In our previous article, we looked at why organisations that consider data risk as part of a comprehensive operational risk profile can cut through complexity and drive the business change needed to prepare for disruption and create real business value with data. But once the ‘data risk genie’ is out of the bottle, what do you do about it? Who’s accountable? And how can you use it as an opportunity to simplify and automate your data control environment?
Defining roles and accountabilities for data, technology and risk sets you up for action
With both the Financial Accountability Regime (FAR) and CPS 230 Operational Risk Management (CPS 230) coming into play, in addition to CPS 234 Information Security (CPS 234), the pressure to demonstrate that roles and accountabilities for data, technology, cyber-security and risk are defined, understood, and embedded is ramping up.
However, the reality across many organisations today is that the landscape of data-related roles and accountabilities is complicated. Many roles across the C-suite will have data accountabilities. They will also have accountabilities for operational risk management. But it may not be clear how these sets of accountabilities, and those for technology and cyber-security, are aligned so that data risk is managed effectively. And as innovation, stakeholder expectations and market events have rapidly shaped the data eco-system, there may be accountability gaps or conflicts.
At the operational level, the number of data ‘roles’ has grown as organisations have mobilised and re-shaped their enterprise data initiatives. This includes Data Owners, Data Stewards and Data Custodians amongst many other roles which have data-related responsibilities. Common challenges here include misalignment with executive accountabilities, an unclear operating model across the ‘three lines of defence’ and lack of organisational willpower to embed and enable it, which in turn contributes to an inability to appropriately manage or respond to data risks, including the things that must go right with data.
What does good look like?
Leading organisations are embracing the transition to FAR and CPS 230 as an opportunity to align the accountability landscape across data, technology, cyber-security, and risk. This includes:
Aligning the ‘rulebook’ for data with technology and risk enables a coordinated implementation approach
As data innovation, stakeholder expectations and market events continue to shape the data ecosystem, the ‘rulebook’ for data may not have kept pace with the change across many organisations. As a result, policies and standards may not be clear on the minimum expectations for managing and building trust in data to deliver on the business strategy or meet legal and regulatory obligations. There may also be gaps and conflicts with data-related expectations in technology and risk policies and standards. And the alignment across these requirements may not have been considered at all, which has practical consequences when trying to make them work together effectively. Whilst many organisations will have established at least foundational data management policies, these are often siloed.
What does good look like?
Leading organisations have recognised that a cross-organisation approach is needed to get their data ecosystem working effectively and efficiently. A clear ‘rulebook’ for data, implemented through policies and standards, is an important piece of this puzzle. This includes:
Optimising the data control environment leads to more effective monitoring and oversight
Whilst data risk investment in recent years has been focused on understanding and evaluating the data control environment and establishing foundational data management capabilities, a substantial optimisation opportunity remains on the table for the industry.
For some organisations, the recent wave of investment has resulted in a deeper understanding of the data control environment without the clarity around whether it addresses data risks to an acceptable level. With heightened expectations around monitoring and oversight in CPS 230 and FAR, this makes it challenging to focus on the risks, issues, and hot spots that matter. The next wave may need an optimisation focus to simplify, standardise, eliminate, or automate data controls and to digitise assurance. Aside from the potential for ‘cost out’ and scalability benefits, optimising the data control environment helps those with data-related accountabilities to be confident data risks are being managed effectively.
Data issue and incident management has also been a focus across the industry, in part because the work over recent years has identified lists of data vulnerabilities that now need attention. Data issues and incidents also have the potential to be a ‘lag indicator’ of the soundness of the data control environment and are a valuable source of input for continuous improvement. However, existing data issue and incident management processes are often separate from the processes set up for issue and incident management under the operational risk framework. This can mean insufficient transparency of data issues and incidents, and ineffective oversight of the action (and funding) needed to address them.
What does good look like?
Organisations are re-evaluating how technology, analytics and AI can help to optimise the data control environment and improve the monitoring and oversight approach for senior management and the Board. This includes:
Key questions for your organisation