The need for organizations to establish a data risk strategy
It is a well-known but often forgotten fact that risk and value are two sides of the same coin. In most organizations, technology risk management can be at a nascent stage of maturity, while data risk management within the same function can stand a notch higher. The reasons for this are many.
Multiple drivers are pushing organizations to establish data risk functions:
- Compliance with internal policies for service excellence.
- Regulatory demands to have accurate and complete data.
- Enforcing data governance to enable corporate governance.
- Enabling a benefits-driven and risk-aware culture through risk management.
Analyzing the organizational goals
Each year, a typical organization publishes its goals along with a road map for achieving them. Careful consideration should be given to the strategic risks that need to be factored in with the new data capabilities enforced by the organizational strategy. Equal emphasis should be placed on the risks that could prevent the organization from achieving its strategic goals.
Let us assume an organization is publishing its goals for this financial year. Let us also assume that service excellence and corporate governance along with compliance with regulations are a priority. The goals need to be cascaded to the technology risk function within the firm for the function to develop and align its objectives to the organization's strategic goals.
While establishing the division's strategy, a capability analysis should be performed on the existing capabilities to show their maturity. As the future state of the data risk management function/division is evaluated, gaps will be identified, and these might require the creation or improvement of organizational structure, data, people, process and technology capabilities.
In this case, the organization is realizing the need to set up a data risk function that guarantees enforcement of data-related policy. This, in turn, requires a deep dive into the capabilities of the organization, along with their maturity level, gaps and risks. Capability-based planning is a technique that can be used to perform this capability assessment.
Most organizations have yet to identify the correlation between data governance and corporate governance. To realize corporate governance as a goal, the reach of the data governance function cannot be limited, and it might require further integrating the management of data risks into the culture and grassroots of the organization. A risk-aware culture, driven by data governance, assists in achieving corporate governance.
It is worth noting here the fundamental differences between data governance and corporate governance:
Data Governance emphasizes that the organization formalize data management best practices by enforcing ownership and accountability for data and its related management.
Corporate Governance is about guaranteeing that the data policy, which ensures governance of data and its related assets, is enforced. Corporate governance also ensures that data is led, empowered and assessed in managing data-related risks.
Most organizations will see a need to define and improve their organizational functions and structure to guarantee enforcement of data policy. The priorities of the existing technology risk function might stress the need to have data risk governance implemented by increasing its reach through change management (data-related projects, programs or ad hoc changes) in the firm.
The focus should be on analyzing the strategic direction of the data risk function. As organizational goals such as service excellence are cascaded to the data risk function, organizations should weigh the benefits, outcomes and required capabilities against the challenges, risks and disruptors. This might in fact necessitate an objective of identifying data that is of high value and risk to the organization's critical processes.