Data governance and risk

Content Copyright © 2009 Bloor. All Rights Reserved.

I am going to make a radical suggestion. I am going to suggest that, far from having a data governance council or some other body overseeing a corporate data governance structure, this structure should report to the corporate risk manager. Let me explain my reasoning.

First, consider the primary role of data governance. It is to assure the provision of accurate, complete and up-to-date information. This is not, in itself, of much value. Nor is having a consistent view of your customers à la MDM. Both may have marginal benefit in reducing costs (fewer duplicates means reduced disk requirement) but these are not enough to justify an investment in data quality, MDM or data governance. No, the real benefit deriving from better quality data is that it enables better decision making. For example, once you have a consistent customer view you are in a better place to decide how you can market more effectively to those customers.

Now think about risk management. What’s that about? It’s about balancing upside potential against downside risks. Note that it isn’t typically about processes where you want to eliminate risk: these are usually the domain of compliance (remove risk of fines) or security (prevent fraud). Rather, it is about situations where there will always be risk but you would like to minimise it.

So, where does this risk management take place? When making decisions. Some of these will be big decisions, such as whether to acquire a competitor or where to open a new branch office, while others will be more operational in nature.

And what does risk management require? Essentially three things: appropriate processes, metrics (key risk indicators) and trustworthy underlying data. Without all three of these things, risk management will prove hard to accomplish in any meaningful way.

You see the synergy? Risk officers need reliable data and so do operational managers. But the risk management function sees the bigger picture and is not limited to a specific department within the business. It therefore seems to me to make sense that data governance, rather than being in IT, or in the business generally, or in a separate structure of its own, should be in a structure reporting to the CRO (the chief risk officer—if there is such a beast).

I am not saying, of course, that the CRO should take a hand in every decision-making process, but I do think that risk management can act in a sort of compliance role for decision making: establishing principles and best practices for decision making, and ensuring high quality, trustworthy information. Note that giving a compliance role to risk management is in no way stepping on the toes of the compliance officer, as compliance functions are frequently delegated to other departments (for example, security will often be responsible for ensuring compliance with data protection acts).

Given that a lack of risk management (or proper attention being paid to the advice provided) has in large part been responsible for the current recession, we are seeing an increased emphasis being placed on the position of CRO and it is not unlikely that this will be reinforced through legislation. So, this would be a good place for data governance to live. Moreover, the CRO is someone who should really get the importance of data quality. So: more power to the CRO’s elbow!