Data risk: Is the genie out of the bottle?

In our previous article, we looked at why organisations that consider data risk as part of a comprehensive operational risk profile can cut through complexity and drive the business change needed to prepare for disruption and create real business value with data.  But once the ‘data risk genie’ is out of the bottle, what do you do about it? Who’s accountable? And how can you use it as an opportunity to simplify and automate your data control environment?
 

Defining roles and accountabilities for data, technology and risk sets you up for action

With both the Financial Accountability Regime (FAR) and CPS 230 Operational Risk Management (CPS 230) coming into play, in addition to CPS 234 Information Security (CPS 234), the pressure to demonstrate that roles and accountabilities for data, technology, cyber-security and risk are defined, understood, and embedded is ramping up. 

However, the reality across many organisations today is that the landscape of data-related roles and accountabilities is complicated. Many roles across the C-suite will have data accountabilities. They will also have accountabilities for operational risk management. But it may not be clear how these sets of accountabilities, and those for technology and cyber-security, are aligned so that data risk is managed effectively. And as innovation, stakeholder expectations and market events have rapidly shaped the data eco-system, it’s possible there may be accountability gaps or conflicts. 

At the operational level, the number of data ‘roles’ has grown as organisations have mobilised and re-shaped their enterprise data initiatives. This includes Data Owners, Data Stewards and Data Custodians amongst many other roles which have data-related responsibilities. Common challenges here include misalignment with executive accountabilities, an unclear operating model across the ‘three lines of defence’ and lack of organisational willpower to embed and enable it, which in turn contributes to an inability to appropriately manage or respond to data risks, including the things that must go right with data. 

What does good look like?

Leading organisations are embracing the transition to FAR and CPS 230 as an opportunity to align the accountability landscape across data, technology, cyber-security, and risk. This includes:

• Taking stock of data-related senior management accountabilities and the cascade to operational roles and responsibilities. For example, do you have a complete view of data-related accountabilities? Is it clear how they are cascaded into operational roles and responsibilities? Are there inconsistencies across the ‘three lines of defence’?
• Taking the steps needed to re-align the accountability landscape to address the gaps and opportunities identified. For example, by updating data-related policies and standards as noted below.
• For Executives with data-related and risk accountabilities, understanding how obligations under FAR can be discharged and the penalties for failure to do so.

Aligning the ‘rulebook’ for data with technology and risk enables a coordinated implementation approach

As data innovation, stakeholder expectations and market events continue to shape the data ecosystem, the ‘rulebook’ for data may not have kept pace with the change across many organisations. As a result, policies and standards may not be clear on the minimum expectations for managing and building trust in data to deliver on the business strategy or meet legal and regulatory obligations. There may also be gaps and conflicts with data-related expectations in technology and risk policies and standards. And there may not have been consideration of the alignment across these requirements which can have consequences for the practical implications of making it all work together effectively. Whilst many organisations will have established at least foundational data management policies, these are often siloed.

What does good look like?

Leading organisations have recognised that a cross-organisation approach is needed to get their data ecosystem working effectively and efficiently. A clear 'rulebook’ for data, implemented through policies and standards, is an important piece of this puzzle. This includes:

• Identifying the touchpoints across the organisation to build out a coordinated and aligned ‘rulebook’ for data. How aligned are requirements for data, technology, and operational risk and control? Is there a clear handshake with related disciplines such as information security and privacy?
• Refreshing data policies and standards so that they support implementation of business strategy and compliance with legal and regulatory obligations in a coordinated way. Do they describe the core principles and minimum requirements that address how data is acquired, managed, maintained, and delivered in normal times and in periods of disruption? Do they set out the rationale to ensure that data is trusted and managed? Are they practical?
• Considering the implications for business, data, and technology architecture. Do they exist in your organisation? Are they aligned and do they support the intended business outcomes?

Optimising the data control environment leads to more effective monitoring and oversight

Whilst data risk investment in recent years has been focused on understanding and evaluating the data control environment and establishing foundational data management capabilities, a substantial optimisation opportunity remains on the table for the industry. 

For some organisations, the recent wave of investment has resulted in a deeper understanding of the data control environment without the clarity around whether it addresses data risks to an acceptable level. With heightened expectations around monitoring and oversight in CPS 230 and FAR, this makes it challenging to focus on the risks, issues, and hot spots that matter. The next wave may need an optimisation focus to simplify, standardise, eliminate, or automate data controls and to digitise assurance. Aside from the potential for ‘cost out’ and scalability benefits, optimising the data control environment helps those with data-related accountabilities to be confident data risks are being managed effectively.

Data issue and incident management has also been a focus across the industry, in part because the work over recent years has identified lists of data vulnerabilities that now need attention. Data issues and incidents also have the potential to be a ‘lag indicator’ of the soundness of the data control environment and are a valuable source of input for continuous improvement. However, existing data issue and incident management processes are often separate to those processes set-up for issue and incident management under the operational risk framework. This can mean insufficient transparency of data issues and incidents, and ineffective oversight of the action (and funding) needed to address them.

What does good look like?

Organisations are re-evaluating how technology, analytics and AI can help to optimise the data control environment and improve the monitoring and oversight approach for senior management and the Board. This includes: 

• Resetting the approach to data issue management so that processes support consistent, accurate and timely identification and management of data issues in line with operational risk minimum standards.
• Validating appropriate cross-organisational stakeholder involvement and escalation pathways are in place for data risks and issues.
• Developing an optimisation strategy for the data control environment and running pilots to simplify, standardise, eliminate, or automate controls and digitise control assurance.

Key questions for your organisation

• What are the role and accountability gaps and conflicts across your data ecosystem? Are data-related accountabilities and responsibilities consistently operationalised across policies and standards for data, technology, and operational risk?
• When was your organisation’s ‘rulebook’ for data last refreshed? How does it support coordination across data, technology, and risk?
• What are you doing to optimise your data control environment?