GRC Tuesdays: Should We Stop (Just) Talking about Risk Management Part Two
In Part One of this blog, I introduced the idea that we should focus on the outcome of the process of managing risk, which is where the real value is. How a company manages its brand is a good example of this idea and how it might apply to GRC.
A company’s ability to manage its data is a tangible factor influencing brand management. Many CEOs recognize that trust in data handling is an opportunity, not just a risk. In fact, 64% of CEOs (rising to 75% of those who head companies with revenues of more than $10 billion) believe that how their firm manages data will be a differentiating factor in future.
Data management has a number of dimensions, and it is also multi-disciplinary. This is part of the challenge: multiple causes and consequences of uncertainty for data management, different deep expertise and owners throughout the business, and a sometimes opaque impact on business objectives. So here are a few summarized examples (each is a large subject in its own right, however).
1) Data is an asset with an economic value.
- Put bluntly, what organisation can continue to function without the data it holds about customers, products/services, initiatives, decision-making, performance?
- The better data quality, and the processes that ‘touch’ the data, are managed, the less ‘friction’ there is to operations and success.
- Data is an intangible asset, but the accounting concept of goodwill can be used to address this (William Schmarzo, Hitachi Vantara), assessing the intangible but quantifiable “prudent value” of data to the business. And goodwill, of course, is tightly proportional to brand.
2) Data is subject to governmental regulations.
- The geographic location of corporate data, and nationality of any person’s data that is stored and/or accessed, is specifically impacted by regulations such as GDPR, the CLOUD Act, and other country-specific regulations.
- Infringements of these regulations can be costly, but also result in adverse publicity—usually widespread and immediate nowadays—that will impact reputation and share value.
3) Data depends on the resilience of infrastructure.
- The resilience of the infrastructure that stores, processes, transports, and makes data available is critical.
- It covers the ability to resist a data breach, a hack, social engineering, and denial of service attacks.
- Aside from practical business consequences (such as inability to process orders, loss of core data, and potential fines), the failure to demonstrate confidentiality, integrity, availability, and resilience of data handling implies gaps in governance, which stem from gaps in leadership.
- Such gaps will impact competitiveness and revenue earning ability.
- This aspect is now so important to the modern business that there are organisations like Bitsight that provide a service with augmented data, objectively ranking a company’s security performance.
4) Integrity of data can be improved with the proper use of automation.
- Protecting the elemental integrity of data is improved with automation, while IoT and big data volume explosions have increased the use of AI/ML tools.
- The ‘business interface’ through which employees, suppliers, and customers transact with a business is far more complex now than it has ever been, and it has to be controlled (which is also more complex than it has ever been before).
- A business’s ability to get the best out of the exponentially growing amount of data it has access to will directly influence its agility and performance.
- Use of automation will affect trust and brand value. So will the business’s ability to test and believe the reliability of its automation.
Brand Factors, Data Management Events, and GRC
A business can correlate combinations of the 10 Brand Factors (discussed in Part One) to business activities in each of the above four data management aspects. The impact and likelihood of one of these activities turning into a data management event is well covered by GRC and security processes.
Combining and aggregating across the business with real-time data and user input provides a demonstrable, quantifiable link between the business activities of data management and the business objective of brand management.
Thus, the business has the ability and mechanism to focus on managing the uncertainty of achieving the objective of brand management, as opposed to the process of managing data risk. (Bear in mind, too, that this could be a positive or negative deviation from what is expected.)
What do you think? Is it time to stop talking about risk management?
Read the rest of our GRC Tuesday blogs for more on risk management topics.