Data risk: Are you in appetite yet?

We all know that you can’t run a financial services organisation without data. But how many of us really understand the data dependencies across our business? Are we confident our data risks are being managed within appetite? And are we using this insight to prepare for disruption, cut through complexity and create real business value?

Over the next four weeks, this new series of blogs will explore the actions financial services organisations are taking to be ‘match fit’ for a rapidly evolving data risk landscape that is influenced by emerging technology, increased transparency, elevated expectations, and stakeholder scrutiny. It will explore the questions you need to ask to make sure you’re getting the foundations right and get in front of the latent data problems in your business that cannot be ignored in this changing environment. It will also show how leading organisations are starting to realise business value from this investment.

Knowing what must go right with data

Data risk is an operational risk. In simple terms, operational risk is the risk of doing business. It follows then that managing data risk is needed to do business well. This means that to successfully deliver products and services to customers and meet obligations to stakeholders, there are certain things that must go right with data as it moves through the people, processes, models, and systems and technology platforms in your value chain, and to be prepared for and protect it from unexpected external events. This includes:

1. Right data: Do you have (only) the data you need? Do you know where your data is sourced from? Is it accurate, complete, and consistent? Do you invest in fixes for workarounds and shortcuts to manage data that is not fit-for-purpose, such as those for proxies and manual adjustments?
2. Right place: Is your data available and connected across multiple systems and technology platforms? Is data shared across teams, including data created in spreadsheets and other End-User Computing (EUC)? 
3. Right time: Is your data up-to-date and can you access it when it’s needed? 
4. Right use: Is the right data being used ethically and for the right purpose? Is it protected from unintended or unauthorised access and use? Do all the relevant people understand the gaps or limitations that may be present in the data to inform their decision-making? 
5. Right outcome: Have you achieved the business outcome that is needed? Are your business and technology decision-making processes for data effective, aligned and focused on what matters?

Getting these five things right can have a big impact on the resilience of the data ecosystem across your business. It can save time and money, improve decisions, support technology platform stability, eliminate data debt, enable digitisation of your business using emerging technologies such as Artificial Intelligence (AI), build trust with stakeholders and help to avoid regulatory scrutiny or sanction.

Focus on what matters to the business

Having visibility of your data risks – that is, the things which must go right with data – and your responses to avoid, prepare for and manage it will help you to make timely decisions on the impacts for your business, customers, and other stakeholders. 

Our recent experience in the market has highlighted situations where boards and senior management may not have clear line of sight into data risk exposures, or the effectiveness of the framework for managing it. This sentiment has been echoed by local and global regulators who have been active in clarifying expectations for operational risk management broadly. This has been demonstrated through published standards such as APRA’s CPS 230 Operational Risk Management, and supervision activity such as APRA’s thematic review on data risk management practices and its independent tripartite CPS 234 Information Security assessment. 

Whilst not new, what has emerged is a clearer requirement for a comprehensive assessment of the operational risk profile for all risk types – including data risk – across the end-to-end processes for all critical business operations.

But why is it so hard? In our experience, the root cause is often a combination of a siloed and tactical approach to data risk management, and poorly defined and embedded accountabilities for operational risk and data management across the ‘three lines of defence’. As a result, common challenges include:

• Inaccurate and/or incomplete views of the data risk profile at individual business line and overall organisational levels, and an inability to connect technical and business views of data risks. This can prevent an end-to-end view of everything that needs to go right for data across the value chain and an inability to surface data risks and issues to all the relevant stakeholders.
• Lack of consideration of data risk in key business and strategic change processes (e.g., new product approval, technology architecture reviews, etc), so that data risks are identified, managed, and monitored from the outset.
• Lack of alignment between framework elements (e.g., data issue management not informing decisions impacting the data control environment) and silos across data-related risks (e.g., data risk, technology risk and cyber risk). Recent high profile cyber incidents and breaches have demonstrated that an integrated approach is needed to understand the overall impacts of data-related risks on an organisation’s operational risk profile and resilience.

Supporting the change required for your data journey

In our experience, organisations that have taken structured and measured steps to understand, assess and respond to data risks across the business and bring this information together as part of a comprehensive operational risk profile are better able to navigate the organisational change needed to prepare for disruption, cut through complexity and create real business value with data.

These steps may include:

1. Frame the landscape: Do you understand the components across your value chain that need to be aligned for the right data to be in the right place at the right time to enable the right use and deliver the right outcome?  These components include the data that is critical to your business processes, and the systems and technology platforms, models, end-user computing applications and suppliers that is needed to deliver it.  Identifying these components, including the relationships and any dependencies between them can provide a reliable and consistent basis for assessing and reporting on your data risk profile, especially if the information about them is captured in the one place (for example, your Governance, Risk and Compliance (GRC) system). 
2. Define what matters: How much data risk can you accept to deliver the right outcome? The upsides and downsides of data risk are well known however, knowing where to set the red line can be challenging. A data risk appetite with clear limits at both a group and business unit level makes this line clearer and informs business decisions on what is or is not acceptable in your approach to data. 
3. Understand your level of data risk: What needs to go right with data to achieve your business outcomes? Identifying and assessing your data risks, in terms of their impact and likelihood, enables you to understand where you are relative to your data risk appetite or if you are meeting your legal and compliance obligations. 
4. Implement risk responses: How will you know that everything is going right with your data? Accepting, reducing, sharing, or avoiding data risks in line with data risk appetite is key to a sustainable data risk approach. This is where an effective data control environment fits in. Having a data risk appetite and clarity on the business outcomes required allows you to determine, and then optimise, your data control environment to be right-sized, effective, and efficient. To use a racing car analogy, using the brakes more effectively can help you go faster and achieve more efficient, safer results in the end.
5. Monitor, adjust, monitor: Where are you exposed or outside of your data risk appetite? Where are the opportunities to change your risk response? How will you and the Board know where you stand? This is the time to use your data risk profile to assess, calibrate and challenge your approach. The consequences of new or emerging data risks, such as those arising from Generative AI, identified in business and strategic change processes need to be considered. Similarly, the results of assurance activity and scenario analysis can be used to consider how data-related risks (e.g., cyber risks) may have implications for your readiness and the speed with which data risks may take hold.
6. Measure and track value: What does your data risk profile tell you about the health of your business? Where are the opportunities to enhance your operations to reduce risk or realise value? A feedback loop back to strategic and business decision processes establishes the information flow needed to inform investment decisions that can improve the data control environment (e.g., process simplification, control automation, assurance automation etc). 

Key questions for your organisation

• Do you know what needs to go right with your data to achieve your business outcomes? Have you clearly explained why managing data risk is needed to do business well?
• How do you know whether your data risks are within appetite?
• Is your data management, operational risk and regulatory change spend resulting in a deeper understanding of your organisation and driving commercial outcomes?

Co-Author: Anthony Ung