Enterprise Data Management: data is everywhere, how can it be managed effectively to harness its power?

Nearly two years ago, one of our previous blogs asked a question on whether data was being managed effectively to harness its power. This question is still pertinent today; data is still very much a hot topic and there is a continued desire for organisations to make better use and derive value from the extensive data they have available.

Enterprise Data Management (EDM) can be defined as how an organisation governs the meaning, use and protection of data. For an organisation to achieve this and enable growth, maximise efficiency and minimise risk, requires a comprehensive EDM programme with associated accountability agreed and documented. The desire to drive growth from data needs to be balanced against compliance with regulatory requirements (e.g., GDPR and BCBS 239) and having appropriate strategy, policy, controls and monitoring over the management of data. Keeping on top of the evolving regulatory requirements can become more straightforward with a clear EDM structure.

Challenges to developing and embedding EDM:

Whilst there are significant benefits in establishing effective and sustainable EDM, achieving this can be difficult and there are many barriers to success which need to be considered:

• Resourcing – Developing, embedding and maintaining an ongoing EDM programme requires sufficient dedicated budget and resource to make it effective and sustainable.
• Leadership – An organisation needs a dedicated member of the executive, with experience in data management, to provide focus and guide EDM. Without this, an organisation may not fully perceive the value of EDM, resulting in a lack of management commitment.
• Siloed data – This can happen due to numerous reasons including new data sources, rapid-fire pace of data collection, organisational structures and internal friction between teams.
• Data quality – It is important that an organisation acquires the right data that it needs to grow and meet shareholder expectations. Effective decisions cannot be made using poor quality data.
• Data control and ownership – There needs to be clear definition of ownership and associated controls, as without these it becomes more challenging to effectively embed EDM and obtain the associated benefits. Data ownership may be a new concept within an organisation which can make this more difficult to achieve.
• Obtaining data without considering the risks – Everyone across the organisation needs to be aware of the costs or risk associated with obtaining and using data, including the ethical access and use of this data.

Data strategy and programme:

To effectively implement EDM, many organisations will create a programme to effectively deliver and embed it. There are many approaches that can be taken to an EDM programme, which in general include some common themes. The vision and overall strategy for data management should be defined, approved and adopted by stakeholders. The strategy should be well understood and used. It should include communication and training requirements to enable all levels of the organisation to have a clear understanding of why EDM is important and their associated responsibilities.

It is also important that these are aligned to industry accepted practice as well as the strategic goals of the organisation. Examples of industry accepted practice covering all aspects of EDM would include, the Data Management Capability Assessment Model (DCAM) and the Cloud Data Management Capabilities (CDMC) framework, both from the EDM Council.

Data governance and controls:

The data governance model is a key component of a successful EDM initiative. There needs to be an appropriate structure and implementation plan to embed this across the organisation. The model should embed EDM as an established business function, prescribing guidelines for data movement, formalise oversight and enable EDM principles to be detailed and adopted. Some key considerations should include how access to data (including third party data), how data is controlled, and how this is reflected in policies and standards. Also, data ethics should be explicitly covered in such policies and standards.

There should be appropriate organisation structures, and associated components to ensure the implementation of data management. This should include cross-functional collaboration (e.g., with information security and third-party management) that enables integration of EDM with the rest of the organisation. It is necessary that effective controls have been designed and are operating. Consideration also needs to be given as to how these controls are tested and monitored.

Data quality:

It is vital that there is timely delivery of accurate, consistent and complete data. An organisation should define the approach to achieving this along with how they will measure the effectiveness of associated processes. Regulators take a keen interest in this area, for example, the focus from the PRA through their Dear CEO letter on the reliability of regulatory reporting.

Platform and architecture:

To integrate data into business processes, the associated technical requirements and architectural framework need to be defined. The platform should enable secure access to data and allow for it to be easily searched and understood. This will require collaboration between the EDM programme and both business and technology architecture functions.

Internal audit’s response

Internal audit needs to be able to provide assurance over how the organisation is managing its data risk. To achieve this, it needs to have the appropriate levels of skills and knowledge to interact credibly with the Chief Data Officer and Chief Technology Officer (or equivalents) as well as the wider business.

Consideration should be given to where the use of data analytics can assist in obtaining assurance, for example, in re-performing and validating metrics in reporting on EDM or on compliance with key controls. It could automate and create a dashboard to allow for more continuous validation and auditing.

An understanding of the organisation's level of maturity in relation to EDM should be obtained, which could be achieved through a specific audit of the area. This can help to create a more focused and beneficial series of audit engagements to reflect where the organisation is on the EDM journey. Examples of targeted reviews could include:

• Programme review to assess readiness as EDM elements are being implemented
• Data governance policy review and compliance assessment
• Review of data ownership and data lineage in line with policy and best practice
• Platform review to establish appropriateness and whether this is being managed effectively
• Data quality review which could cover alignment of framework with overall goals and which should be linked to business requirements as well as measurement and assessment

Disclaimer: The views reflected in this article are the views of the authors and do not necessarily reflect the views of the global EY organisation or its member firms.