The challenge: The need for a consistent, operationalized, defensible method for continuous assessment of data’s value, risk and compensating controls
In today’s business environment, the most important strategic asset of any major enterprise is its data. Each enterprise has the business imperative to use data better to gain deeper insights, to improve decisions and to realize business value. Yet, as business leaders and data professionals know, with the increasing sophistication of users of data, new global data protection regulations, and ever-present cybersecurity threats, it is becoming more challenging to manage data at scale and speed.
What’s more, with the impending arrival of 5G mobile broadband and the ever-expanding Internet of Things (IoT), these challenges will only continue to increase in number and severity as data volume, variety and velocity grow. New and novel approaches to managing data are needed to keep up with these disruptors. Indeed, if these challenges aren’t met, data assets that can be useful and valuable can become data liabilities, with the potential to severely harm an organization.
Businesses can’t manage what they can’t measure. While organizations usually attempt to evaluate data risk, they rarely attempt to measure the value of their data. It is a testament to the poor state of affairs that many business leaders cannot look across their data portfolio and answer these fundamental questions:
- What data do we have and where is it? How are we using it?
- Have we applied appropriate controls considering both data’s value and risk together?
- What data requires immediate action to protect in order to leverage the data and unlock its actual value?
- Lastly, businesses usually cannot answer one of the most important questions of all: Is my data actually worth the risk and cost of controlling it
CREATE A DATA VALUE-RISK-CONTROL PROFILING MODEL
One innovative capability for addressing these challenges is to utilize a data value-risk-control profiling tool. The tool uses a questionnaire, data value, risk and control scores, and simple backend logic to provide a normalized scorecard. The scorecard permits a streamlined, centralized review of data use cases across the organization.
As we move further into the data-driven world, organizations must continuously improve their use and protection of data.
The approach does not attempt to evaluate the monetary value of data—that would be too hard to do at scale. Rather, the tool, based upon the enterprise’s collective subject matter expert knowledge of the data, leverages simplified algorithms as part of its approach to create a normalized score. Across multiple inputs, the tool automatically generates a scorecard assessment of the data’s value, risk, and controls. Moreover, depending upon an organization’s implementation of the model, it could also include an assessment as to whether the data set and the intended use is within risk tolerances/appetite, and whether the use is approved or denied by a governing body.
While this may seem simple, it provides something profound: a simplified approach to calculating data value and risk that is consistent and scalable.
THE ROADMAP: PRACTICAL TIPS ON DEVELOPING THIS CAPABILITY
While each business’s journey will be different, the approach to develop the data value-risk-control profiling model will have many of the same key steps:
- Establish the committee and/or executive sponsor for this effort. If you don’t already have an Information Governance structure at your firm, establish a broad, cross-functional committee to spearhead the project. The committee should include all the professionals from related disciplines that should have a say in developing a data profiling model, including data management, analytics, RIM, legal, IT, Information Security, Marketing, Privacy, Compliance, Risk Management, as well as representatives from key business lines. Additionally, like any change initiatives, lining up executive sponsorship is critical to mobilizing resources and sustaining support.
- Assess the organization’s current state and identify what data-related problems exist. Survey the organization to identify major data pain points to provide insight into which business areas or use cases the model should be deployed to first.
- Create an enterprise strategy that has data value at its core and a timeline for transformation. Whether your company decides to take an incremental approach or tackles many moving parts in parallel, it is important to lay out a strategy upfront. This gives everyone structured and timely goals and metrics to meet and measure progress along the way. This strategy should be value focused: optimizing use of data as a strategic asset while addressing value enablement, holistically, and every time (e.g., managed data quality, data protection by design).
- Develop a specific set of data elements and corresponding questionnaire. If your organization does not already have an inventory of a specific set of data elements, such as those constituting “sensitive data,” you’ll need to create one. Determine which data elements are important for inclusion in this set as a first initiative, and document critical metadata, such as where your data resides and data owners. Next, develop a standardized questionnaire that touches upon the unique value and risk factors that are relevant to your organization. This is where having a broad, cross-functional development committee is most important. Although agile approaches will likely work best— “fail fast fail often” – getting this step right to build support is critical.
- Develop an operating model, train and socialize. Finally, the committee will need to develop an operating model and governance structure for how the model will be used in day-to-day operations. Basic logistics have to be worked out: When must a questionnaire be filled out for a data use case? Who fills it out? Who reviews the results? What are the effects of those decisions? How are decisions communicated to the requestor? Further, the committee should undertake an extensive socialization campaign to get the workforce comfortable. This should include training, playbooks, job aids and on-going awareness campaigns. Finally, all of this should be accompanied by a supportive message from leadership that encourages a change in culture going forward to embrace this enhanced approach to data governance.
Developing a data value-risk-control profiling model, and the associated business processes to support it, may seem like a daunting task, especially when implementation is enterprise-wide. Organizations should consider focusing on smaller business domains or a limited set of use-cases first, and work to grow the model iteratively over time.
As data volumes, risks, and opportunities continue to grow, organizations should find new ways to manage, protect, and control data risk to unlock its value. Measuring data value along with data risk can allow for enhanced analysis of value, greater risk identification, and improved traceability of required controls. The lasting result of such an approach will allow businesses to safely maximize use of their most valuable data.
As we move further into the data-driven world, organizations must continuously improve their use and protection of data. Understanding the value and risk of data across the firm, using solutions like a data value-risk-control profiling model, is a crucial first step towards becoming a data-driven business.