The discipline of governance, risk and compliance (GRC) has come a long way over the past decade, but in some areas it has not evolved fast enough. Many firms still struggle with data silos within their GRC programmes. A data silo arises when a data set created within an organisation is not shared, beyond an individual or a small group of individuals, with other parts of the organisation. Within GRC, this can be data about risks, controls, loss events, and key risk indicators (KRIs) or other metrics, for example.
Data silos within GRC programmes can generate significant issues for financial services firms. A failure to share information can mean risks grow larger, controls break down, and loss events emerge. Below we explore three ways in which data silos are often created, and three ways data silos can be broken down, to help firms think more strategically about the role of data within their GRC programmes.
What creates data silos?
Specialisation – As financial services firms have sought to understand certain risks and compliance obligations more deeply, specialisation has blossomed. For example, when IT risk first emerged it was treated as the domain of the IT department, who were the technology specialists. It is right to have specialists involved in managing a particular kind of risk, since they have invaluable knowledge and skills, but this often results in that risk being walled off within the organisation. The specialists manage these risks in an internally facing way, using their own terms of art, which hampers communication with other stakeholders in the business. Sometimes specialists also seek to “manage the message” about potential risks, control effectiveness or actual loss events, with the result that senior managers and the board do not receive crucial data. These issues, and others, mean that specialisation often creates data silos.
Organisational culture – Many financial services firms do not have “data transparent” organisational cultures. Instead, in many organisations, data is considered to be power, and so it is hoarded. That is, official groups such as formal teams, or unofficial groups such as a handful of executives who have formed a working alliance, share data amongst themselves and restrict access to it in ways that are not part of official organisational policy. This often happens with risk and control data, which executives can be particularly sensitive about, because it can highlight important issues such as outsized revenues gained as a result of excessive risk-taking, or under-investment in process infrastructure. The lack of a data transparent culture is often a red flag that other cultural issues need to be faced and changed.
Manual GRC processes – An obvious villain here is the spreadsheet. Spreadsheets, by their very nature, create data silos. Access to them is often overly restricted because it isn’t easy to manage permissions. Manual data entry also has to be somewhat centralised in order to maintain data quality and reduce operational risk, although it remains hard to meet either goal. In short, using spreadsheets for collecting, managing and sharing GRC data makes it very hard to break down data silos. The wrong GRC technology can also create data silos: some solutions keep each GRC area’s data in its own “swim lane”, making it impossible to look at a single risk, such as the risk of a data privacy breach, and see the controls linked to it across different GRC areas, such as operational resilience, Senior Managers & Certification Regime (SMCR) requirements, and compliance risk. With such solutions, connecting these would require manual intervention with the data.
What breaks down data silos?
APIs – Using APIs to bring data into a GRC platform automatically can transform the value that the software delivers. Data delivered through an API is immediately visible to users, eliminating the need for someone to enter it manually. This removes any potential delay in data entry, for whatever reason, and also significantly reduces the operational risks associated with errors in manual data input. Furthermore, using an API can increase the volume as well as the timeliness of data within a GRC platform, enabling GRC teams to create new metrics and benchmarks that help communicate information about risks and controls to key stakeholders.
Permissions – Breaking down data silos in an organisation requires a strong permissioning regime. This may seem counter-intuitive, but it is not. Within an organisation, individuals should be able to see the data that enables them to perform their roles, communicate with their stakeholders, manage their risks, and implement the right controls. There will be other kinds of data, for example certain details of a sensitive legal loss in an unrelated division, that an individual simply does not need to see to carry out their role. For everyone to trust the GRC technology, and not hoard data, they have to know that when they put sensitive data into it, it will be treated with care. Strong permissioning capabilities in a GRC platform are therefore essential to support information sharing.
Reports – Being able to communicate GRC data across the organisation in ways that make sense to individual stakeholders is crucial to breaking down data silos. Dashboards and reports should be tailorable to the kinds of decision-making an individual or group of individuals needs to do. This kind of thoughtful data sharing is the fastest way to break down data silos and drive permanent cultural change, because it gives individuals fresh insight into the risks and controls they oversee. For example, a person who manages a retail banking credit card product might gain a new perspective on the risks and controls in their part of the business if they can see their own IT metrics alongside similar metrics from other retail banking teams internally. Moreover, this could generate dialogue among those who look after retail banking technology processes, leading to improvements in those activities across the business.
In summary, GRC data silos emerge within organisations as a result of a variety of cultural and process issues, and they can lead to significant operational risk events as well as a failure to meet compliance obligations. However, the right GRC software can help organisations break down their data silos by supporting the transformation of the culture and processes around data sharing.
To learn more about aCCelerate GRC, contact us.