IT Management

Compliance Options: GRC, Master Data, and You

Sarbanes-Oxley, HIPAA, Basel II, privacy laws—they all have something in common. They expect you to assess risk to your data and then to employ formal governance in managing that risk. Data-savvy companies have recognized this and have designed their Data Management objectives to meet not only operational requirements, but also Governance, Risk, and Compliance (GRC) requirements.

They manage the following types of data-related GRC risks:

  • Security risks: the possibility the data could be hacked or stolen
  • Privacy risks: the possibility customers’ confidential data won’t be protected from thieves, will be lost, or will be inappropriately revealed
  • Quality risks: the possibility data won’t meet integrity requirements
  • Assurance risks: the possibility data management efforts won’t be transparent enough or auditable, that the enterprise can’t prove it uses adequate governance models, or that controls won’t meet the expectations of auditors.

A GRC approach to data has four steps:

  1. Establish your Data Governance “Rules of Engagement”: What is the scope of your efforts? What stakeholders will participate in decision-making? What processes will they use? How will they resolve conflicts and issues? How will governance decisions be documented for auditors and communicated to stakeholders?
  2. Decide how to approach risk: What’s the scope of your risk assessment? What’s your tolerance for risk for different types of data and different types of risk? What strategies for managing risk will you apply? How will you convert those strategies to processes and automated controls to prevent, detect, or correct problems?
  3. Establish how you must prove compliance: How will you monitor, measure, and document data to meet federal compliance requirements? Contractual compliance requirements? Internal expectations?
  4. Establish your Data Governance approach to the rules you’ve developed in Steps 2 and 3: Who will publish these rules? Who will work with technology managers to ensure they incorporate needed controls into their systems and processes? Who will be accountable for monitoring and measuring compliance with rules?

Many organizations stumble with Step 2. They realize all data isn’t alike: certain kinds of data are more likely to face problems, and the impact of a problem depends upon what type of data has the problem. Before they can continue with their risk assessment, they need to classify their data. How should they do this?

Malcolm Chisholm, consultant and author of the book Managing Reference Data in Enterprise Databases, suggests the following classes of data:

  • Metadata: data about data
  • Reference Data: data used to categorize, classify, or otherwise qualify or constrain transaction data; e.g., Code Tables or Domain Data
  • Master Data:
    - Enterprise Structure Data—data that describes the structure of the enterprise; e.g., Organizational Departments or Chart of Accounts
    - Transaction Structure Data—data required to create a framework within which transactions occur; e.g., Product, Customer
  • Transaction Activity Data: what an operational system is built to record
  • Transaction Audit Data: audit information about individual transactions.

Which of these types of data pose the highest risk to an organization? Reference Data and Master Data, because a single error will impact many transactions. For instance, consider the effect of one bad row in a single table—an error that places Orlando in California instead of Florida. This “small” error could have a large impact, affecting shipping, regional sales reports, employee compensation, forecasting, and many other types of business functions.

A key risk principle is that you focus risk management efforts on high-impact risks. And so, consider focusing your early GRC efforts on your Reference Data and Master Data. Address security and privacy, and demonstrate that you have effective Data Governance in place for that data, including an auditable process for resolving issues. If you do, you’ll find you’ve come a long way to satisfying a variety of compliance requirements.
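The "one bad row" scenario above, and the auditable resolution process the paragraph calls for, can be turned into a small detect-measure-correct control. This is an added example, not code from the article or from datagovernance.com; the city-to-state table, the trusted cross-check source, the transactions and the `data-steward` approver are all constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed reference table with the article's defect: Orlando placed in California.
CITY_STATE = {"Orlando": "CA", "Miami": "FL", "Tampa": "FL"}

# Constructed trusted source (hypothetical postal master) used to cross-check the table.
TRUSTED_CITY_STATE = {"Orlando": "FL", "Miami": "FL", "Tampa": "FL"}

# Constructed transaction data; each row inherits its state from the reference table.
TRANSACTIONS = [
    {"id": 1, "city": "Orlando", "function": "shipping"},
    {"id": 2, "city": "Orlando", "function": "shipping"},
    {"id": 3, "city": "Orlando", "function": "regional_sales"},
    {"id": 4, "city": "Orlando", "function": "compensation"},
    {"id": 5, "city": "Orlando", "function": "forecasting"},
    {"id": 6, "city": "Miami", "function": "shipping"},
    {"id": 7, "city": "Tampa", "function": "regional_sales"},
]


def find_reference_defects(reference, trusted):
    """Detect control: rows whose recorded state disagrees with the trusted source.
    Returns {city: (recorded_state, expected_state)}."""
    return {city: (state, trusted[city])
            for city, state in reference.items()
            if city in trusted and trusted[city] != state}


def blast_radius(defects, transactions):
    """Measure control: count downstream transactions per business function
    that silently inherit each bad reference row (the 'small error, large impact')."""
    impact = {}
    for tx in transactions:
        if tx["city"] in defects:
            per_function = impact.setdefault(tx["city"], {})
            per_function[tx["function"]] = per_function.get(tx["function"], 0) + 1
    return impact


def correct_with_audit(reference, defects, approver, audit_log):
    """Correct control: apply each fix and append a record an auditor can review
    (what changed, from what, to what, who approved it, when)."""
    for city, (old_state, new_state) in defects.items():
        reference[city] = new_state
        audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "table": "CITY_STATE",
                          "key": city, "old": old_state, "new": new_state, "approver": approver})
    return reference


if __name__ == "__main__":
    defects = find_reference_defects(CITY_STATE, TRUSTED_CITY_STATE)
    print("defects:", defects)
    print("impact:", blast_radius(defects, TRANSACTIONS))
    log = []
    correct_with_audit(dict(CITY_STATE), defects, "data-steward", log)
    print("audit:", log)
```

Running it shows one defective reference row touching five transactions across four business functions, then a single audit entry for the correction.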

For more information about Data Governance and GRC, visit www.datagovernance.com.