How do we identify Data Risk?

Data Lineage as an enabler

When I hear the words “Data Risk”, it’s usually in the context of a conversation about the consequences of inappropriately sharing personal data.

Data Privacy Risk is an important consideration for all of us.  However, we also need to think about data risk in the context of data quality.

In a previous article, I touched on the importance of a Data Control Framework that takes into account the risks that your data is exposed to across its flow from point of origin to point of consumption; its lineage.

I gave some examples to illustrate that every occasion on which data is touched, manipulated or augmented represents an opportunity for error or corruption.

Why you need to Risk Assess your Lineage

One such example, which I came across during a previous engagement, concerned a key data pipeline that had stopped feeding one of the Compliance reporting systems for several months before it was discovered. 

The eventual discovery led to considerable effort in undertaking an impact analysis, alerting stakeholders and re-creating reports. 

The risk should have been easily identifiable, yet no due diligence had been undertaken to do so and no controls were put in place as a result.

This, of course, is a simple example.  Properly identifying and assessing the key risks becomes far more challenging when reviewing highly complex data flows with intricate manipulations and multiple points of convergence.

Yet, to have confidence in your material data flows, this is precisely what you should be doing.   My experience with the insurance industry’s Solvency II Regulation and the BCBS239 principles for banking is that identification of the risks present within your data flows is a key consideration for regulatory authorities.

What’s interesting is how few organisations are doing this well.  Instead, they may have a series of controls which they will point to but no clear rationale as to why those controls are deemed adequate.

With one well-known financial institution having had to pay over US$130 million earlier this year for issues related to data quality management and risk controls, this approach clearly won’t cut it.

In this article, I would like to share with you an approach for assessing the risks inherent in your key data flows, that I have found beneficial when working with clients. 

Inherent and Residual Risk

Before we delve into this, let’s take a moment to explore what we mean by risk.

Whenever we look at risk, whether data-related or not, we need to think about Inherent and Residual Risk.

The Inherent Risk is simply the “raw” risk identified, before taking into account the effect of any controls designed to mitigate it.

The Residual Risk, on the other hand, is the risk that remains after the effect of controls is taken into account. 

We can break this down further and look at both types of risk through the matrix of Impact and Likelihood.

A risk may have a high impact, but a very low likelihood of occurring.  Equally, it could have a low impact but a very high likelihood.  Your assessment of the combination of these factors determines the level of control required and the types of controls deemed appropriate.

Taken together, these elements enable us to perform a robust analysis of the risks posed as data is created and flows toward the point of consumption. 

Risk & Control Analysis

Here’s the template I use, which you may find useful to analyse the risks and controls over your most material data flows.  

I’ve deliberately used a simple example based on the data used in the insurance claims registration process. 

The process starts with the preparation of the policy booking instructions, which are then used for keying data into the policy registration system, prior to being retrieved by the Claims Technician at the point of setting up a new claim. 

Articulating the process in this way helps to produce a clear description of the risk.  This, in turn, gives a clearer understanding of the Impact and Likelihood.

Why does this matter?

Without an understanding of these elements, we can’t properly design our compensating controls. 

However, armed with this analysis, we can now assess the controls in place to determine their suitability and whether any gaps exist.

Control Gaps

We can immediately see that the key unmitigated risk is the preparation of the booking instructions.  No formal control exists to ensure this information is accurate, yet the data generated due to this process is perpetuated and relied upon downstream.

We can also see that, whilst there are Quality Assurance controls over the data entered by the Policy and Claims Technicians, these only cover 50% of the risks entered and 100 claims per month respectively.  Whilst this may not be unreasonable, we need to factor it into the residual risk rating to determine whether we are satisfied with the level of remaining risk.

As with all control activities, we need to balance the need for robust checks with cost and efficiency.  How you achieve this balance is a point of debate. 

However, looking at the controls across the data flow in this way allows you to tweak your control environment, to see how each change affects the residual risk and to ensure that your controls are situated in the right place within the flow.  Could you, for example, adjust the policy data entry QA so that it checks not only what is entered against the Front Sheet, but also the contents of the slip, thereby widening the control scope across the flow?

I find using the template a powerful tool in facilitating this fine-tuning.
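The Impact × Likelihood matrix from the Inherent and Residual Risk section and the coverage-based residual rating from the Control Gaps section, worked through for the three-step claims flow above as an added example (not part of the article or its template). The ordinal scale, the 90% catch rate of each QA check and the 400 claims a month are constructed assumptions; only the 50% and 100-claims coverage figures come from the text.

```python
from dataclasses import dataclass, field

SCALE = {"low": 1, "medium": 2, "high": 3}  # ordinal Impact/Likelihood scale assumed here; the article gives none

@dataclass
class Control:
    name: str
    coverage: float       # share of records the check actually examines (0..1)
    effectiveness: float  # assumed share of errors it catches when it does look (0..1)

@dataclass
class Step:
    name: str
    impact: str
    likelihood: str
    controls: list = field(default_factory=list)

    def inherent(self) -> float:
        """Raw risk before any control: Impact x Likelihood."""
        return SCALE[self.impact] * SCALE[self.likelihood]

    def residual(self) -> float:
        """QA checks cut likelihood, not impact; each removes coverage*effectiveness of what is left."""
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.coverage * c.effectiveness
        return round(self.inherent() * remaining, 2)

def claims_flow(policy_qa_coverage=0.5, claims_qa_per_month=100, claims_per_month=400):
    """The article's three-step flow; ratings, catch rate and claim volume are constructed."""
    policy_qa = Control("Policy data entry QA vs Front Sheet", policy_qa_coverage, 0.9)
    claims_qa = Control("Claims QA", min(1.0, claims_qa_per_month / claims_per_month), 0.9)
    return [
        Step("Prepare booking instructions", "high", "medium"),             # no control at all
        Step("Key policy into registration system", "high", "medium", [policy_qa]),
        Step("Retrieve policy at claim set-up", "medium", "medium", [claims_qa]),
    ]

def control_gaps(steps):
    """Steps whose inherent risk is carried downstream unmitigated."""
    return [s.name for s in steps if not s.controls]

def residual_profile(steps):
    return {s.name: s.residual() for s in steps}

def extend_policy_qa_to_slip(steps):
    """Article's tweak: keying QA that also checks the slip becomes a control over booking too."""
    steps[0].controls.append(steps[1].controls[0])
    return steps
```

Running `residual_profile` before and after `extend_policy_qa_to_slip` shows the booking step dropping from an unmitigated 6.0 to 3.3 without adding a new control, which is the kind of re-siting the template is meant to surface.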

Give your Auditors and the Regulator Confidence

Breaking down your data risk analysis in this way also provides you with a useful artefact for articulating the basis of your Data Control Framework to your auditors or the Regulator.

It demonstrates that you have thought about why the controls you have in place are the right ones, and why you may have elected to retain a degree of risk.  More than that, though, it also provides you with a basis for improving your processes and systems to simplify the flows and reduce your data quality risk.


In the next article, we’ll look at how you can create a meaningful and relevant Data Governance Framework that enables your organisation to better manage its data risk and obtain real and lasting value. 
