, derived from probability of occurrence and impact to commercial success of business. This would be based on the organization defined risk identification principles. Then, based on assessment of controls; the control gaps are identified, the processes that need to be focused on will be in scope for data risk management.

a) There can be a risk of not being able to come up with holistic Data Quality rules which include context based business rules, data integrity rules, notification, threshold and transformation rules, at the right project phase, by the right stakeholders, using right technology, process and business capabilities. This results in significant strategic and operational risk thus impacting customer satisfaction. The focus areas here would be the process “Data Quality assessment” and activity “Eliciting Data Quality rules for profile”.

* Below is the approach for goals cascade using COBIT methodology leveraged in aspect-2 above.

Step 1. Stakeholder Drivers Influence Stakeholder Needs. Stakeholder needs are influenced by strategic changes, business model changes, regulatory environment changes and advancements in technologies to quote a few.

Step 2. Stakeholder Needs Cascade to Enterprise Goals. Stakeholder needs can be associated with enterprise goals. COBIT integrates the generic, yet holistic enterprise goals within the balanced scorecard. These generic goals can be traced to the enterprise specific goals and is considered an important step to start with.

Step 3. Enterprise Goals Cascade to IT Related Goals. The enterprise goals are traced forth to IT-related goals. Even, the IT related goals are arranged within dimensions of the balanced scorecard.

Step 4. IT-related Goals Cascade to Enabler Goals. To achieve IT-related goals, a number of enablers, be it business, process or technology must be incorporated into the operating models of Data Governance dimensions.

A successful scoping exercise would assist the data risk management division in understanding the focus areas that the organization and function needs to narrow its efforts on, to positively impact the enterprise goals.

We use technologies such as cookies to understand how you use our site and to provide a better user experience. This includes personalizing content, using analytics and improving site operations. We may share your information about your use of our site with third parties in accordance with our Privacy Policy. You can change your cookie settings as described here at any time, but parts of our site may not function correctly without them. By continuing to use our site, you agree that we can save cookies on your device, unless you have disabled cookies.
I Accept