Bridging Data Governance and Risk Management Through Culture Change: An Imperative for Financial Services and Insurance Organisations

First published on my website (Bridging Data Governance and Risk Management Through Culture Change: An Imperative for Financial Services and Insurance Organisations — AHUJA CONSULTING LIMITED)

CROs in Financial Services organisations are increasingly concerned about data quality risk.

The regulatory landscape is becoming ever tighter with hefty fines and reputational damage being distinct possibilities.

More than this, though, is the recognition that data must be viewed as a strategic asset if firms are to keep pace with their competitors.

Clearly, in today's data-driven landscape, managing data risk requires far more than just establishing policies and controls.

It demands a collaborative culture where data governance and risk management teams share responsibility and work together seamlessly. This article explores how organisations can foster joint accountability for data risk between these crucial functions.

The Current Challenge: A Tale of Two Teams

Traditionally, Data Governance and Risk Management have operated in distinct spheres.

Data Governance teams focus on data quality, accessibility, and standardisation, while Risk Management teams address broader organisational risks, including those related to data breaches and compliance.

But this siloed approach leads to gaps in risk coverage, duplicated efforts, and missed opportunities for comprehensive risk management.

Why is this?

Typically, data is seen as a black box by Risk Management teams.

Whilst they are experienced at identifying and mitigating risks, they typically do not have the skills necessary to create a detailed data lineage to be able to identify the risks inherent within it.

Data Teams, on the other hand, are more adept at understanding the data flows, but they lack the skills to identify and assess risks, or to design an effective Data Controls Framework, complete with fail-safes and calibrated to the inherent risks.

These gaps in skill sets can be understood if we take a moment to consider the historical development of both disciplines. In the early days, Risk Management emerged from the fundamental need to understand and quantify uncertainty. Actuaries and statisticians developed sophisticated mathematical models to gauge risks. The focus was primarily on the technical aspects of risk assessment and the establishment of clear decision-making hierarchies for risk acceptance and pricing.

Meanwhile, Data Governance followed a distinctly different path. It began in the 1960s and 1970s with the advent of computerised record-keeping, initially focusing on basic data management practices like maintaining records. As technology advanced through the 1980s and 1990s, Data Governance expanded to encompass a wider set of data quality controls. However, these efforts were often led by IT departments, operating independently from risk management functions.

This separation was feasible in an era when data volumes were manageable and firms were not as reliant on data as they are now. Financial Services and insurance companies could effectively operate with Risk Management and Data Governance as distinct domains, each with its own objectives, processes, and organisational structures. Risk teams focused on understanding and quantifying financial, operational and trading risks, while Data teams concentrated on maintaining and protecting information assets.

The contemporary business environment has fundamentally altered this landscape. Several forces have converged to make the integration of Risk Management and Data Governance an imperative for the modern Financial Services and insurance industry.

Firstly, Financial Services organisations are now far more data driven than was previously the case. There are increasing pressures to automate, with all of the benefits that brings in terms of time and resource efficiencies. Accordingly, firms now depend more than ever on data to feed the downstream processes they rely upon.

Take an insurer’s facultative recoveries process. In the past, this would have been administered manually. Now, insurers increasingly adopt a straight-through process, which is automatically instigated by the direct claims payment. But for this to operate optimally, accurate and complete data entry on both the direct and reinsurance policies is a necessity. The price of failing to do so is missed reinsurance recoveries, impacting overall book profitability.

Secondly, regulatory requirements have evolved to recognise the interconnected nature of risk and data management. Regulations like Solvency II and BCBS239 now demand comprehensive approaches that span both domains. Regulators expect a well-designed control environment spanning the entire data flow, from upstream source to downstream usage. Firms must demonstrate not only sound Risk Management practices but also robust Data Governance frameworks that ensure that data is materially accurate, complete and appropriate.

Bridging The Culture Gap

So, the question, then, is how do we harmonise Data Governance and Risk Management?

There are several facets to this.

Clearly, there is a need to develop and roll out a unified framework with a RACI outlining which teams are responsible for each component. But a framework is just one side of it and, on its own, is not likely to be sufficient in bridging the gap.

Given the historical development of both Risk Management and Data Governance, there is a clear imperative for firms to bridge the culture gap. There is a distinct need to ensure that the operating culture between the two teams is consistent in a way that goes beyond a mere framework.

This is an essential first step once the need for closer alignment has been recognised. Clearly, this is a huge topic but I’m going to suggest two practical ways in which you can start to address it that will yield immediate benefit.

Solution 1: Elevate Data Risk on the Risk Radar

First and foremost, there is a need to ensure that data quality risk features as an essential component of the Risk Department’s Key Risk Indicators (KRIs).

It’s got to be on the radar.

Here are some powerful metrics to consider:

  • Critical Data Quality Issues: One of the most important is a view of how many data quality issues have been raised that are judged to impact a critical business outcome. As a KRI, this metric provides us with a view of how data is currently impacting the firm's “must do” operations. It can be augmented with commentary on the level of impact, as well as how the firm is currently working around this. The work-arounds themselves will probably entail a level of risk, which needs to be transparent.
  • Issue Resolution Time: The above metric can also be supplemented with a view showing the average time these issues take to fix. This yields an important view into the firm's data culture. Very often, temporary work-arounds end up becoming part of the permanent landscape. As such, time to fix can be a useful rule-of-thumb gauge of the data culture and immensely useful when assessing the overall enterprise data risk.
  • Number of Mapped Data Flows: Mapping of the data flows is fundamental to ensuring that inherent risks are identified and mitigated. But this takes time. To undertake this properly, at the level required, involves considerable effort and resource, often involving multiple teams. All the more reason why unmapped and partially mapped flows feeding those critical use cases need to be reported on the firm's KRIs. This can also be augmented with commentary over the specific critical use cases currently unmapped and their respective risk ratings, to provide the Risk Committee with the level of transparency they need to understand the data risks faced by the firm.

Solution 2: Build Risk Literacy in Data Teams

A second facet of culture change is focused on raising the level of literacy over data risk within the business, specifically that of the Data Governance Team.

Just as data literacy programs exist, which aim to improve the level of competency around data throughout the organisation, there is a need for those concerned with governing data to be literate in the language of risk.

What does this mean?

The Data Governance team and data owners need to have an appreciation of the following:

  • Inherent Risk
  • Residual Risk
  • Risk Appetite

An understanding of these vectors will help them better assess the risks buried within the data flows and opine more effectively on control adequacy and the likelihood of unforeseen risks that would otherwise fall through the gaps.

More than that, though, a common language shared between the Data Governance Team, as well as data owners, and the Risk Team will help break down silos and make the entire data landscape more robust.

The Way Forward: Commitment to Collaboration

Creating a culture of joint accountability for data risk is not a one-time initiative but a continuous journey. Success requires commitment from leadership as well as clear structures, processes and ongoing effort to maintain collaboration.

Firms are already starting to embark on this journey with data risk teams becoming more common, a recognition of the criticality of this niche. Organisations that successfully bridge the gap will be better positioned to handle the complex data challenges of the future.

The rewards of this integrated approach include more effective risk management, improved data quality, enhanced compliance, and better business outcomes. As data continues to grow in importance, organisations that embrace joint accountability will have a significant competitive advantage in managing data-related risks and opportunities.


Coming Next: More on how to deliver a closer and more collaborative culture between Risk Management and Data Governance.

