No one-size-fits-all approach to risk management and data compliance
By Gary Allemann, MD of Master Data Management
In an era of increasing risk, growing regulation and legislation, and ongoing economic uncertainty, companies need a comprehensive risk management strategy that incorporates data governance. Companies need to combine strategic technology, consulting and educational services to enable effective risk management.
There is no doubt that South Africa faces a business climate of uncertainty that is currently spreading through society and business. There is a perceived lack of transparency about what the future holds for the public and private sectors, and this is where risk management comes into play. In addition to adhering to corporate governance and mitigating risks associated with sudden changes in market conditions, risk management today should be an integral part of an organisation’s operational fibre to ensure business survival.
Increasingly, risk management requirements are being defined by legislation. At the highest level, King III recognises the importance of information to an effective risk management strategy and requires that ‘the board should ensure that information assets are managed effectively’. While a number of other pieces of legislation, such as the Protection of Personal Information (PoPI) Act, the Consumer Protection Act (CPA), the Foreign Account Tax Compliance Act (FATCA), and the Solvency and Asset Management (SAM) Roadmap, require adherence to specific data management principles, the basic fundamentals for sound risk management and data governance remain the same. To achieve this, South African organisations need a systematic approach with the ‘checks and balances’ in place to measure the quality of their enterprise data. This will ensure that the risk calculations they derive from that data are based on a solid foundation.
Risk management is generally defined as better understanding potential operational and business risks and minimising potential negative impacts on the business. Organisations have to identify which information they are using to derive critical decisions so that, for example, when they sign off their financial results at the end of the year, they know the correct data was used. Risk management needs to be underpinned by data quality, which is the process of ensuring that the data suits the business purpose and is of a sufficient standard so that companies can be confident in their results.
Therein lies the rub: there is no one-size-fits-all approach to risk management and data compliance. Although there are similarities between organisations, each organisation is unique in terms of the level of maturity of its enterprise data management. For most businesses, individual departments still operate in silos where systems are patched together and information is duplicated, or not coordinated to give the overall view and control necessary for effective enterprise risk management.
In addition, while much of this legislation requires similar data management principles to be addressed, organisations tend to treat each Act as a separate project with the goal of achieving minimal compliance. In many cases this creates substantial rework, even when simply evolving from an early version of legislation to a later, more robust enactment.
Organisations should explore how they can optimise their information architecture in ways that enable them to address each of these individual pieces of legislation as part of a common framework.
Organisations should look at holistic opportunities, such as enterprise data quality, that cover all legislation and that can be leveraged to address the requirements of future legislation as it is enacted. An enterprise data governance strategy should incorporate risk management elements that identify opportunities to apply existing policies, metrics and procedures to address similar challenges in emerging legislation in order to reduce the overall cost of compliance.