Governance professionals can play a key role in helping organisations navigate the digital transformation process. CGj looks at the contributions they can make to ensuring best practice in data governance and ethics.

Mention the word ‘data’ in an organisational context and ‘risk’ immediately comes to mind. With data breaches being routine headlines in media reports, companies are more than ever confronted with the need to have proper data governance practices in place. 

With data being ubiquitous in every organisational aspect, sources interviewed for this article spoke of the importance of having an effective framework for data governance. ‘Data governance is absolutely critical, otherwise there’s no accountability or oversight. Without a data governance framework, you’re basically fighting fires all the time,’ says Jason Lau, Adjunct Professor at the Hong Kong Baptist University School of Business. 

A data governance framework gives a much broader overview and oversight of the assets the company or organisation must protect, says Professor Lau, whose area of expertise includes cybersecurity and privacy. This allows the company to build a good strategy around how to protect the assets and the level of risks it is willing to take. Moreover, in areas like security and/or privacy, good governance helps to safeguard internal assets as well as external customers, he explains. 

Risks from dealing with data either through storage, access or other means have become dramatically different as the digital transformation of all organisations accelerates. Most companies have moved, or are going to move, away from the traditional fixed data centres of the past to embrace cloud providers such as Amazon Web Services and Microsoft Azure. 

Professor Lau adds that, as people are no longer only accessing data in physical offices (they may also need to access it from their homes due to work-from-home practices or on their mobile devices such as iPads and mobile phones), data storage and access are becoming increasingly distributed and decentralised. 

Wendy Ho FCG HKFCG(PE), Institute Council member, and Executive Director, Corporate Services, Tricor Hong Kong, points out that companies are increasingly interested in not only protecting the data and information they have, but also in controlling access to it, even from within the organisation or company itself. 

‘The challenge for organisations is in paying attention to allocating access rights to different tiers of user and making sure all staff are held responsible for the data they keep or use. The people in the organisation also need to know and pay close attention to best practices when doing data searches, analysis or cleansing,’ Ms Ho stresses. Organisations would be well advised to hold town hall meetings or issue codes of conduct so that all employees know what their responsibilities are, and what the best practices are, when dealing with data in their work, she suggests. 

People and processes come first

The information security industry generally focuses on ‘people, processes and technology’, with each of these three elements mutually reinforcing one another to increase information systems’ resilience to attacks. Sources interviewed for this article, however, are in agreement in that people and processes come first.

‘Some argue that technology should come first,’ says Professor Lau. He agrees that having the right technology in place is certainly important in reducing exposure to common forms of cyberattack such as ‘phishing’ – using fraudulent means to persuade individuals to reveal personal information, such as passwords and credit card numbers. However, relying only on technology can expose the organisation to gaps. Good processes, on the other hand, can help flag the risk of phishing, as well as other security threats. Where staff are educated and trained to report any incidents to security teams, organisations can then address those types of risky threats, which could be in the form of ransomware. 

‘Realistically, technology can only help you to achieve what you want, but you need to start with your people and your strategy. One of the biggest issues is overconfidence in the technology that you have. Overreliance on technology can expose you to many different risks. You need to build the processes in place and then you have the technology to support that,’ he adds. 

Ms Ho recommends simplifying and standardising the processes for keeping data where possible. Different departments in the same organisation may have different requirements and responsibilities, and may not pay attention to regulatory requirements in storing or keeping the data, she explains. The departments may also have different standards for keeping data. In addition to ensuring the right access controls for different people and at different tiers in the organisation hierarchy, she emphasises the benefits of keeping data that is consistent organisation-wide, and that is relevant to the organisation so that different teams or departments know what data is being kept.

Moving to an integrated approach to risk

A potential benefit of the increasing focus on data governance is the trend towards a more integrated approach to the management of risks. Anir Bhattacharyya, Co-Head of Integrated Risk Management Asia at AlixPartners, points out that this can be seen in the area of anti–money laundering (AML). 

‘One of the things I think that is evolving as a result of the availability of technology, the increasing sophistication of criminals, the overlap in data used across the management of different risk types and increasing expectations of employees is that it is getting harder and harder to justify why we’re looking at AML risk and the data around AML risk on its own,’ he explains. 

Approaches to data governance, together with improvements in the available technology, are leading to a recognition of the connectivity between many different areas of risk (such as fraud and AML).

Cliff Lam, a Director at AlixPartners, with experience in investigations and financial crime compliance, agrees. ‘From a data management perspective, it makes sense to look at what data is actually available in the organisation and how that can benefit different risk types. If there is a suspicious transaction in terms of money laundering, for example, can you locate the phone or computer used by the criminal to launder the money and apply the data for wider investigations? What is lacking at the moment is really that integration – and the robustness in terms of the risk strategy, process, data and technology platforms to support it,’ Mr Lam says. 

Mr Bhattacharyya advocates using interdisciplinary approaches in data design. ‘We need to be smart about creating data models, aggregating data and thinking about access and the benefits of that data, as well as the benefits of merging across different risk categories,’ he says. 

Both Mr Lam and Mr Bhattacharyya would also like to see data model design becoming more human-centric, moving away from ‘factory’ processes, and putting customers back at the centre of the design. When building a customer journey through a digital retail banking app, for example, you need to anticipate the risks at each part of the process, Mr Lam suggests. The model needs to be ‘secure by design’. ‘This also allows organisations to better manage the customer experience and control the costs of operations in dealing with risk management and data governance,’ he says. 

Mr Bhattacharyya points out that this goes back to the need to put people back at the centre of the design. ‘So many times, the approach to regulatory compliance and risk is designed around policy and systems – the people involved have often been forgotten. We invest so much in these systems, in these policies, why aren’t we investing in the people we want to change and behave in a different way? Let’s stop forgetting the people and bring human-centricity back to the way we design models and projects,’ he says. 

The role of governance professionals 

The renewed focus on the need for better data governance has been highly relevant to the work of governance professionals. Ms Ho, who has a wide experience of board membership in Hong Kong, emphasises the important role governance professionals play in ensuring that the board is well informed, particularly when it comes to the management of risks and understanding any relevant compliance issues.

She adds that governance professionals also help the directors to manage the internal controls of the organisation, and help the board and the organisation cultivate a good governance culture. One aspect of this, she points out, is the establishment of an effective whistleblowing channel, which can play a critical role when it comes to regulatory breaches and misconduct. 

She also highlights the role of governance professionals in promoting good board composition policies– particularly in terms of board diversity. ‘Board diversity is not just about gender,’ she says, ‘but is also about having directors that can bring different experience and backgrounds, such as those in finance, risk management and IT, to the board. It also involves diversity in terms of age, cultural and educational background, and professional experience, such as getting younger people on the board with the new mindsets of the younger generation,’ she adds. This will help cultivate a healthy organisation in the interests of all stakeholders.

Having board members with cybersecurity and privacy management experience on a company board is particularly relevant to data governance, and a practice Professor Lau expects to become more popular. ‘I would like to see regulators locally in the region and globally making it mandatory for certain types of organisations, such as publicly listed companies, to have an experienced Chief Information/Security Officer, and/or an experienced Data Protection Officer on the board of directors. Making these roles mandatory would help drive accountability and would be a key benefit for organisations,’ he says.

The way forward

So how can governance professionals prepare themselves for their role in assisting better data governance in a world of changing technology? Ms Ho believes the key point is to adopt a change-mindset. They need to be more proactive, she explains, and to adopt lifelong learning and training as regulations and technology are ever-changing.

‘Governance professionals need not be expert in all the technical areas, but they should be proactive in keeping abreast of the changes in the rules and governance trends, as well as the new tools available in the market. They should also communicate with different experts, such as the risk compliance officer or the technology officer, so that they can gain new perspectives to support the board,’ she explains. 

Mr Bhattacharyya stresses that governance professionals should not undervalue their role. Technology cannot stand on its own – without the foundations of good governance and data, organisations will leave themselves at a significant competitive disadvantage. Moreover, by embracing their roles in data governance and working in a more integrated way with business and risk colleagues, governance professionals will learn more about the management of risk and will build their own CVs in the process. 

Professor Lau suggests that data governance professionals should also consider getting relevant certifications to enhance their data governance role. These would help demonstrate that they have the right operational background. ISACA, the international professional body associated with IT governance, provides the globally recognised CISA (Certified Information Systems Auditor) and the CGEIT (Certified in Governance of Enterprise IT) certification, for example. The IAPP (International Association for Privacy Professionals) certification for privacy professionals has both CIPP (Certified Information Privacy Professional) and CIPM (Certified Information Privacy Manager), which would also be relevant. 

Mr Lam emphasises that it is important for governance professionals to know both the governance requirements and how IT professionals implement data management controls. In this way they can position themselves as bridging the gap between the business and the IT side.

‘A data governance officer can be an ultimate “span breaker” – someone who manages multiple aspects of the business – because they do not belong to any specific risk type,’ Mr Lam says. ‘In a way they are agnostic to risk types and they deal with data for the whole organisation. They serve as a span breaker and connect the managers in different parts of the organisation, for example, AML, cybercrime and fraud, to build synergy and avoid overlaps in existing or planned projects,’ he adds. 

Poo Yee Kai