Executive Summary
Data Risk Management is a component of Operational Risk. This article provides an approach to align the ORX Operational Risk and the EDM Council Data Management Capability Assessment Model (DCAM™) frameworks. The paper also discusses the applicability of Data Risk Themes and Data Risk Dashboards to provide a consolidated view across the organization.
Data Risk Management
According to Wikipedia, Risk Management is the identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities. Data Risk Management is the management of Data Risk. Data Risk is a component of Operational Risk.
ORX Framework for Operational Risk Management
The ORX group in Geneva, Switzerland is the largest Operational Risk Management association in the financial services sector. ORX maintains an overall framework including a reference taxonomy of operational risk events (see Figure 1 for partial list).
The ORX framework also includes a small section on Data Risk Management (see Figure 2).
The ORX Reference Taxonomy
EDM Council & DCAM
The EDM Council is a global association created to elevate the practice of data management as a business and operational priority. The EDM Council maintains the DCAM framework, which is an industry standard to assess an organization’s data maturity. The DCAM v2.2 Framework has eight components, 38 capabilities, and 136 sub-capabilities (see Figure 3).
Whereas most Data Risk frameworks tend to focus primarily on Data Protection and Data Privacy, DCAM assesses the data strategies, organizational structures, technology, and operational best practices needed to successfully enable and sustain a mature data management discipline across the organization.
Alignment of ORX & DCAM Frameworks for Data Risk Management
The ORX and DCAM frameworks are complementary, with the latter providing a more granular level of detail with respect to Data Risk Management. Here are a few areas where both frameworks can be combined (not an exhaustive list):
1. Use DCAM to identify additional Data Risks within the ORX framework (e.g., Inadequate Data Stewardship)
2. Leverage DCAM to drill down on existing Data Risks within the ORX framework (e.g., Inadequate Data Architecture, Incomplete Metadata)
3. Add Data Risk Theme to provide consolidated view across Operational Risks
4. Build Data Risk Dashboard
Use DCAM to Call Out Inadequate Data Stewardship Risk within ORX
Inadequate data stewardship is not called out explicitly within the ORX reference taxonomy. The lack of established ownership of data through skilled data stewardship can result in critical business operations being disrupted, improper data usage, as well as negative financial, regulatory, and/or reputational issues. Data stewardship roles should be staffed for data assets and data domains. Stewards are responsible for data management and data governance activities to ensure data assets are accessible, usable, safe, trusted, and fit for purpose. DCAM references data stewards in multiple data management components.
For example, DCAM Component 3.0 – Business & Data Architecture demonstrates the critical importance of business and technical data stewards in bridging business requirements with the technical environment to address data usage, data restrictions, and data ethics considerations across all regulatory and internal policies to mitigate risk.
In addition, DCAM Component 5.0 – Data Quality Management requires the identification of a network of data stewards with the accountability to ensure data is properly captured, processed and delivered.
Use DCAM to Drill Down on Inadequate Data Architecture Risk within ORX
Inadequate Data Architecture is a level 2 risk within the ORX reference taxonomy. The lack of a framework for data domains and an approach to Authoritative Systems of Record (ASORs) is a data architecture risk. For example, a bank needs to call out data domains relating to Retail Banking, Corporate Banking, Treasury, Finance, and Human Resources. The Retail Banking data domain includes sub-domains relating to Deposits and Credit. These data domains are foundational to downstream data management activities relating to data stewardship, Critical Data Elements (CDEs), and data quality.
DCAM Component 3.0 – Business & Data Architecture focuses on both business and data architecture capabilities instrumental in the design of information content. Component 3.0 ensures integration between business process requirements and the execution of the data architecture function. This includes identifying, designing, and executing capabilities to support the organizational business processes, in conjunction with establishing data domains, taxonomies, and the designation of CDEs and documentation of metadata. Data Architecture establishes clear definition and appropriate use of data and ensures that proper governance is in place to manage data on a sustainable basis.
Use DCAM to Extend Poor Data Quality Risk within ORX Relating to Incomplete Metadata
Incomplete Metadata may be considered a part of the level 2 risk around Poor Data Quality within the ORX reference taxonomy. Metadata Management is critical to any organization looking to optimize the use of its data. It ensures data is trusted and accessible to appropriate data consumers, giving them visibility into what data is available and information about data lineage. Risks associated with poor metadata management include financial impacts, competitive disadvantages, and potential regulatory impacts. The risk of inadequate business and technical metadata and data lineage can result in inaccurate, inconsistent, incomplete, delayed, or irrelevant Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs).
DCAM speaks to Metadata Management in Component 3 – Business & Data Architecture, which states that business and technical metadata (including data lineage) should be defined, modeled, and standardized, and that metadata should be inventoried and maintained in a metadata repository and accessible to stakeholders in a data catalog.
Data Risk Theme
A Data Risk Theme is an appropriate mechanism to tag data-related risks, which are mapped to different areas of the Operational Risk taxonomy. For example, several ORX Non-Data Risks have a strong data management flavor (see Figure 4).
Data Risk Dashboard
A Data Risk Dashboard provides a suitable view into the organization’s progression over time. The Data Risk Dashboard should contain KPIs and KRIs. For example, the Data Quality Index is an appropriate KRI to assess risks relating to data quality. In addition, the number of data issues raised by the First, Second, and Third Lines of Defense is also an appropriate KRI. A sample Data Risk Dashboard is shown in Figure 5.