Managing and mitigating data risk is rapidly becoming a key area of focus, with many organisations investing in this area or starting to think about how they can uplift their approach to data risk.
Organisations are exposed to data risks across many business services and operational activities, and data risks often cut through traditional functional boundaries. Substantial collaboration across the lines of defence is required to effectively control and mitigate data risk. Designing and implementing data management capabilities has been at the forefront of CDO priorities for the past decade. We are now seeing organisations building on these capabilities as they develop their approaches to managing data risk.
This blog outlines the challenges associated with data risk and provides insights into the actions organisations can take to manage it better.
What do we mean by data risk management and what are the consequences of not managing this correctly?
Data risk management refers to the activities that identify, assess and mitigate risks associated with data throughout its lifecycle: from collection, through storage and retention, usage and transfer, to disposal.
Poor management of data risk can result in significant financial losses due to penalties or fines from regulators. In addition to this, failure to manage data risk can result in disruption to business operations, negatively impact business decision making and lead to reputational damage.
What are common challenges around managing data risk?
Managing data risk can be difficult and data risk exposure is often understated. Common challenges faced by organisations include:
- Inability to clearly report on the overall data risk profile, as data is spread across a complex landscape of systems, business processes and organisational units
- Absence of a data risk appetite statement, or where this is in place, an ineffective governance process for risk appetite breaches, including timely escalation and reporting
- Lack of a comprehensive set of data controls, and inconsistent implementation across the data supply chain, because no standardised control framework exists across the organisation
- Risk taxonomies that do not comprehensively account for data risks relating to data integrity, accuracy, privacy, retention, confidentiality and unauthorised access
What should an organisation be thinking about to better manage data risk?
1. Enhance the risk taxonomy to consider data risks
Risk taxonomies are typically used to define key areas of risk. They enable the organisation to conduct a comprehensive assessment of risk across the business and act as a framework to develop policies, controls and standards. Organisations should consider if their existing risk taxonomy has comprehensive coverage of data risk and update it if necessary.
A common approach to structuring and categorising risk taxonomies is to use a hierarchical approach. Many organisations assign owners for each top-level risk type within their taxonomy to support the setting of accountabilities and risk reporting. For example:
- Level 1: Operational Risk
- Level 2: Data Risk
- Level 3: Data Quality, Data Integrity, Data Privacy, Data Confidentiality and Data Retention
2. Establish the appetite for data risk
Organisations should define a data risk appetite statement, which is a broad description of the level of data-related risk they are willing to accept to achieve their business objectives. They should also derive a set of quantitative metrics for data risk appetite which measure the ‘design effectiveness’ and ‘operational effectiveness’ of controls across the data lifecycle.
Design effectiveness metrics demonstrate the extent of control over the data landscape (e.g. coverage across business processes, geographies, applications etc.). An example metric is ‘% of important business processes with data assets identified and mapped’.
Operational effectiveness metrics demonstrate the extent to which the data is fit for purpose. Example metrics include data quality rules scores and data issue remediation reporting.
3. Develop a data control library
Once data risks have been identified across the data lifecycle, data controls should be identified and implemented to effectively mitigate these risks.
Organisations should consider a broad range of data controls across the following categories:
- Preventative – those that deter or prevent an incident occurring.
An example of a preventative data control to support data quality is the implementation of data input validation rules that prevent invalid data from being entered into a system.
- Detective – those that identify control failures after they have occurred.
An example of a detective data control to support data quality is the execution of data quality rule measurement to identify breaches of acceptability thresholds.
- Corrective – those that rectify existing failures.
An example of a corrective control to support data quality is the execution of data cleansing rules to transform data in order to comply with a defined consumption standard.
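The three control categories above, and the data quality rule scores used as operational effectiveness metrics in section 2, are easier to reason about with a concrete control library. The following Python block is an added example, not code from the original post: it defines a handful of data quality rules, applies them as a preventative control at the point of input, runs them as a detective control over a stored dataset and reports threshold breaches, and then applies a corrective cleansing pass. The record layout, rule names, acceptability thresholds and the dd/mm/yyyy legacy date format are assumptions made for the illustration; the sample records are constructed.

```python
"""Added example (not from the original post): a minimal data-control library
showing preventative, detective and corrective controls applied to a
data-quality risk. Records, rule names and thresholds are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Callable

# Deliberately simple well-formedness check; not a full RFC 5322 validator.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _is_iso_date(value: object) -> bool:
    """True if value is a string holding a valid ISO 8601 calendar date."""
    if not isinstance(value, str):
        return False
    try:
        date.fromisoformat(value)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class Rule:
    name: str
    check: Callable[[dict], bool]
    threshold: float  # minimum acceptable pass rate (assumed appetite setting)


# The control library itself. Thresholds are assumed risk-appetite values.
RULES = [
    Rule("email_well_formed",
         lambda r: isinstance(r.get("email"), str) and EMAIL_RE.match(r["email"]) is not None,
         0.99),
    Rule("dob_is_iso_date", lambda r: _is_iso_date(r.get("dob")), 0.99),
    Rule("customer_id_present", lambda r: bool(r.get("customer_id")), 1.0),
]

# Constructed sample data: a mix of clean, fixable and unfixable records.
SAMPLE_RECORDS = [
    {"customer_id": "C001", "email": "Alice@Example.com ", "dob": "1985-03-12"},
    {"customer_id": "C002", "email": "bob@example.com", "dob": "12/07/1990"},
    {"customer_id": "", "email": "carol@example.com", "dob": "1978-11-30"},
    {"customer_id": "C004", "email": "not-an-email", "dob": "2001-01-05"},
    {"customer_id": "C005", "email": "eve@example.com", "dob": "1995-02-30"},
]


def validate_on_entry(record: dict) -> list[str]:
    """Preventative control, run at the point of input. Returns the names of the
    rules the record fails; the caller rejects the record if the list is non-empty."""
    return [rule.name for rule in RULES if not rule.check(record)]


def measure(records: list[dict]) -> dict[str, dict]:
    """Detective control: score every rule over a stored dataset and flag breaches
    of the acceptability threshold. The failing record indices feed remediation."""
    report = {}
    for rule in RULES:
        failures = [i for i, r in enumerate(records) if not rule.check(r)]
        pass_rate = (len(records) - len(failures)) / len(records) if records else 1.0
        report[rule.name] = {
            "pass_rate": pass_rate,
            "breached": pass_rate < rule.threshold,
            "failures": failures,
        }
    return report


def cleanse(record: dict) -> dict:
    """Corrective control: transform a record towards the consumption standard
    (trimmed, lower-case email; ISO 8601 date of birth). Values that cannot be
    transformed safely are left untouched so they surface in the next measurement
    instead of being silently 'fixed'."""
    out = dict(record)
    if isinstance(out.get("email"), str):
        out["email"] = out["email"].strip().lower()
    dob = out.get("dob")
    if isinstance(dob, str) and not _is_iso_date(dob):
        try:
            # Assumed legacy source format: dd/mm/yyyy.
            out["dob"] = datetime.strptime(dob, "%d/%m/%Y").date().isoformat()
        except ValueError:
            pass  # unparseable; leave for manual remediation
    return out


if __name__ == "__main__":
    before = measure(SAMPLE_RECORDS)
    after = measure([cleanse(r) for r in SAMPLE_RECORDS])
    for name in before:
        print(f"{name}: {before[name]['pass_rate']:.0%} -> {after[name]['pass_rate']:.0%}"
              f" (breached={after[name]['breached']}, remaining={after[name]['failures']})")
```

Running the block shows why all three categories are needed: cleansing raises every rule's pass rate, but the missing customer ID, the malformed email address and the impossible date cannot be corrected mechanically, so each rule still breaches its threshold and the remaining failing records have to go through issue remediation rather than being reported as resolved.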
What themes are emerging as organisations learn how to tackle data risks?
- The importance of data governance and management capabilities to minimise risk exposure
Establishing a strong data governance layer typically supports an organisation’s risk management objectives, enforcing accountability for the implementation and monitoring of data controls, and providing a path for escalation of data risks and issues.
- Effective data risk management can help unlock value from data as an asset
Organisations are changing the way in which they approach data risk as they become data driven, in order to strike a balance between control and exploitation of data. Previously, some organisations failed to fully capitalise on large and insightful data repositories (e.g. to inform product development and strategic business decisions) because of self-imposed constraints resulting from an unsophisticated approach to managing data risk.
- Increased adoption of artificial intelligence (AI) exposes organisations to new risks
AI model input, output and training data are a key consideration for data risk management activity. The data used to feed models can amplify hidden assumptions and biases. As a result, poorly designed or monitored AI data, applications and models can lead to compliance violations and reputational damage. There can also be significant risk of disruption to the organisation’s operations from unintended machine-made decisions or actions.
References: AI and risk management (deloitte.com) | How to spot unintended biases in machine learning, Michelle Lee (deloitte.com)