data risk

How Data Governance is Essential to Managing Data Risk

By Chris Ajiri

The usage of data and our reliance on it continues to grow at unprecedented levels. Data’s value proposition has never been stronger with its connection to informed business decision-making widely recognized in almost every business unit.

Like financial instruments and other corporate assets, data-driven organizations have come to realize that data is more than just data — it’s an asset when leveraged appropriately, and it can be used for competitive advantage to help a business grow and sustain that growth.

Unfortunately, as your organization’s data ecosystem becomes more complex and you rely on data for day-to-day decision-making, your exposure to risk grows.

Risks Inherent with Your Data

Data risk can be consequential from a regulatory perspective, as well. In the financial services industry — the banking sector, in particular — organizations are subject to regulations, such as the Basel Committee on Banking Supervision, to ensure that risk management activities are incorporated in the development of models used in critical business decisions.

Another risk area is consumers’ growing awareness of privacy and the use of their data, which led to the enactment of laws that forced compliance, such as the European Union’s General Data Protection Regulation and the California Consumer Privacy Act.

Governance and Enterprise Risk Management

So, how does your organization best position itself to use data as an asset and, at the same time, meld data-driven business practices with regulatory and compliance requirements?

Establish a strong data governance program that aligns with the goals and objectives of your organization’s enterprise risk management function.

As I mentioned earlier (and it bears repeating), data is an enterprise asset and should be treated like one. Just as you would protect your business’ financial assets, a strong governance function is needed to establish guardrails to manage your data assets and mitigate risk exposure when data is mismanaged.

Data Quality Implications

The quality and availability of your organization’s data impact your business risk, too. The sense that data quality is “bad” is often caused by incomplete or inaccurate data, inconsistent definitions used throughout your business, data that’s not available when people need it and multiple sources with no “single source of truth” to define and share data that is considered “good.”

Data deficiencies can lead to bad decisions and missed business opportunities to grow and maintain your business’ competitive advantage. To address these issues, you’ll want to develop and implement processes that identify data-related risks and establish controls to mitigate the risk exposure around data.

Managing Data Risk with Guidelines and Controls

The first step in the process is to identify inherent data risk — risk that occurs in the absence of controls or when there are no mitigations strategies in place. When you identify data-related risks and understand their full impact, you arm yourself with information that helps you develop the best plans to reduce risk exposure.

Your next step is to establish standards and policies that provide a set of guidelines and an enterprise-wide approach to address the risks you identify. By establishing these policies, you develop and execute on data controls. The design of the controls needs to align with the underlying risk areas, and the execution of the controls serves as a litmus test in validating that risk was mitigated.

So, what do I mean by data controls? Data controls are processes designed and executed on a frequent cadence to ensure the data your organization consumes is fit for purpose; here are three controls.

Detective control is a control that finds issues within the data. An example of this is data profiling. During profiling, you can detect data that is not conforming to requirements, such as data length, format, type and completeness.

Corrective control is a control that addresses data issues. An example of this can be seen in updating the data through a change request, and the changes can be implemented through the batch process.

Preventive control is a one that keeps bad data from getting into your data environment. This control is undoubtedly the strongest you can implement. An example of this is implementing data rules in the extract, transform, load (ETL) process to prevent data from entering another system if the data doesn’t adhere to established quality, classification or protection rules. Another example of a preventive control is establishing rules in the GUI (graphical user interface) of applications, where users are restricted from entering data in a field that could be duplicative or doesn’t adhere to a standard and must correct the entry before moving forward with their transaction.

Monitoring Data Controls

The last step in managing data risk is continuous monitoring and reporting on the effectiveness of the established controls and periodically reviewing them to ensure they’re effective.

When you have a strong data governance program in place, it supports the efforts of your organization’s risk management. The governance structure stands up the foundational guardrails for a successful data management program that empowers your entire business and can help enforce accountability for implementation of and monitoring of data controls. An internal audit organization can also be a great partner to provide a “third party” review and verification that controls are in place and followed.

Data governance supports enterprise risk management activities by identifying risks, developing policies and controls, executing those controls and having a framework in place for ongoing monitoring.

Methodology for Data Risk Mitigation

There are other data-related risks to consider, and they can be best viewed through the familiar people, process, technology and data methodology.

People risk. If your organization can’t draw upon, retain or develop the right human capital to achieve its goals and objectives, that’s a business risk. This type of risk increased recently with the global labor shortage, which is forcing employers to find new ways to procure and maintain talent. When organizations lose tribal and institutional knowledge about their data assets, the workforce disruption can impact the integrity, availability and understanding of business data.

Process risk. When processes aren’t properly designed or implemented, they can cause breakdowns in operations, unnecessary rework and myriad inefficiencies that cascade across a business. One area of data-related process risk is third-party data and data-sharing agreements when procuring data to augment your data capabilities. Without robust processes in place to govern the terms of use for procured data, you run the risk of exposing your organization to intellectual property, privacy and confidentiality disputes, as well as legal risk.

Data risk. The risk of inaccurate data is a harsh reality many organizations have come to realize. By not having accurate data, insights generated from the data can’t be trusted and information isn’t fit for the intended purpose.

Another data risk area to be mindful of is the security and confidentiality of your data, where key considerations to minimize risk should include:

  • Data integrity. When data isn’t accurate or complete or consistent across systems, it leads to a lack of confidence and mistrust of the data. By implementing controls to address data integrity, you minimize the risks of bad data and enrich the data to be fit for purpose.

  • Data availability. When data isn’t available at the right time and place by those who need it, it can cause operational risk, hampering people’s ability to do their job or to make crucial decisions.

  • Data change. When unauthorized changes are made to the data in key decision-making datasets, it may lead to operational risk and the organization’s ability to reach its goals and objectives.

  • Data security and confidentiality. When data isn’t secure and can be accessed by unauthorized users, the resulting data breaches and leaks can impact your business on several fronts, causing financial, regulatory and reputational damage.

Technology risk. The inability to develop, design, configure, maintain and secure your system architecture and infrastructure leads to inefficiencies and gaps detrimental to your data management aspirations.

One technology risk to call out is the risk around system configurations within the IT environment. Most of the data breaches reported by the news media stem from negligence in configuring a business system. One of the most recent data breaches at SolarWinds impacted 18 government agencies because of improper password configurations in database servers.

Connecting the Dots Between Governance and Risk

Relying on data for business decision-making and treating it as a corporate asset is still in the infancy stages. Data’s value will continue to grow and become a focal point as more organizations use data for informed decision-making and competitive strength and to remain in regulators’ good graces.

Managing and mitigating data-related risk is critical for business growth and sustainability. The better you manage data integrity, the more efficiently you can run operations and maintain stakeholder trust. The best way to achieve these goals is with a strong data governance function that recognizes the risks posed to your organization and includes mitigation strategies to minimize risk exposure.

Good data means good data governance, and good data governance means good risk management.