Real-World Data Governance: Governance Risk and Compliance


Upload: dataversity

Post on 14-Jun-2015


DESCRIPTION

The target of many a Data Governance Program is to nail their regulatory and compliance requirements first to appease the government and industry regulators before doing anything else. Risk Management, as a practice, is already in place in most organizations under a variety of names. Even though most organizations do not consider Risk Management the same thing as Data Governance, the similarities abound. Compliance is not optional. Nothing about Regulatory and Compliance mentions optional. Governance is not optional either.

The session will cover:

• Risk Management Vs. Data Governance – A Close Comparison

• Risk Management as the Face of Data Governance

• Measuring Success of Governance in terms of Risk Management

• Using Risk and Compliance to Explain Governance

• Using “Not Optional” as Your Crutch

TRANSCRIPT

Page 1: Real-World Data Governance: Governance Risk and Compliance

1

Copyright © 2014 Robert S. Seiner – KIK Consulting & Educational Services / TDAN.com

Non-Invasive Data Governance™ is a trademark of Robert S. Seiner & KIK Consulting

Robert S. Seiner

KIK Consulting & Educational Services – KIKconsulting.com

The Data Administration Newsletter – TDAN.com

Real-World Data Governance: Governance Risk and Compliance

Monthly Webinar Series Hosted by DATAVERSITY

Robert S. Seiner – KIK Consulting / TDAN.com

October 16, 2014 – 2:00 p.m. EST

Page 2

• Real-World Data Governance – Monthly Webinar Series – Third Thursday @ 2pET

– November 20, 2014 – Selecting the Right Data Governance Approach

– December 18, 2014 – Big Data Governance: What it is and why it is necessary

– Register On-Line at DATAVERSITY.net

Real-World Data Governance: Upcoming Webinars

Page 3

• Non-Invasive Data Governance: The Path of Least Resistance and Greatest Success

– ISBN 9781935504856 / Technics Publishing – September 1

• KIKConsulting.com – New Home of Non-Invasive Data Governance™

– Jeremy Seiner (Nephew) Designer – Live June 1

• Data Governance Winter Conference – DATAVERSITY & DEBTECH International

– Ft. Lauderdale, Florida – December 8-12

Risk and Compliance: What’s New?

Page 4

• The target of many a Data Governance Program is to nail their regulatory and compliance requirements first to appease the government and industry regulators before doing anything else.

• Risk Management, as a practice, is already in place in most organizations under a variety of names.

• Even though most organizations do not consider Risk Management the same thing as Data Governance, the similarities abound.

Risk and Compliance: Abstract

Page 5

• Compliance is not optional.

• Nothing about Regulatory and Compliance mentions optional.

• Governance is therefore not optional either.

Risk and Compliance: Abstract

Page 6

• The session will cover:

• Risk Management Vs. Data Governance – A Close Comparison

• Risk Management as the Face of Data Governance

• Measuring Success of Governance in terms of Risk Management

• Using Risk and Compliance to Explain Governance

• Using “Not Optional” as Your Crutch

Risk and Compliance: Abstract

Page 7

• Data Governance

– Data Governance is the Execution and Enforcement of Authority Over the Management of Data and Data-Related Resources.

Robert S. Seiner

• Data Stewardship

– Data Stewardship is the Formalization of Accountability Over the Management of Data and Data-Related Resources.

Robert S. Seiner

Recent Client Definitions

Formalization of behavior around the definition, production and usage of data to manage risk and improve quality and usability of selected data.

Formalization and guidance for behavior over the definition, production and use of information and information related assets.

Risk and Compliance: Definitions

Page 8

• Non-Invasive Data Governance™

– The practice of:

• applying formal accountability & behavior

• through non-invasive roles & responsibilities

• to existing and / or new processes

• to assure that the definition, production & usage of data

• assures regulatory compliance, security, privacy, protection & quality.

– Non-Invasive describes how governance is applied to assure non-threatening management of valuable data assets.

– The goal is to be transparent, supportive, collaborative.

Risk and Compliance: Definitions

Page 9

• Governance, Risk Management, and Compliance or GRC is the umbrella term covering an organization's approach across these three areas.

Risk and Compliance: GRC Explained

Graphic from Yahoo Graphics

Page 10

• GRC is a discipline that aims to synchronize information and activity across governance, risk management and compliance in order to create effectiveness and efficiency, enabling more effective information sharing and reporting and avoiding wasteful overlaps.

• GRC typically encompasses activities such as corporate governance, enterprise risk management (ERM) and corporate compliance with applicable laws and regulations.

Risk and Compliance: GRC Explained

Page 11

• Organizations reach a size where coordinated control over governance, risk management and compliance (GRC) activities is required to operate effectively.

• Each of these three disciplines creates information of value to / for the other two.

• Each of these disciplines counts on the others for support.

• Like the Three Legged Stool.

• Each of the three GRC disciplines touches and impacts the same technologies, people, processes and data in any organization.

Risk and Compliance: GRC Explained

Page 12

• When governance, risk management and compliance are managed independently from each other, organizations typically have substantial duplications of tasks.

• Overlapping and duplicated GRC activities negatively impact operational costs and GRC metrics and create confusion of responsibility.

• Internal services might be audited and assessed by multiple groups on an annual basis, creating enormous cost and disconnected results.

Risk and Compliance: GRC Explained

Page 13

• A disconnected GRC approach will also manifest itself as an inability for the organization to provide real-time GRC executive reports.

• Like a badly planned transportation system, every individual route will operate, but the network will not have the qualities that allow them to work effectively together.

Risk and Compliance: GRC Explained

Page 14

• Due to the changes in:

– Technologies – Data Warehousing/BI, Big Data, Cloud, Analytics, Social Media

– Increases in data storage – Big Data, VLDB, Unstructured Data

– Market globalization – Different regulations and risks based on location

– Increased regulation – Rules are not optional; There are penalties

the number of GRC related requirements that most organizations must sustain is becoming unmanageable if tackled in a traditional 'silo' approach.

Risk and Compliance: GRC Explained

Page 15

• Is Governance the umbrella under which Risk and Compliance reside?

• Is Risk Management the umbrella …

• Is Compliance the umbrella …

• Takes me back to age-old debates:

– Business Intelligence and Knowledge Management

– Data Management, Information Management, Metadata Management

– Data Management and Big Data …

– Chicken and Egg

Risk and Compliance: GRC Explained

Page 16

• Three Different Types of GRC

– Financial GRC

– IT GRC

– Legal GRC

• Does your organization have all three?

• Are the different types of GRC coordinated?

• What are the differences?

Risk and Compliance: Different Types of GRC

Page 17

• Financial GRC relates to the activities that are intended to ensure the correct operation of all financial processes, as well as compliance with any finance-related mandates.

• Most organizations have this.

Risk and Compliance: Different Types of GRC

Page 18

• IT GRC relates to the activities intended to ensure that the IT (Information Technology) organization supports the current and future needs of the business, and complies with all IT-related mandates.

• Some organizations have this.

Risk and Compliance: Different Types of GRC

Page 19

• Legal GRC focuses on tying together all three components via an organization's legal department and chief compliance officer.

• Few organizations have this.

Risk and Compliance: Different Types of GRC

Page 20

• Data Model for GRC

Source: http://www.databaseanswers.org/data_models/governance_risk_mgt_compliance_GRC/index.htm

Risk and Compliance: Data Model

Page 21

• A key risk indicator (KRI) is a metric for measuring the likelihood that the combined probability of an event and its consequence will exceed the organization's risk appetite and have a profoundly negative impact on an organization's ability to be successful.

Techtarget.com

• Is there such a thing as a KDRI – Key Data Risk Indicator?

• Should there be?

Risk and Compliance: Key Risk Indicators

Page 22

• A key data risk indicator (KDRI) is a metric for measuring the likelihood that the combined probability of a data event and its consequence will exceed the organization's data risk appetite and have a profoundly negative impact on an organization's ability to be successful.

• Examples of data breaches:

– Target

– Kmart

– Home Depot

– Dunkin Donuts

– Are organizations becoming more blasé about data risks?

– Or are organizations becoming more diligent?

– Build a 10 foot wall and someone will develop a 12 foot ladder to get over that wall.

Is the same true for all GRC issues?

Risk and Compliance: Key Data Risk Indicators

Page 23

• Six Questions About Your Risky Data

– Is Risky Data different from the other data in your organization?

– Which data is more heavily regulated than other data?

– Are there more people who handle heavily regulated data than other data?

– Is this data used in more decisions than other data?

– Is this data managed any differently than other data?

– Is this data more of a corporate asset than other data?

• Big Question:

– Should we govern heavily regulated data any differently than other data?

Risk and Compliance: Governing to Manage Risk

Page 24

• Is your Financial Data more heavily regulated than other data?

• Is Financial Data different from the other data in your organization?

• Yes or No?

– Yes – because it is a different subject matter.

– Yes – because of where the data comes from.

– Yes – because of how it impacts all other data.

– Yes – because of the rules we have to follow.

– Yes – because without our Financials we go out of business.

– No – because it is just data.

Risk and Compliance: Financial Data

Page 25

• Is your Financial Data more heavily regulated than other data?

• Yes or No?

– Maybe?

– List of U.S. Federal Reserve Laws

– International Laws

– Other than Federal Reserve

– Classification

– Security

– Operations

– Business Rules

Risk and Compliance: Financial Data

Page 26

• Are there more people who handle Financial Data than other data?

• Yes or No?

– Yes – More attention is paid to Financial data.

– No – It is just data.

Risk and Compliance: Financial Data

Page 27

• Is your Financial Data used in more decisions than other data?

• Yes or No?

– Maybe – depends on your organization’s business.

– Yes – at least some people think so.

– No – it is just data.

Risk and Compliance: Financial Data

Page 28

• Is your Financial Data managed any differently or riskier than other data?

• Yes or No?

– Yes – more attention is paid to Financial data.

– No – we don’t manage any data well.

– No – there are multiple occurrences of Financial data.

– No – there is not a single answer to “what is Financial data”.

– No – Financial is just another domain of data.

– No – there are stewards and owners of Financial data.

– No – it is just data.

Risk and Compliance: Financial Data

Page 29

• Is your Financial Data more of a corporate asset than other data?

• Yes or No?

– Yes – Financials are our most important asset so therefore …

– Yes – what we know about our Financials drive our business.

– Yes – we are becoming a “Financial Centric” organization.

– No – it is just another domain of data.

Risk and Compliance: Financial Data

Page 30

• Should we govern Financial Data any differently than other data?

• Could lead to lengthy debate.

• Risk Data Governance Programs

– Focused on increases in touch points.

– Big Data Governance – How is this defined?

– Is Big Data riskier than other data because of its size?

• Or is it just another issue associated with all domains or subject areas?

• The answer to that question is …

Risk and Compliance: Financial Data

Page 31

Risk and Compliance: Governance Core Principles

Page 32

• Are Risk Management and Data Governance the same thing?

• Risk Management – the techniques used to minimize and prevent accidental loss to a business.

Freedictionary.com

• Risk Management – the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events.

Hubbard, Douglas (2009). The Failure of Risk Management: Why It's Broken and How to Fix It. John Wiley & Sons

Risk and Compliance: Risk Management Vs. Data Governance

Page 33

• Risks can come from:

– uncertainty in financial markets,

– threats from project failures,

– legal liabilities,

– credit risk,

– accidents,

– natural causes and

– disasters as well as

– deliberate attack from an adversary, or

– events of uncertain or unpredictable root-cause.

Wikipedia

• Are Risk Management and Data Governance the same thing?

Risk and Compliance: Risk Management Vs. Data Governance

Compliance?

Page 34

• Data Governance – The execution and enforcement of authority over the management of data and data-related assets.

Bob Seiner

• Data Stewardship – The formalization of accountability for management of data and data-related assets.

Bob Seiner

• Data Governance can embrace a lot more than just risk management.

• Risk Management is where a lot of organizations start to formalize their levels of Data Governance.

Risk and Compliance: Risk Management Vs. Data Governance

Page 35

• Case Studies of Data Governance Focused on Risk Management

– State Department of Health and Welfare – Protection of Sensitive Data

– Investment Management Company – Information Security

– University – Data Classification and Handling

– Medical School at University – Protect Sensitive Data – PII – PHI

– Health Insurance – Data Sharing, Extraction and Vocabulary

– These only cover a sliver of what Risk Management covers.

• Data Governance – The execution and enforcement of authority over the protection of sensitive data and data-related assets.

Bob Seiner for DHW

Risk and Compliance: Risk Management Vs. Data Governance

Page 36

Risk and Compliance: Risk Management Vs. Data Governance

Page 37

• Compliance – Regulatory compliance, adherence to standards, regulations, and other requirements.

• Are Compliance and Data Governance the same thing?

• Isn’t Data Governance the means to the end?

• “Execution and Enforcement of Risk Management and Compliance Rules”

Risk and Compliance: Risk Management Vs. Data Governance

Page 38

• Risk Management and Compliance can be the “Face of Data Governance”

• Risk Management and Compliance, together or apart, can be the:

– Reason why to do Data Governance in the first place.

– Something we are already doing, so let’s formalize existing accountabilities.

– Reason our organization is at risk every single day.

– Not optional – Therefore we must have a governance plan to address them both.

Risk and Compliance: Face of Data Governance

Page 39

• How can we make Risk and Compliance the “Face of Data Governance”?

– Inventory who does what with data across the organization

– Formalize documentation and availability of the rules

– Link the rules to the data

– Orient / On-Board / On-Going communications to data stewards of the rules

– Build the enforcement of the rules

• into data sharing and extraction activities

• into the reporting and analytical activities

• into operational activities

• into the measurement of the rules

– Encourage audit activities

– Focus Communication on Risk and Compliance

Risk and Compliance: Face of Data Governance

Page 40

Risk and Compliance: Face of Data Governance

Page 41

Non-Invasive Data Governance™ Operating Model of Roles & Responsibilities (diagram; the text below is what can be recovered from the figure)

• Operational Level – Business Unit Specific

– Operational Data Stewards (existing): Data Definers, Producers, Users. These people are presently defining, producing and using data as part of their jobs. Recording of the Operational Data Stewards will be an important enabler of improved communications, coordination and cooperation among stewards.

• Tactical Level – Cross Business Unit

– Data Domain Stewards: Per assigned Subject Areas

– Data Steward Coordinators: One per Business Unit

• Strategic Level – Enterprise

– Data Governance Council / Data Governance Sponsors Group, or Group of similar participation. One person, plus alternate, for each Business Unit represented & IT. Consider financial services & human resources.

• Executive Level – Enterprise

– Data Steering Committee: Senior-most level knowledge of the program. Leverage existing business structure as possible. If no structure exists, utilize an IT Steering Committee or an executive founded board or council.

• Data Governance Program Team (DGPT)

– Data Governance Team Manager: Responsible for Administering the Program, facilitating use of the Data Governance Council, communicating program components and value to the Organization. Advisory assistance from other levels.

• IT Subject Resource Experts

– System/Data Resource Experts: IT Staff including Application Development, Data Design, Security, and other Data Resource Management.

• Diagram annotations: an Escalation / Approval Path runs between the levels, a Communication arrow links the Program Team and the IT Subject Resource Experts to the levels, and the boxes are labelled EXISTS (three), NEW (two) and LEVERAGE (one).

Risk and Compliance: Face of Data Governance

Page 42

Risk and Compliance: Face of Data Governance

Page 43

• Risk Management and Compliance in Terms of Rules

– List of U.S. Federal Reserve Laws

– International Laws

– Classification

– Security

– Operations

– Business Rules

Risk and Compliance: Governance in Terms of Risk Management

Page 44

• Measuring Governance of Data in terms of Risk and Compliance:

– Rules Documented

– Rules Linked to Data

– Rules Made Available

– Rules Communicated / Refreshed

– Rules Analyzed / Reported

– Rules Broken / Followed

Risk and Compliance: Governance in Terms of Risk Management

Page 45

• The International Organization for Standardization (ISO) identifies the following principles of risk management:

• Risk management should:

– create value – resources expended to mitigate risk should be less than the consequence of inaction, or the gain should exceed the pain

– be an integral part of organizational processes

– be part of the decision making process

– explicitly address uncertainty and assumptions

– be a systematic and structured process

– be tailor-able and take human factors into account

– be transparent and inclusive

– be dynamic, iterative and responsive to change

– be capable of continual improvement and enhancement

– be continually or periodically re-assessed

Non-Invasive Data Governance™ should:

Risk and Compliance: Risk and Compliance to Explain Governance

Page 46

• Consequences of Un-Governed Risk Management and Compliance

– Informal best practices

– Informal roles & responsibilities

– Informal accountability

– Informal communications

– Informal action plan

– Informal rule definition

– Informal enforcement of the rules

– Break the rules, Get caught, Pay the consequences …

– Tragedy, Despair, Hopelessness, Train Wreck, Really Bad Things …

Risk and Compliance: Risk and Compliance to Explain Governance

Page 47

• Final Words:

– Following the rules is not optional.

– Accountability needs to be not optional.

– The accountability is already there.

– Ask your management if accountability is optional.

– Governance includes Stewardship

• Formalize it!

• Be Non-Invasive in your approach.

Risk and Compliance: “Not Optional” as Your Crutch

Page 48

• Real-World Data Governance – Monthly Webinar Series – Third Thursday @ 2pET

– November 20, 2014 – Selecting the Right Data Governance Approach

– December 18, 2014 – Big Data Governance: What it is and why it is necessary

– Register On-Line at DATAVERSITY.net

Real-World Data Governance: Upcoming Webinars

Page 49

• The session covered:

• Risk Management Vs. Data Governance

• Risk Management as the Face of Data Governance

• Governance in terms of Risk Management

• Using Risk and Compliance to Explain Governance

• “Not Optional” as Your Crutch

• Questions & Answers

Real-World Data Governance: Wrap Up

Page 50

• Robert S. Seiner

KIK Consulting & Educational Services – KIKconsulting.com

The Data Administration Newsletter – TDAN.com

Post Office Box 112571, Upper St. Clair, Pennsylvania 15241

412.220.9643, 412.220.9644 (Fax)

[email protected]

[email protected]

@RSeiner

Real-World Data Governance: Contact Information