‘Risk is everyone’s business’ – gone are the days when risk management used to be a siloed function often operating in reactive mode. Be it raising red flags post compliance audits or actions taken after occurrence of breach incidents; risk was always seen playing catch-up game! This strategy never served businesses well and thus led them to realize the importance of incorporating risk-based thinking in both strategy building as well as tactical decision making.
While risk can never be eliminated completely, yet, being proactive in identifying potential future risks helps businesses mitigate, avoid and even transfer some of their risks. Such holistic approach in incorporating risk management in every business function is commonly known in business world as Enterprise Risk Management (ERM). Introduction of internationally accepted standards namely ISO 9001/27001/31000 further helped firms in adopting a systematic & formalized approach towards implementing the ERM framework.
One branch of Enterprise Risk Management that has been expanding and gaining traction recently is Data Risk Management. Various industries have adopted standards that aim at minimizing risks associated with data.
Banking being the second most regulated industry (after healthcare) officially received its first guideline on data governance in 2013 with the issuance of Data Governance Principles covered in circular BCBS 239, issued by Basel Committee on Banking Supervision (BCBS) – the agency responsible for setting banking regulation standards further adopted by country supervisors.
The Australian Prudential Regulation Authority (APRA) that supervises authorized deposit-taking institutes (ADIs/Banks) also introduced in the same year, guidelines for banks on managing data risk by implementing an overarching data management framework. The purpose of Data Risk Management Framework boils down to getting rid of the fragmented & ad-hoc approach towards managing data & the risks associated with it.
Data management certainly isn’t new to the banks. Efforts within banks, although fragmented, have been underway for well over a decade to:
create metadata repository, data dictionary/catalogs;
implement data controls & security measures;
improve data quality to enhance value of data and so on.
But such actions were often found to be restricted & specific to individual business units. Businesses hardly ever owned data management and looked down on it as the responsibility of technology department. Data management undertaken in such manner was good in optimizing data usage, storage and archival but fell well short of sufficiently mitigating the data risks.
The missing bit in such efforts was the lack of strategic thinking towards managing data in a way that not only benefits business but also brings down the risks to data.
Therefore, APRA recommended implementation of strategy-based enterprise data risk management framework that helps ADIs break-down Chinese walls among departments dealing with data during its various lifecycle stages: origination, transformation, storage, utilization, archival & safe disposal.
As per APRA, an effective data risk management framework begins with clearly defining the data strategy and every action taken henceforth must align with the adopted strategy and help bank in managing its data while minimizing risk to it. Such all-encompassing data risk management framework must be drafted and fully endorsed by the bank’s top leadership.
A data strategy is more than just a “strategy statement” because it helps formulate ways in which bank envisions the management of its data. Therefore, it must be succinctly defined with no room of misinterpretation among the readers. It is a good practice to kick-off the data strategy documentation with (data strategy) statement that explains why it is important to manage & protect data and what business objectives a good data risk management framework would help achieve.
As data has multi-faceted usages in different aspects of a business therefore, a well-designed ‘Data Strategy’ must fit together with all these other business aspects as shown below:
The 10 Commandments
A sound and effective Data strategy must be able to provide high level directional guidelines on multiple areas covered under the 10 Commandments:
1. Align your data strategy with vision & mission of your business
A data strategy must propel the organization closer towards its business goals and should be considered an integral part of business strategy. The management must be clear on the advantages that will be derived from an effective data strategy and how it will operate within the risk appetite of the bank. Also, strategy document once approved by the board & senior management, should be circulated and easily accessible to everyone in the organization with reference to contact points acting as ambassador in implementing the strategy.
2. Identify the data important to the organization – know what to archive and what not!
Some data are more crucial than others – banks should be able to identify the data that is critical to their business from multiple viewpoints such as legal, compliance, financial etc.
Based on the segregation of data between critical and non-critical – the data archival and disposal strategy should be formed.
3. Define the benefits the firm aims to derive by implementing the data strategy and the KPIs against which success will be assessed
It must be clear from the strategy itself about how success looks like? What are the key areas in which success can be measured and what are the ways of quantifying success. For instance, identification of critical data elements, cleansing of critical data to reach 99% defect free levels, achieving single customer view etc.
4. Design the model of data governance that the firm will adopt - choose one out of federated, centralized, decentralized.
Data governance is considered to be the most important arm of effective data risk management and majorly focuses on people, processes & systems from data point of view. The governance model must be selected on the basis of business model that the firm follows. In a small organization, a centralized data governance framework works well whereas bigger organizations may go for decentralized or federated data model.
Since, a federated business model offers greater autonomy to businesses operating under larger business group; therefore, this model works best when data officers are assigned at group levels who in turn are supervised by chief data officer on top.
A decentralized model best suits the environment where the business is large enough to provide autonomy to various departments to run their own governance practice.
The appointed Chief Data Officer (regardless of the model adopted) must be entrusted with the task of implementing the framework within organization as a change management project with the practice to be converted into Business-As-Usual in a medium to long run.
5. Define ways in which data will be protected to maintain privacy & ensure proper controls over sharing/usage of data
Ensure data security is not compromised at any stage as occurrence of even a single breach incident can have detrimental effects on business from compliance as well legal perspective. An effective strategy on protection of customer data is a competitive advantage that must be gained by investing in cutting-edge information security infrastructure.
Outsourcing and offshoring of data in today’s world is not uncommon but it exposes firms to greater risks of data leaks. Such risks must be mitigated by strategically shortlisting offshore locations & outsourcing partners that do not put your data efforts into jeopardy and maintain its sanctity at all levels.
A ‘data access’ strategy should also be defined that outlines who should get what levels of access on data and depending upon the data usage type whether it should be granted for a longer or smaller time frame or only on an ad-hoc & need to know basis. The firm’s data should be subjected to strategically defined levels of privacy classifications for access controls.
6. Manage your business and technical metadata with the help of sophisticated tooling
Know what data you have and create a metadata repository. For larger organizations, it makes sense to invest in metadata harvesting tools to automate the process and also carry out metadata management operations on sophisticated tooling available in the market.
Strategically assigning roles & responsibilities surrounding metadata management also acts as a support pillar in effective data governance as well as automated workflow implementation.
7. Strategize usage of data analytics & insights to successfully inculcate data-driven decision making culture
Decide the levels to which data insights will be relied upon in taking business decisions and will certain key decisions be approved if they were taken despite the lack of underlying data. Mandate the circulation of data-supported evidence that went into the decision making to gain confidence of the support staff.
8. Follow the Data Modelling & Storage type that suits your organization i.e. data lakes/rivers, data warehousing, cloud, Hadoop etc.
Make sure to create strategies surrounding data modelling i.e. whether to go for traditional data-warehousing way comprising physical data models, schemas or follow the modern data models such as data lake/swamp/river’s modelling.
The strategic decisions are also required for storage and accessibility of time-sensitive data or data that is critical but not time-sensitive. How often such data must be loaded, when is it made available to consumer, how to serve on-demand data and introduce Data as a Service (DaaS) etc.
9. Techniques & systems that will be used for data cleansing, integration, usability maintenance etc.
Endeavors surrounding improvement of data quality can initially be focused on the critical data and later be spread towards a broader base of data. The data strategy should identify the levels of data quality the organization aims to achieve. What systems to use for data cleansing as well as transformations. What are the data quality management practices that must be adopted firm-wide and the tools to be used in reporting quality levels at granular as well as top (rolled up) levels comprising various dimensions such as completeness, accuracy, timeliness, validity etc. How to ensure that the data remains fit-for-purpose and is also maintained in good health throughout its lifetime.
10. Break-down the Strategy into firm-wide & function specific policies – to be further implemented as standards and procedures
The data strategy when defined succinctly only acts as a roadmap for all the efforts concerning data but is still at a very high level to be actionable or relatable to individual businesses or departments. Therefore, the data strategy must further be broken down into policies that are specific to departments, processes, procedures whereas some of them could be applied firm-wide. For instance, HR department may have a policy of retaining data of every employee exited the organization in past 5 years and the policy in-turn may have been derived from strategy surrounding ‘data retention’.