The Critical Imperative: Bridging the Gap Between Risk Management and Data Governance
In today's financial services landscape, Chief Risk Officers face an accountability challenge. They are answerable for every risk their organisation faces, data risk included, yet there is frequently a dangerous disconnect that undermines their ability to manage the risk posed by poor-quality data effectively.
The Data Dilemma
Data defies traditional risk management paradigms. Unlike physical assets or discrete systems, data permeates every corner of an organisation. It flows across departments, is transformed by countless processes, and exists simultaneously in enterprise systems and in innumerable Excel spreadsheets. This ubiquity creates blind spots that standard risk management approaches frequently fail to capture.
A Tale of Two Departments
The reality is that many Risk departments lack the specialised expertise needed to fully grasp data's complexities. They are good at developing risk and control frameworks, but they do not necessarily understand the intricacies of data lineage and rarely delve down to that level of detail.
For some Risk Departments, data can be a bit of a black box.
Data Governance teams, on the other hand, do possess deep technical understanding—they can track data lineage and measure quality metrics with precision. Yet they often fall short in risk assessment and control design.
They struggle to construct the robust control frameworks essential for risk mitigation and lack fluency in the language of inherent and residual risk, preventive controls, detective measures, and compensating safeguards.
They do not, as a rule, possess the skills required to assess the risks inherent in a data flow and to precision-engineer an appropriate suite of controls to mitigate them.
This is not their domain.
The result?
A dangerous capabilities gap.
The Dangerous Status Quo
Current practice, at least among smaller players in the Financial Services industry, reveals a troubling pattern. Risk Management departments commonly record a single, sweeping risk around data quality and then rely entirely on the Data Governance Framework as their primary control.
This typically translates to a bare-bones approach:
A basic Data Governance Framework
Nominal data ownership assignments
A perfunctory Data Governance Steering Group
This superficial treatment creates a false sense of security that masks serious vulnerabilities.
The Real Cost of Misalignment
The consequences of this disconnect are not theoretical. Consider the Citi "fat finger" incident: a stark reminder of control framework inadequacy that triggered market instability and resulted in a £27.8 million fine from the FCA.
The regulator's findings are particularly illuminating. It acknowledged that some controls existed, but found fundamental design flaws and serious gaps, notably a preventive pop-up warning that the trader could dismiss without reading its contents and the absence of a hard block on an order of that size.
The lesson here?
Risk Management and Data Governance must work together, combining their skill sets in a single, seamless methodology that fuses the strengths of each discipline.
Anything less leaves dangerous gaps in your risk framework.
The Integration Imperative
Let’s unpack this.
Firstly, to properly understand the data quality risks your organisation faces, you must identify the data-dependent processes that are critical to your firm. There is no substitute for this step. A vague understanding of your risks leads only to vague controls.
But it is important to go beyond this. Armed with that knowledge, assess the impact on your firm if bad data reaches those processes. Understanding your worst-case scenarios is a fundamental prerequisite to designing an effective suite of controls.
This integrated approach is a significant step beyond the paradigm of vague risk identification and generic quality indicators still prevalent in some firms. It provides a dynamic system for actively managing data risks with far greater transparency and effectiveness.
The Bottom Line
The choice is stark: continue with fragmented, inadequate oversight or implement a truly integrated approach to data risk management.
Given the escalating costs of data failures, can your organisation afford to maintain the status quo?
The real question isn't whether to integrate Risk Management and Data Governance—it's how quickly you can close this critical gap before it becomes a crisis.
Coming Next: Creating a culture of joint accountability for data risk
Subscribe here to get future articles in this series.
--
Need Data Governance help?
Book a call here to discover how we can support you.