Data is the fuel for business, and its volume is growing at an exponential rate. But, to harness this powerful fuel, you must effectively store, transfer, manage and analyze it.
Most of all, you must secure it. In business terms, data leaks can be explosive.
Recently, four Grant Thornton specialists discussed how businesses can take the next step in the journey to manage the asset, opportunity and liability of data.
To effectively use and control data, businesses need effective data governance. The journey to effective data governance requires each business to identify its unique considerations, roles and rules that inform its principles of value and security. Grant Thornton IT IA and Cybersecurity Partner Scott Peyton explained, “We often find that some aspects of data governance are being attended to in an organization, but there’s separation. Multiple groups take ownership of their piece of the puzzle, but getting an enterprise view is where things often break down.”
Start with a focused approach and flexible framework
Any discussion of data governance should start with the business drivers for your company. Your industry, market position, business model, compliance requirements, strategies and other factors define your internal and external data demands.
You must keep your unique data demands in mind to ensure that your data governance framework is comprehensive enough for your enterprise while being specific enough to drive your strategies.
Questions to drive your high-level framework
Your high-level data governance framework should help you strike the right balance between producing and using data while still protecting it. Grant Thornton IT IA Managing Director Matt Cassidy noted that “Our clients are telling us that if they lose the ability to produce their data assets, they lose a competitive advantage.”
After establishing this framework, you can further assess the risks that will inform your data governance program.
Assess your data risks
The risks to your data are real, and constantly evolving. If you do not have a formal data governance structure, with appropriate data security measures, your enterprise is at risk of data loss, operational disruption, regulatory non-compliance and reputational damage. Risks arise from external attacks, access errors, internal negligence and more. An effective risk assessment identifies what can prevent you from achieving business goals, meeting compliance requirements, improving efficiencies or gaining competitive advantages.
As your data volume and structures proliferate, it’s important to keep the following nine aspects of data governance risks in mind:
Assess your data governance
- Data stewardship:
Your organization must have champions who are responsible for the quality and safety of data in each key function, or you can suffer a data breach in a critical gap where there is a lack of accountability and control.
- Organizational responsibility and communication:
Support your champions by establishing clear responsibilities and lines of communication, with strong C-suite support. Yiru Chen, Grant Thornton Risk Advisory Senior Associate, stressed, “If appropriate data governance roles and responsibilities do not exist, and stakeholders are unaware of data management responsibilities, the strategic alignment between the data management function and the whole business cannot be supported or promoted.”
- Data strategy:
If your champions do not align their work with a formal data strategy, different business units may pursue conflicting agendas that undermine your data management overall.
- Data standards, policies and procedures:
Even with the best strategy in place, data management will be inconsistent if standards, policies and procedures are not enforced. Insufficient guidance and enforcement will negatively impact data definition, collection, maintenance, use and security processes.
- Data architecture:
Your data strategy, standards, policies and procedures should inform your data architecture. Make sure that you are housing data in a way that facilitates your current objectives and considers the flexibility that you are likely to need in the future.
- Regulatory compliance:
Poor data quality or ineffective data architecture can put your organization at risk of noncompliance fines and other measures, adversely impacting the organization’s performance and reputation.
- Issue management:
When questions arise about data quality, relevance, consistency and availability, you need to be sure you can resolve them quickly and consistently. Make sure you include an escalation path for unresolved issues, because ongoing issues can create continual losses from poor data quality, incorrect information or even noncompliance.
- Project management:
Project management determines what gets done. Make sure that your data management work is effectively prioritized and funded. When weak project management leads to poorly made decisions or misallocated funds in data management, the resulting losses can continue and grow.
- Data management services (vendor management):
The success of your data governance is not entirely controlled by your employees. Make sure that your vendors are properly vetted, and that the terms of service are fully defined in the contracts.
Whether formal or advisory, a data audit can give you a holistic view of your data governance, providing essential transparency to executives and board members.
Your audit should be driven by your risk assessment. Every company’s risk profile is unique. For example, a retailer will value data for its contribution to business intelligence. A healthcare or financial company will often be most concerned with privacy and data security. Below are some examples of the areas where a data audit can focus:
Effective data maintenance is essential for many reasons, including the need to ensure your data quality — which is a common concern, and a complex factor. For example, is a given set of data relevant to the decisions you need to make? An audit can determine if there are controls in place to determine relevance. It could further determine if the controls are reviewed often enough, and if those reviews are conducted by qualified experts.
Other factors impacting data quality might include accuracy — is the data the same after scrubbing, manipulation and aggregation? Here, auditors might recommend an automatic embedded script to discern accuracy as data moves through the system, or a manual check of high-value records.
Other questions can include: Are there biases that will distort key business decisions? Can you get the insights you need from this data, in this form? Are there inconsistencies when data is aggregated from other sources, and do those inconsistencies cause confusion or inefficiency? Could a control normalize distortion or inconsistency?
Security and access
While data security is paramount in sectors such as healthcare and finance, it’s important in every sector of business. Audits can look at network security, physical security, access security and authorization protocols. They can verify that controls enforce the principle of least privilege across all databases, data marts and data warehouses.
On the loss prevention side, an audit can help determine if a business needs — and is ready for — an automated loss prevention tool that finds and protects sensitive data. It can determine whether data is encrypted in all destinations, and in all states. Auditors can look at how data is classified by sensitivity, from public to highly compartmentalized. They can help determine if classifications are comprehensive and appropriate. They can also assess whether the necessary safeguarding procedures (such as encryption) are in place to protect the sensitive data.
A holistic view of data emphasizes its power as a business tool. Here, many of the tools deployed to ensure data reliability, relevance and objectivity will be germane. Controls which ensure consistency, and rollback mechanisms which minimize duplication, will help decision-makers.
Partition tolerance has special relevance for business intelligence discussions. High levels of tolerance mean that more decision-makers can access data more readily, but the data itself might be less consistent. Auditors can help determine if these considerations are being weighed appropriately.
Overall, a data audit can help you determine where you are on your data governance journey. Data governance can be divided into five stages: undefined, tactical, focused, strategic and transformational. “Audits can help management assess their roadmap and provide objective opinions about whether the roadmap could take the data governance program to the level of maturity desired within the set timeline,” said Lucia Wang, Grant Thornton Risk Advisory Director.
It’s important to know where you are on your data governance journey, and where you want to be. It’s also important to empower the people who can take you there.
Empower your people
Auditors identify and verify the conditions that will lead to your data governance program’s success, but it is your day-to-day employees who create that success.
Your program’s support must start at the top and permeate the organization. High-level support can take the form of a Data Governance Council, led by the Business Information Security Officer and the Chief Information Security Officer. The council should refine and enforce the strategic vision of data governance across departments, tie that vision to larger organizational objectives, and serve as the escalation point for significant issues. Beside the council, designated data governance organization members would address the specifics of data management functions, data ownership and accountability across different areas and processes within the business.
At the heart of the program, a Center of Excellence Team can act as data stewards with skilled knowledge. Team members can include system administrators, owners of key controls and data guardians. These champions of governance should understand policies, practices and standards — and make sure others do, as well. Their many responsibilities can also include setting priorities within their business functions, reviewing requirements associated with workstreams or work requests, defining data, managing metadata, communicating definitions, approving usage standards, owning metrics, monitoring compliance, and recommending improvements based on an analysis of root causes.
Everyone within the organization is responsible for data governance. Employees, third-party vendors, contractors and all other end users must access and use corporate data and information resources responsibly, and only for authorized purposes.
Leading practices and technology trends
Many of the high-level tasks in a data governance journey are common — start with a framework, assess your risks, assess your program, establish and empower your roles. These form the foundation for a data governance program that aligns with your goals, identifies technology needs and informs ongoing assessments.
But the data governance landscape is rapidly evolving. Emerging tools can use AI and machine learning to streamline processes, reinforce data integrity, improve data visualizations and enhance high-level storytelling that clarifies business decisions. At the same time, evolving ethical discussions mean that businesses will continually need to shift and address new issues.
Every business risk profile is unique, with different data demands at different stages on the data governance journey. To effectively store, transfer, manage, analyze and secure data as the fuel for your business, form a holistic view on governance now and into the future.