Getty Images/iStockphoto
Improve business outcomes by managing data and analytics risk
An effective data and analytics risk and control environment requires a full understanding of data, analytics and AI risks, related risk decisions and their impact on business outcomes
No data and analytics leader would appreciate being told that they’re asleep at the wheel. Indeed, most of their waking hours are spent leading data, analytics and artificial intelligence (AI) teams and programmes for business value, or communicating this to senior business leaders.
Yet, there’s a problem. While data and analytics leaders rightly address business value through their investments, they typically neglect to effectively address the risks that can cause these investments to fail.
In Gartner’s 2023 Chief data and analytics officer (CDAO) agenda survey, respondents identified data, analytics or information governance as the top critical enabler for success in their organisation’s data and analytics initiatives. Recognition that governance, through accountability, decision rights and behavioural change, is a key contributor to enabling successful business outcomes is good news.
However, only 19% of CDAOs identified improving compliance and risk management as a top five objective to focus on for their data and analytics initiatives over the next 12 months. In sharp contrast, 64% of non-executive boards of directors expect to increase their risk appetite in 2023 and 2024, according to the 2023 Gartner board of directors survey.
Understanding the relationship between key performance indicators, mission-critical priorities and data and analytics assets is certainly crucial — but so is the need to understand key risk indicators in exactly the same context. Simply put, risk and value are opposite sides of the same coin, yet in most cases, that’s not the way that data and analytics leaders think about it.
Most recently, hype and interest in generative AI has increased the focus of internal audit teams on data and analytics. But that can’t be the only reason to act. An effective risk framework for data and analytics is needed because it makes good business sense.
Understand the risk context
Data and analytics risk must be understood in context of business outcomes. Start by understanding your organisation’s strategic business outcomes, identifying the key stakeholders and operational processes that support achievement of those outcomes. Since they are different for each organisation, so too are the risks.
Business outcomes rely on the creation, consumption and control of data and analytics assets, such as customer contact data, in your ecosystem. Analyse your outcomes for the risk scenarios that you face. All risks are not equal, so evaluate them and prioritise them in terms of their potential severity and your risk tolerance levels.
Risk treatment options
Develop a set of options for treating risks that have the greatest impact on your business outcomes. Essentially, this requires several candid conversations with key business, data and analytics and technology stakeholders to find the right balance between the ideal risk solution, what you can afford and what is organisationally and culturally possible.
These conversions will help to identify several risk treatment options, such as specific control mechanisms and risk transference. Consider how risk culture, governance, education and training, communication, technology and process improvements can change the way your risk requirements can be met.
Risk and control environment
Deploying a data and analytics risk management capability is typically a resource and time-intensive process and shouldn’t be underestimated. If you’re able to deploy a data and analytics risk framework into an already existing enterprise risk and control environment, your life will be much easier.
Nevertheless, understand the deployment tasks that must be performed, how these will be done and by whom, and the parts of the organisation that need to be engaged.
Monitor risks and take action
An effective data and analytics risk and control environment requires a full understanding of data, analytics and AI risks, related risk decisions and their impact on business outcomes. Since these risks are dynamic, however, their changing relationship with stakeholders’ risk appetites as risk decisions move across risk thresholds must be monitored so the right action can be taken.
As a result, the provision of continuous risk analytics through always-on monitoring and closed-loop execution of risk action using technology capabilities, can play a key role in the risk response process.
However, prioritise understanding risk culture and improving behaviours over the implementation of risk management technologies. Certainly, using technologies for monitoring and control help, but effective risk and response is primarily about understanding people and the root causes of their risk-related behaviours.
Saul Judah is a vice-president analyst within Gartner’s analytics apps and governance team focusing on information governance, data quality and information strategy.
