Building a Comprehensive Data Controls Framework: Beyond the Basics of Quality Metrics

First published on my website (Building a Comprehensive Data Controls Framework: Beyond the Basics of Quality Metrics — AHUJA CONSULTING LIMITED)

Your Data Quality Indicators Aren't Enough

You've got your Data Quality Indicators (DQIs) tracking completeness, accuracy, timeliness etc.

Great start – but here's the uncomfortable truth: you're still exposed to major data risks.

Why?

DQIs are reactive by nature. They're catching problems after the fact, when your data's already compromised and you're burning resources on fixes.

Even worse, they leave dangerous blind spots in your data flows.

Consider this wake-up call: one of my previous clients discovered their compliance return had been running on incomplete data for months. Despite robust DQIs monitoring accuracy and field completeness, no one noticed an entire data feed had switched off. Their sophisticated metrics couldn't spot what wasn't there.

Building a Bulletproof Framework

The solution isn't more DQIs – it's a comprehensive Data Control Framework that anticipates and blocks problems before they cascade through your systems.

Your Control Arsenal - A Two-Pronged Defence:

1. Primary Controls
2. Compensating Controls

Primary controls are your first-line defenders, custom-built to mitigate against specific risks identified in your critical data flows. These controls form the foundation of your Framework.

Compensating controls, on the other hand, are your safety net when primary controls fail - which they will! They are essentially broader measures to take up the slack.

There are two crucial flavours:

Preventative Controls: ?Your First Line of Defence - these are the bouncers of your data eco-system. ?

These include mandatory fields, which ensure completion, system validations that reject bad data entry, or Master Data Management ensuring consistency across systems.

They're efficient, but they're not infallible. ?For example, a validation might restrict input values but can't guarantee the right value is chosen.?

So, you need to complement these controls.?

Detective Controls: Your Quality Assurance Backbone.? ?

Compensating controls tend to be detective in nature but detective controls are also excellent as part of your primary arsenal.

These might entail Quality Assurance (QA) checks against golden sources to mitigate the risk of data entry errors or “fat fingers”. This could be in the form of a 100% check or a more nuanced partial check, due to their resource intensive nature.

We’ll cover-off some key considerations on effort and cost below.

System-to-system reconciliations are another important detective control to ensure that data being passed through your eco-system retains its integrity and does not result in data loss or corruption. These can be largely automated with manual effort only required in the event of an exception.

Finally, this class of controls also includes those familiar DQIs - yes, they still have an important role, serving as an excellent example of a compensating control over front-line QA checks.

The graphic below depicts a flow of data for the reinsurance recoveries process in an insurance company and depicts a range of primary preventative, detective and compensating controls.

Building Your Framework: The Critical Factors

So we know what the building blocks of your Framework look like. The question is how you put them together to form a tailor made approach for your organisation.

One that provides the right degree of protection for an appropriate cost.

When designing your Control Framework, it is essential to consider the following:

• Compatibility with existing systems & processes
• Cost-effectiveness and feasibility

Compatibility with existing systems and processes

Your controls must interface with your data's entire lifecycle, from creation to consumption. Here's what this means in practice.

Firstly, your controls need precise positioning based on identified risks in critical data flows. This demands more than a surface-level lineage understanding – you need to grasp the business processes that create and transform your data at every step.

Each identified risk should ideally have a primary control right at its source. Too many organisations fall into the trap of quality-checking at the endpoint, but this is like trying to catch water from a broken pipe at the bottom of a building instead of fixing the leak at its source.

Secondly, when designing upstream systems, build them with downstream requirements in mind. This isn't just good practice – it's essential for embedding effective preventative controls from the start. So, ensure that your mandatory fields and system validations are aligned with your downstream use cases. Over time, the downstream consumption requirements will change and your systems need to keep pace.

Thirdly, your compensating controls need strategic placement across the data flow. These aren't just backup measures; they should serve as safety nets for any gaps in upstream primary controls.?

You may choose to build in such compensating measures to the management reviews you carry out on summarised data sets.

Pro tip: In these reviews, don't just compare your summarised data against historical patterns. You might also elect to design the control to include an element of spot-checking of the granular data to catch subtle anomalies that aggregate checks might miss. Yes - it’s extra effort, but the granular level checking could be undertaken by a junior reviewer to relieve the impact of this.

Cost Effectiveness and Feasibility

Every control comes with a price tag – in both time and resources. The key is building a framework that's both robust and realistic:

Your initial risk assessments of use cases are crucial here. Without a detailed analysis of risk levels in your data flows, you're flying blind on control requirements.

Here's the reality check many miss: you don't need to eliminate every risk completely. Instead it's about setting a realistic risk appetite (we'll dive deeper into this in a future piece) and focusing your resources where they matter most.

The Framework in Action

Here are the key takeaways:

• Primary controls target specific, identified risks
• Compensating controls provide broader coverage
• Preventative controls mitigate issues at the source
• Detective measures catch anything that slips through
• Controls are matched to risk levels to ensure efficiency
• Regular reviews ensure the framework remains relevant

Remember: your Framework needs to be strong enough to protect your data but flexible enough to adapt as your systems and requirements evolve.

It's about finding that sweet spot between iron-clad security and operational agility.

The Bottom Line

Stop relying on rear-view mirror metrics.

Instead, build a framework that catches problems before they happen, but stays nimble enough to keep your operations flowing. ?Get this right, and you'll have more than just better data – you'll have a robust defence that regulators and auditors will recognise.

?

Coming Next: How to scope your control framework for maximum impact with minimum overhead.

Subscribe here to get future articles in this series.

--

Need Data Governance help??

Book a call here to discover how we can support you.