In July 2021, a major global bank reported a loss of $5.5 billion as a result of one of its customers defaulting. The bank found that the investment banking branch had failed to manage and control the situation, which was the root cause of the loss. This event highlights the critical importance of having a solid governance framework to manage data risks in the banking industry. The framework should be based on the right combination of people, processes, and data.
Technological advancements have created expectations for banking services catering to customers’ on-demand needs, which is crucial for sustainable growth. By adopting digital banking solutions such as mobile banking, internet banking, kiosks and even WhatsApp, it has become easier to serve customers on the go. It is worth noting that a typical bank offers its services through 70 to 100 channels. Moreover, banks can leverage the insights obtained from big data generated by customers’ interactions with multiple channels.
The implementation of digital solutions in traditional processes has brought significant gains, but it also poses several risks. Financial institutions must proactively address these risks related to data as part of their overall risk management strategy. Insights gained through data analysis can help make informed decisions, ultimately reducing operational, regulatory, and credit risks. Although traditional information security frameworks help mitigate some of these risks, a robust Data Governance program can further strengthen banks’ risk mitigation strategies. This will help unlock significant gains from data analysis.
Are you aware of the potential dangers associated with data risks? It’s not just about avoiding data breaches, but also about ensuring your credibility and avoiding legal repercussions. By taking proactive steps to manage data risks, you can protect your sensitive information and safeguard your valuable assets. Let’s work together to mitigate data risks and keep your data secure.
Data is a valuable asset for any business organization and needs to be managed actively along with technology and human resources. As open-source software has evolved, so have the data management offerings, such as cloud warehouses or lakes, and the technology to analyze big data. However, managing data involves several risks, including risks to confidentiality, integrity, and availability. There could be additional risks related to data privacy, regulatory sanctions, and contractual obligations when using third-party providers.
Traditional “command and control” IT control models may not meet digital businesses’ demands. According to a survey conducted in 2021, 61% of respondents aim to optimize their data for business processes and productivity. Therefore, a flexible, responsive, and customized model that caters to a business’s specific data needs and objectives would be more suitable than a one-size-fits-all, center-out model.
With the recent focus on customer privacy coupled with the evolution of public policy, banks are forced to acknowledge data privacy risks across the lifecycle of personal data. Generally, policies, guidelines, and regulations emphasize maintaining accurate personal information within the system so that it can be retrieved whenever a customer requests it.
Traditional risk management frameworks that focus on maintaining data availability, integrity, and confidentiality without addressing classification, quality, and privacy concerns may leave banks struggling to meet legal and regulatory compliance requirements. For instance, privacy laws require organizations to provide data subjects with copies of the personal data they collect, process, or store. Without a robust Data Governance framework where all such data are appropriately classified and centrally stored, banks could spend precious resources collating this data manually and responding within the set timelines. Therefore, banks must look at their risk management strategies to secure and derive value from their data.
Building Blocks for a Robust Data-Centric Risk Mitigation Framework
Defining Key Performance Indicators
Risk reporting: To ensure accurate reporting of data risks to the board, sponsoring programs that strengthen data operations is essential. For instance, if the risk management team sets a goal of 100% compliance for data operations, all compliance-related risks must be actively managed within the appetite and tolerance levels. However, before resolving questions related to acceptable data delinquency levels of customers (e.g. whether it’s 10% or 30%), it is crucial to identify them first.
Management oversight and commitment: Banks’ board and senior management are responsible for promoting the identification, assessment, and management of data risk through policy. A risk policy should guide the scope of data risk, provide guidelines for identifying it, and define the role of personnel along with their responsibilities and accountability. The impacts of data risk can often be noticed if it is formally managed. For example, data risk scenarios can be identified in a business where data, architecture, quality, and meaning can impact important metrics such as customer reachability, satisfaction in operations change, and time-to-market.
Governance Models
Capability-based risk assessment: It is essential to use both quantitative and qualitative risk assessment methods to manage data-related risks. One possible solution is a capability-based data risk assessment. This technique can be used to plan and develop a data risk strategy. To help banks in their initial risk journeys, a registry of data risks can be created across various areas such as data management, operations, contracts, project management, privacy, and security. However, data risk assessment may not be accurate if limited characteristics are analyzed. Therefore, collecting more risk event characteristics can improve the risks’ predictability in data operations. Various tools and techniques for data risk management can also be utilized.
Data Governance framework: Organizations utilize a specific framework to implement Data Governance within their organization. The primary purpose of this framework is to enable various stakeholders across the organization to differentiate Data Management activities from Data Governance activities. By doing so, they will be able to realize the full benefits of data.
This Data Governance framework distinguishes Data Management activities as enablers. Each Data Management activity, such as Data Quality assessment, metadata management, and data privacy impact analysis, is considered an improved capability made available to the organization to fulfil a specific need. These enablers can be classified into three types: business, process, and technology. For example, “policy making” is a business enabler, “metadata service management” is a process enabler, and “data profiling” is a technology enabler.
One comprehensive way to manage data risk in an organization is to use the Control Objectives of Information Technology (COBIT) framework. COBIT has three main components: benefits enablement, program delivery risk and operations, and service delivery risk. These components can be applied to the organization’s data risk landscape to provide a holistic view of data risk management.
One can have metrics formally stated as key risk indicators (KRIs) for every Data Management dimension. The KRI for Data Quality-Data Management can detect process breaks, such as “mobile number getting updated even though it’s not verified through one-time-password” or “overwriting a current email address with an older one in core systems due to incorrect pipelining.”
Most of these changes must be recovered by adding people to recover the faulty data from an application form. However, by using information technology systems, data issues can be permanently resolved. Risk can be managed entirely when technology and people controls are combined in operational processes. Similarly, Data Quality key risk indicators (KRIs) can detect process breaks, and those detections can be used to recover faulty data.
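The two process breaks named above can be expressed as rules over a change log of customer contact fields. The following is an added example, not code from the original article: the record layout, rule names, sample events, and the 10% tolerance are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Change:
    customer: str
    field: str             # "mobile" or "email"
    value: str
    captured_at: datetime  # when the customer supplied this value
    otp_verified: bool = False

# Constructed sample events, in the order a core system applied them.
EVENTS = [
    Change("C001", "mobile", "+00-0000000001", datetime(2023, 1, 5), otp_verified=True),
    Change("C002", "mobile", "+00-0000000002", datetime(2023, 1, 6), otp_verified=False),
    Change("C001", "email", "new@example.com", datetime(2023, 3, 1)),
    Change("C001", "email", "old@example.com", datetime(2022, 7, 9)),  # stale overwrite
    Change("C003", "email", "c3@example.com", datetime(2023, 2, 2)),
]

def find_process_breaks(events):
    """Return (rule, event) pairs for the two process breaks."""
    breaks, freshest = [], {}
    for ev in events:
        if ev.field == "mobile" and not ev.otp_verified:
            breaks.append(("unverified_mobile_update", ev))
        key = (ev.customer, ev.field)
        current = freshest.get(key)
        # An email captured earlier than the freshest known one is a stale overwrite.
        if ev.field == "email" and current and ev.captured_at < current.captured_at:
            breaks.append(("stale_email_overwrite", ev))
        else:
            freshest[key] = ev
    return breaks

def kri(events, breaks, tolerance=0.10):
    """Break rate per field, compared against an assumed tolerance level."""
    report = {}
    for field in ("mobile", "email"):
        total = sum(1 for e in events if e.field == field)
        bad = sum(1 for _, e in breaks if e.field == field)
        rate = bad / total if total else 0.0
        report[field] = {"rate": round(rate, 2), "breach": rate > tolerance}
    return report

if __name__ == "__main__":
    found = find_process_breaks(EVENTS)
    print([rule for rule, _ in found], kri(EVENTS, found))
```

The flagged events identify exactly which records need recovery, while the per-field rate is the figure that would be reported against the tolerance level.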
Conclusion
The Deputy Governor of the Reserve Bank of India, in his keynote address at the Centre for Advanced Financial Research and Learning, reiterated the need for senior leadership of the banks to focus on bridging the disconnect between the risk appetite framework approved by boards and actual business strategy and decision making, and on a weakening risk culture that was amplified by the absence of guidance from senior management, improper risk assessment, repeated exceptions to risk policies, conflicts of interest, especially in related-party transactions, and absent or faulty enterprise risk management.
Banks can walk the tightrope between ensuring higher customer satisfaction and experiences through innovation, undertaking regulatory compliance, and safeguarding against breaches through a robust risk management framework that focuses on mitigating risks to confidentiality, availability, integrity, and data privacy and quality.