You must hear this often if you manage any kind of risk: risk and value go together. And that's true, of course! As we hear phrases like "data is the new oil" and "data fuels the digital economy", it becomes evident that data must be managed actively along with technology and people. Both the data and its infrastructure must be managed for their benefits and risks. Popular data domains to which risk management has extended include data quality, regulatory and compliance reporting, ethics, privacy, data-centric security, data requirement management and operations, to name a few. Tejasvi Addagada has ventured into this new book to expand on this need for formalizing the management of data risks. He is a popular thought-leader in the data and analytics space and has worked with Fortune 500 companies, helping them to monetize data. Tejasvi is also the author of a best-seller, Data Management and Governance Services – Simple and Effective Approaches.
In a regular setup, a data management function should establish metrics for business processes that influence the quality of the data. Such a process can be as simple as originating a customer through an online form by collecting data on a web channel. Other processes, like underwriting, can consume the same data, resulting in lower-quality assets for a bank. As you identify risk scenarios in business processes where quality can be influenced, you can formally state metrics as key risk indicators (KRIs). The KRIs for the data quality domain of data management can sense process breaks like "lack of mobile number verification through OTP" or "overwriting a current email address with an older one in core systems due to incorrect pipelining". Most of these need to be fixed by adding people controls as a compensatory control, such as performing four-eye checks on an application form. Permanent resolution of data issues can happen through IT. In the meantime, however, data quality KRIs can sense process breaks, and that information can be used to recover bad data. Similarly, other data management domains like data definitions, metadata management, central data operations, and master data management can use a similar assessment of risks and KRIs.
Compliance and regulation drive enterprises to adopt risk management in data management and governance. The other leading driver is the need to prioritize and manage data associated with high financial or operational risk. On the other hand, the Data Governance function establishes guidance in managing data by defining policies, approval mechanisms, and communication rigor to actively manage critical data. To encourage employee commitment towards an effective culture of stewarding data, some organizations reward teams who self-identify risks in their business domain and come up with mitigation plans. It is true that developing a risk-aware culture costs capital; however, when you consider the costs of not managing the risks as well as the deficiency in business benefits, the funds spent to address the risks will be worth it.
In the second chapter, the importance of formally managing data risks in an organization is highlighted. In addition to other important aspects, a board of an enterprise can actively manage data risk appetites and thresholds. Some of these aspects can be data ethics, guiding the organization through policies, stressing fiduciary responsibilities, managing legal and regulatory issues, preparedness for upcoming policy, and, of late, technology as a disruptive force to bring competitive advantage. Technology would include data analytics, artificial intelligence, cyber security, and digital transformations as its overarching components.
Managing data risk requires focus right from the top, prioritizing the regulatory and operational risks exhibited by weaker controls in managing data. An organization must structure a function, such as data risk management. The function will serve as oversight over data operations by curating risks on the fly and actively managing them.
In addition, organizations are poised to grow strategically with the right transformations that will give them an edge over the competition to grab customer attention. Most of these transformations, like digitally enabled business and reduced threat surface areas, are associated with putting in the right data capabilities like cloud warehouses, machine learning operations (MLOps), etc. The risks associated with not realizing the complete benefits of these data capabilities should be actively managed as well.
By properly representing data risks at the board, programs that strengthen data operations, and thus the resulting benefits, can be sponsored. Raghavendra (Raghu) Chinhalli, a popular thought-leader in executive data management, extends his experience of such practices to the board.
Tejasvi has concentrated on bringing the right focus on managing data risks to the boards of enterprises, and on the possible choices to achieve the benefits. The book further explains the aspects of quantitative and qualitative risk assessment approaches, and specifically a holistic technique named capability based data risk assessment. The latter technique can be used in data risk planning and in formulating a data risk strategy, along with assessing data risks continuously. Also, a risk assessment can be less accurate when used to assist in the measurement of risk. But curating more characteristics of risk events through the data collection phase can assist in better predictability of risks in data operations. Moreover, there are various tools and techniques that can assist in the management of data risks. Arunprakash Asokan, a security expert working with Unilever, narrates his experience in using popular techniques.
The book provides twenty data risks that can be used straight from the book, with details like the risk statement, several causes, and multiple categories of impact if the data risk is to manifest. Also, the next chapter focuses on leveraging COBIT as a framework to assess and manage data risks. Because a popular ask for most organizations is to imbibe a culture of managing data risks, the book provides guidelines to create a data risk culture through awareness and examples.
In light of recent changes in privacy and protection policies around the world, in places like Europe and India, the last chapter places greater emphasis on providing practical guidance to organizations to manage the risks associated with the data privacy of their customers. There are fifteen risk scenarios of data privacy that can readily be used in any data privacy office. Tejasvi has attributed some of these combined experiences to Balaji Narayanan, a data analytics leader and influencer working with Axis Bank, for enriching his thoughts.
Mr. Akhilesh Tuteja, Global Head of Cyber Security Consulting at KPMG, has extended further advice on managing privacy and data security control environments, and he is also writing the foreword. This is an exciting engagement, with many thought-leaders enriching the practical approaches from Tejasvi Addagada in implementing data risk management as a function in an organization.