Data Risk is a Jump Ball between Data & Risk Management Teams: How I Started Out Writing a Book But Ended Up Building a Product

Sunil Soares, Co-Founder & CEO, Tavro

I had originally meant to devote my next (14th) book to Data Risk Management with Agents. However, after writing the first 20 pages and talking to industry practitioners, it became clear to me that there is a real gap in the industry. Data Risk is a jump ball between the Data Management and Risk Management teams in a typical organization.

What is Data Risk?
According to PwC, data risk is the exposure to financial or reputational harm caused by loss, limitations (e.g., inaccurate and poor data quality) and related issues to an organization’s ability to acquire, store, transform, move, protect and use its data assets. 

Chief Data & AI Officers Must Partner with their Risk Management Counterparts
The above-mentioned definition of data risk comes from PwC’s Cybersecurity Practice. With the possible exception of highly regulated financial services companies, data risk is largely the domain of cybersecurity teams. Within financial services, data risk is largely driven by compliance with regulations such as BCBS 239.

Chief Risk Officers Need to Partner with CDAIOs to Focus on Data Controls
Data risk is a subset of Operational (Non-Financial) Risk. CROs need to partner with CDAIOs to operationalize data risk compliance. For example, the Truth in Lending Act (TILA) regulates the marketing of credit cards to underage consumers. This regulatory requirement needs to be operationalized with the appropriate data controls for Critical Data Elements (e.g., Date of Birth) and Data Quality (to ensure that the date of birth is correct, so that customers under the age of 21 are correctly identified).

Operationalizing Data Risk
Data risk has multiple operational elements:

  • Data Readiness of AI / Bridging Data & AI Governance
    Organizations are spending huge sums on AI use cases. However, the data in their source systems is not ready for prime time. In a recent AI Governance presentation, Nicole Janeway Bills relayed concerns from a multinational company that had just released an AI chatbot. In the words of the data manager, “we spent 80 percent of our time fixing the data to make the chatbot work.”

  • Data Mapping into Process Risk & Controls Inventory (PRCI)
    Data risks and controls need to be mapped into the overall inventory of processes, risks and controls. There is a lot of discussion about whether data risks need to be a specific risk category or should be mapped into other, more generalized risks relating to regulatory compliance and cybersecurity. However, that is a discussion for another day.

  • Data-Focused Controls with Automated Testing and Evidence Using Agents
    The PRCI needs to contain data-focused controls, such as controls for Metadata Management and Critical Data Elements (CDEs). These controls need to be tested against evidence such as a metadata management standard, a data catalog with CDEs, and a process for data certification. AI agents can automate the gathering and assessment of evidence to support controls testing.

  • Data-Focused Key Risk Indicators (KRIs)
    The percentage of Certified Tier 1 CDEs is a useful KRI to support Metadata Management Risks. KRI metrics may be extracted from the data catalog.

  • Data Mapping into Risk & Controls Self-Assessments (RCSAs)
    A business executive (the First Line of Defense, in banking parlance) may need to conduct an RCSA on the Credit Card Marketing Campaign process. The purpose of the RCSA is to identify the risks, controls, and mitigants within this process. The business executive needs to map any data-related risks and controls into the RCSA with support from the data management teams.

  • Value Realization is Also a Data Risk
    Inability to quantify the financial benefits of data management is also a very real risk. Based on work with a large multinational company, we developed an AI agent to auto-generate the first draft of business cases in Collibra. The approach would serve as evidence to support testing against the Value Realization Control.
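As an added illustration of the TILA example and of the "Data-Focused Controls" and "KRI" items above (example code written for this page, not the post's own material and not Tavro's product code), the script below runs a data quality rule on the Date of Birth CDE, tests the under-21 marketing control against a constructed campaign extract, and computes the "percentage of Certified Tier 1 CDEs" KRI from a constructed catalog. The customer records, catalog entries, field names, tier labels, the reporting date and the plausibility threshold are all assumptions made for the example.

```python
"""Data-focused control test and KRI extraction (added example; all data constructed)."""
from datetime import date

# Constructed customer extract for a hypothetical credit-card marketing campaign.
CUSTOMERS = [
    {"customer_id": "C001", "date_of_birth": "1990-05-14", "in_campaign": True},
    {"customer_id": "C002", "date_of_birth": "2006-11-02", "in_campaign": True},   # under 21
    {"customer_id": "C003", "date_of_birth": "",           "in_campaign": True},   # missing DOB
    {"customer_id": "C004", "date_of_birth": "1899-01-01", "in_campaign": False},  # implausible
    {"customer_id": "C005", "date_of_birth": "2010-13-40", "in_campaign": True},   # invalid
]

# Constructed data catalog entries: CDE name, tier, certification flag.
CATALOG = [
    {"cde": "Date of Birth",    "tier": 1, "certified": True},
    {"cde": "Customer ID",      "tier": 1, "certified": True},
    {"cde": "Credit Limit",     "tier": 1, "certified": False},
    {"cde": "Marketing Opt-In", "tier": 2, "certified": False},
]

AS_OF = date(2025, 1, 1)   # constructed reporting date
MIN_AGE = 21               # TILA threshold referenced in the post
MAX_PLAUSIBLE_AGE = 120    # assumed plausibility bound for the DQ rule


def parse_dob(raw):
    """Return a date, or None when the value is missing or not a valid ISO date."""
    try:
        return date.fromisoformat(raw) if raw else None
    except ValueError:
        return None


def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def check_dob_quality(records, as_of=AS_OF):
    """DQ rule for the Date of Birth CDE: completeness, validity, plausible range.
    Returns a list of (customer_id, issue)."""
    issues = []
    for r in records:
        raw = r["date_of_birth"]
        dob = parse_dob(raw)
        if raw == "":
            issues.append((r["customer_id"], "missing"))
        elif dob is None:
            issues.append((r["customer_id"], "invalid"))
        elif dob > as_of or age_on(dob, as_of) > MAX_PLAUSIBLE_AGE:
            issues.append((r["customer_id"], "implausible"))
    return issues


def check_underage_marketing(records, as_of=AS_OF):
    """Control test for the under-21 requirement: a campaign member is an exception
    if the DOB shows an age below MIN_AGE, or if age cannot be evaluated at all."""
    exceptions = []
    for r in records:
        if not r["in_campaign"]:
            continue
        dob = parse_dob(r["date_of_birth"])
        if dob is None:
            exceptions.append((r["customer_id"], "age_unverifiable"))
        elif age_on(dob, as_of) < MIN_AGE:
            exceptions.append((r["customer_id"], "under_21"))
    return exceptions


def kri_certified_tier1_pct(catalog):
    """KRI: percentage of Tier 1 CDEs that carry a certification flag in the catalog."""
    tier1 = [c for c in catalog if c["tier"] == 1]
    if not tier1:
        return 0.0
    return 100.0 * sum(1 for c in tier1 if c["certified"]) / len(tier1)


def control_evidence(records, catalog, as_of=AS_OF):
    """Assemble the evidence package an agent would hand to controls testing."""
    exceptions = check_underage_marketing(records, as_of)
    return {
        "dq_issues": check_dob_quality(records, as_of),
        "control_exceptions": exceptions,
        "kri_certified_tier1_pct": kri_certified_tier1_pct(catalog),
        "control_passed": not exceptions,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(control_evidence(CUSTOMERS, CATALOG), indent=2))
```

Two design points worth noting: a record whose date of birth is missing or unparseable is reported as a control exception rather than silently skipped, since an unverifiable age is exactly the failure the TILA control exists to catch; and the KRI is derived from the catalog's certification flags, which is the kind of catalog-sourced metric the post describes.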

The Elephant in the Room: Do We Care About Data Risk Given that the Pendulum Has Swung Towards a Light Regulatory Touch?
Let’s face it. The pendulum has swung, at least in the U.S., towards a lighter regulatory touch. Notwithstanding this development, there are a few reasons to continue to focus on data risk:

  • Organizations are already spending huge sums of money on data risk. There are significant opportunities for operational efficiencies with the use of AI agents
  • Data risk controls improve AI readiness, and that has the attention of board rooms

Sanjeev Varma and I spent the past few months building out the Tavro Data Risk Manager Platform, which reimagines Data Risk with Agents. We already have customers in production and have received excellent feedback. Ping me if you want to learn more.

And yes, I am still working on the book. The publication date has just moved out a bit!