
Upper Matter
Introduction
The Data Management Operations, Risk & Control component refers to the state of operation in which the data assets of an organization are holistically managed throughout the organization. There are three elements of a successful data management environment.
- The data management (DM) objectives and capabilities described within this document have been embraced and adopted throughout the organization.
- The data lifecycle is fully supported by all stakeholders. These stakeholders ensure understanding, awareness and control of data throughout the data supply chain–from source to consumption to disposition.
- DM is part of the organization’s data ecosystem. It is integrated and coordinated with all other control functions organization-wide.
Definition
The Data Management Operations, Risk & Control component consists of capabilities that form a data management environment to oversee and control an organization’s data assets. It incorporates consistent life cycle practices, data risk and controls management, and necessitates organizational collaboration, accountability, and alignment with strategic objectives.
Scope
- Establish consistent data development life cycle practices to enable a sustainable business-as-usual environment for data management.
- Align the people, processes, technologies, and Data Management practices across the organization to achieve a coherent, end-to-end data ecosystem.
- Align Data Management with the organization’s over-arching risk management to establish a data risk management approach and plan.
Value Proposition
The DCAM framework enables a comprehensive approach to managing data throughout its life cycle, with controls based on detailed data requirements, a cohesive risk mitigation strategy, and a clear accountability structure. These capabilities enable individuals at all organizational levels to participate effectively in data management. Strategic and operational objectives that depend on data are supported by this approach, which allows organizations to balance the creation of value from data with the management of data risk. Such an approach fosters a high-quality and sustainable data ecosystem that can be critical to delivering the organization's business strategy and regulatory obligations.
Overview
Enabling the DCAM framework means embedding core data management components—Architecture (Business, Data and Technology), Data Quality, and Data Governance—across all stages of an organization's Data Development Life Cycle. The diagram below presents a visual representation of the DCAM Framework Components aligned to manage data from requirements through disposition.
Diagram 7.1: Operationalizing DCAM
The diagram serves as a visual representation reinforcing the importance of data requirements, Data Development Life Cycle management and data control in achieving data excellence. Key characteristics of operationalizing DCAM include:
- Collaboration, culture and accountability: Success in data management relies on a data-driven culture, clear accountability, strong leadership, data literacy, and active engagement from everyone. Collaboration across the organization is vital for maintaining an effective data ecosystem. For example, teams that manage information security, storage management, legal and compliance, privacy, and vendor management all have responsibilities that impact how data is managed.
- Data Development Life Cycle: orchestrates Data Management activities across the organization leveraging a standard, consistent, repeatable methodology. Data Development Life Cycle aligns Data Management activities in an operational flow, ensuring each is resourced, prioritized, and supported by business, data, and technology functions. Coordinating teams across these activities is crucial for the success of the Data Management initiative.
- Business Driven: a business-driven data management organization ensures that data is trusted, accessible, and actionable, which enables the company to make informed decisions, optimize operations, and gain a competitive edge. Instead of data being a byproduct of operations, it becomes a core driver of business success.
- Curated metadata: serves as the foundation of data life cycle management, allowing organizations to define, track, and manage data requirements, risks, controls, and accountabilities. Metadata facilitates data management automation.
- Requirement traceability: should be comprehensive to capture a full set of business needs, for example, data processing rules, retention, disposal, quality dimensions, ownership, ethical use, and other operational aspects of DCAM capabilities. This is particularly critical for data that is shared among multiple data consumers and for core data attributes that are used as a baseline for onward expression in operational calculations or business formulas.
- Standardized Data Management controls: are consistently applied to data throughout life cycle stages ensuring best practice for designing, deploying, executing, and documenting controls. This enhances efficiency and reuse across the organization. An inventory of all data controls is essential for data availability, accountability, quality, risk mitigation and alignment with business goals.
- Aligned to Data Management Policy and Standards: A standard Data Development Life Cycle ensures adherence to Data Management best practices and coordination with organizational processes like Software Development Life Cycle and business architecture. Operating collaboratively within an ecosystem acknowledges interdependence.
Core Questions
- Is a data life cycle management approach used to control data management of in-scope data?
- Is the data life cycle aligned and supported by data management policies and standards?
- Are appropriate controls applied across the full data life cycle?
- Are the concepts of data control aligned across the full organization ecosystem (people, process and technology)?
- Is Data Management aligned with Enterprise Risk Management practices in support of data risk management?
- Are data risks aligned to the business data requirements?
- Are data contract and sharing agreements identified and managed?
Core Artifacts
- Data Development Life Cycle
- Data Requirements Inventory
- Data Risk Taxonomy
- Data Controls Inventory
- Data Risk Issues Log
- Data Sharing Agreement
7.1 Data Management Operations
Data Management Operations must identify, understand, and prioritize the delivery of requirements for curated data, and mitigate data risk through effective controls. Data Management Operations are based on ensuring that data assets are managed properly throughout the data development life cycle, which is a strategic imperative for any data-centric organization. This calls for a standard data development life cycle approach applied consistently to both structured and unstructured data across the organization, holistic data requirements, and proper management of data providers.
A standardized approach to managing data throughout its life cycle can optimize an organization’s operations. This includes ensuring that data is properly created, processed, stored, maintained, and disposed of, thus limiting redundancy, achieving data minimization, and optimizing storage costs.
7.1.1 Data Development Life Cycle Approach
Description
The Data Development Life Cycle is a comprehensive model to manage data from initial creation to final disposition. It involves a series of phases that ensure data is handled efficiently, securely, and in support of established business requirements and objectives.
Objectives
- Establish a standardized data development life cycle to ensure consistent data management practices and processes.
Advice
The Data Development Life Cycles of individual organizations will vary, but each will typically encompass data acquisition, processing, storage, maintenance, distribution, consumption, archiving, and disposal. Holistic data requirements must be captured to support control of the data at each successive life cycle stage. Implementing the data life cycle approach requires careful prioritization and planning, typically executed on an iterative basis over an extended timeframe. Implementation of the data development life cycle approach can be highly complex, especially in large organizations with multiple data domains, diverse data types, and cross-jurisdiction needs. It may be prudent to phase the roll-out of the data development life cycle, based on well-understood organization priorities and a carefully planned scope that may be incrementally expanded. The Data Development Life Cycle Approach should consider and address the alignment and enablement of DCAM components through the life cycle stages as necessary. It should reflect the use and application of resources (people, process and technology) across the stages of the data life cycle.
Questions
- Does the organization use a Data Development Life Cycle for its model to consistently manage data?
- Is the data development life cycle supported by policy, standards, and processes for use in managing data (structured and unstructured), with provision for handling exceptions?
Artifacts
- Data Governance Approach & Plan
- Data Lifecycle Process and Standards
Scoring
Not Initiated
No formal Data Life Cycle Approach exists.
Conceptual
No formal Data Life Cycle Approach exists, but the need is recognized, and the development is being discussed.
Developmental
Formal Data Life Cycle Approach is being developed.
Defined
The Data Development Life Cycle Approach is defined, validated and approved by the directly involved stakeholders.
Achieved
The formal Data Development Life Cycle Approach is established and applied to Data Management initiatives.
Enhanced
The Data Development Life Cycle Approach is part of business-as-usual practice and is assessed regularly for current relevance and efficacy.
7.1.2 Data Requirements Approach
Description
Data is managed through the data development life cycle stages based on data requirements that are established and tracked to meet specific business objectives. Data Requirements Management requires processes and procedures to identify, define, prioritize, validate, track and document the data needs of the business.
Objectives
- Capture and manage data requirements consistently in support of business objectives.
- Manage data requirements according to established processes and procedures.
- Document the alignment of data requirements to business and technology processes, the data life cycle stages, data risks, and data controls.
Advice
Data is managed throughout the data life cycle stages using processes and controls that satisfy holistic, detailed data requirements. The data management organization facilitates the process in collaboration with all stakeholders, including but not limited to business, architecture, and technology. Data requirements address the organization’s strategic and operational objectives such as data quality, availability, cost efficiency, business value creation and regulatory compliance. Requirements may be defined at any level of data, including single physical elements, business elements, classifications, data domains, regional or application-based data sets, and data products. Requirements may relate to one or more life cycle stages and must reflect specific operational constraints. Data requirements must be reviewed and curated consistently with the organization’s data governance practices. Requirements can be mapped to business and technology processes, data life cycle stages, risks and controls, and should be made discoverable as metadata for use by automated and manual processes.
Questions
- Are data requirements identified, captured, evaluated and verified with stakeholders?
- Are data requirements mapped to business objectives and stakeholders?
- Are data requirements regularly reviewed and updated?
- Are data requirements validated against standards?
Artifacts
- Data requirements standards, processes, procedures, and user guide for curating data requirements
Scoring
Not Initiated
No formal Data Requirements Approach exists.
Conceptual
No formal Data Requirements Approach exists, but the need is recognized, and the development is being discussed.
Developmental
The formal Data Requirements Approach is being developed.
Defined
The Data Requirements Approach is defined, validated, and approved by the directly involved stakeholders.
Achieved
The formal Data Requirements Approach is established and is the standard for managing data requirements.
Enhanced
The Data Requirements Approach is part of business-as-usual practice and is assessed regularly for current relevance and efficacy.
7.1.3 Data Provider Management Approach
Description
Data Provider Management involves a set of practices designed to organize and manage third-party contractual agreements and Data Sharing Agreements. Key objectives include ensuring the data source is suitable to meet the business data requirements of the consumer and that quality data delivery is established and maintained. It is important to consistently manage and maintain agreements with data providers, whether internal or external.
Objectives
- Ensure a formal consistent approach to management of data sharing that covers internal and external providers based on service level agreements, data sharing agreements, or third-party contracts.
- Comply with internal policies, relevant laws, rules, and regulations related to data collection, storage, management, usage and retirement of the data.
- Ensure that data requirements communicated to data providers are aligned to and driven by business requirements, reflecting any data risk management, data quality, or data life cycle needs.
Advice
The approach to managing and coordinating data providers should be embodied in a common set of practices ensuring consistency in how the organization engages with data providers, both internal and external. Effective provider management relies on mapping data requirements to the appropriate sources (internal or external) and establishing, managing and monitoring service level agreements to meet business objectives. The process for identifying and selecting data providers should ensure that the organization does not duplicate data acquisition and establishes measurable service levels and data quality criteria between the parties. The approach should specify how a provider’s performance will be evaluated, how remediation requests will be reported and tracked, and how quality or process issues will be remediated. Data Provider Management should be aligned with the organization’s data development life cycle and relevant DCAM components. Data assets with associated agreements must be governed through the organization’s standard data life cycle, ensuring formal management of agreement obligations. The third-party contracting process should involve assessing the provider’s data practices to ensure they align with business requirements. If a dedicated vendor management function exists, consider incorporating data provider due diligence controls into the procurement processes.
Questions
- How are data sourcing requirements captured, validated and prioritized?
- Are detailed aspects (e.g., timing, use limitations, content) of agreements or contracts captured, understood, stored and managed?
- How is data provider service, content quality and performance assessed and managed?
- Has the Data Governance function been granted authority to implement the Approach?
- Do data sharing standards exist that can be used internally and with external data providers?
Artifacts
- Data Provider Management Process
- Data Sharing Agreement Templates
- Data Provider Reporting
- Repository of Data Sharing Agreements
Scoring
Not Initiated
No formal Data Provider Management Approach exists.
Conceptual
No formal Data Provider Management Approach exists, but the need is understood, and discussions are occurring.
Developmental
Formal Data Provider Management Approach is under development.
Defined
The Data Provider Management Approach is defined, validated and approved by relevant stakeholders.
Achieved
The Data Provider Management Approach is established and is recognized and followed by stakeholders.
Enhanced
The Data Provider Management Approach is considered part of business-as-usual practice and is assessed regularly for current relevance and efficacy.
7.2 Data Risk Management
Continuous assessment of data risk and enhancement of the organization’s response to threats is the basis of effective data management. It is crucial to identify, categorize, mitigate, and track the inherent data risks and the residual risk after mitigation actions.
- Inherent data risks pertain to the potential data vulnerabilities present within an organization’s data management processes and infrastructure before any data risk controls are implemented. Inherent data risks may include the possibility of data being lost or stolen, erroneous or missing, wrongly retained, wrongly deleted, used illegally, or used inappropriately. Organizations should define their data risk requirements to define the appropriate mitigation efforts.
- Residual data risks refer to the levels of risk that persist after risk mitigation measures have been enacted.
7.2.1 Data Risk Management Approach
Description
The organization's Data Risk Management Approach provides a foundation to identify, assess, and mitigate data-related risks. The approach must also recognize that classes and levels of risk may be redefined over time, which can affect the efficacy of both planned and already implemented mitigation approaches.
Objectives
- Establish a Data Risk Management Approach aligned with the organization’s Risk Management Framework.
- Establish mechanisms for measurement, reporting, and escalation of data risk.
Advice
The Data Risk Management Approach must encompass a set of policies, standards, roles and responsibilities designed to manage data risk across the organization. The management of data risk should be integrated or aligned with the organization's overall approach to risk management (as appropriate to the nature of the organization) using a complete representation of data risk. Data risk is a critical component of the organization’s risk profile that must be clearly defined, as data supports all business activities and can have significant impacts. Without a clearly defined sense of data risks, determining the most appropriate data controls for mitigation becomes impossible. Once controls are in place to address identified data risks, a data management issue reporting process should be established to facilitate risk identification, assessment, and prioritization of remedial actions.
Questions
- Does the organization have a defined Data Risk Management Approach?
- Has the organization defined its data risk policies including key risk indicators?
- Does the organization have a detailed data risk taxonomy?
- Does the organization define data risk within the broader risk taxonomy or risk management framework?
- Are data risks aligned to data context(s) such as business processes, data life cycle stages or chart of accounts?
- Is there an inventory of data risk controls documented within the organization, and have they been mapped based on the data risk taxonomy and data life cycle?
Artifacts
- Data Risk Management Approach
- Data risk policy, standards and procedures
- Data Risk Requirements (using key risk indicators)
- Data Risk Taxonomy
- Inventory of data risk controls
Scoring
Not Initiated
No formal Data Risk Management Approach exists.
Conceptual
No formal Data Risk Management Approach exists but the need is recognized, and discussion is occurring.
Developmental
The formal Data Risk Management Approach is being developed.
Defined
The Data Risk Management Approach exists and has been approved by the stakeholders.
Achieved
The Data Risk Management Approach has been established and is being used to direct the management of data risk.
Enhanced
The Data Risk Management Approach is being used in business-as-usual activity and is assessed regularly for current relevance and efficacy.
7.2.2 Data Risk Review Plan and Methodology
Description
The team responsible for data risk review in the organization needs to develop and maintain a plan and the appropriate methods for reviewing data risk management. It maintains the plan and methods for conducting data risk reviews that check compliance by those accountable for actively managing and handling data.
Objectives
- Establish and maintain the data risk management oversight plan and methodology.
- Ensure provision of policies, standards, procedures and guidance on data risk best practices.
- Align data risk review methods with Data Governance processes.
- Establish a systematic approach to identify, assess, and measure potential data related risks.
Advice
The goal of data risk review is to understand the Data Risk Management Approach and to develop a plan for regular, ongoing reviews that confirm the defined data risks and associated mitigations are meeting the organization’s expectations. The review responsibility should be independent of the responsibility for direct data management. The plan should consider reviewing the activities of identifying, measuring and reporting data risk, confirming compliance with data risk policy and standards. The review process may leverage defined data risk management tools and standard artifact templates for identifying, measuring and reporting data risk, based on the risk taxonomy. If appropriate, a review of alignment with the organization’s wider risk management protocols should be performed. The data risk review process should help the organization understand why data risk is important, as well as improving overall compliance with data risk management. This should also facilitate a common understanding of the materiality of data risk across the organization’s operations.
Questions
- Is there a designated person or team responsible for executing the data risk oversight process?
- Is there a standard methodology for determining scope and execution of data risk oversight?
- Are Data Risk Key Performance and Key Risk Indicators established and reported?
- Is there a defined Data Risk Policy and risk reporting model?
- Are data risk issues logged, monitored, and reported using standard Data Management Issue management processes?
- Is there a regular cadence for reviews of data risk management across the organization reporting to stakeholders, senior executives, and risk committees?
Artifacts
- Data Risk Oversight Methodology
- Roles and responsibilities for data risk management
- Data Risk Management Oversight Plan
- Data Risk Issue Report
- Data Risk Reports
Scoring
Not Initiated
No formal Data Risk Oversight Plan and Methodology exists.
Conceptual
No formal Data Risk Oversight Plan and Methodology exists, but the need is understood, and discussion is occurring among stakeholders.
Developmental
The formal Data Risk Oversight Plan and Methodology is being developed.
Defined
The Data Risk Oversight Plan and Methodology is defined, validated and approved by stakeholders.
Achieved
The Data Risk Oversight Plan and Methodology has been established and is being used to direct the management of data risk.
Enhanced
The Data Risk Oversight Plan and Methodology is being used in business-as-usual activity and is assessed regularly for current relevance and efficacy.
7.3 Data Control Management
A comprehensive and integrated set of data controls enables data to be managed in alignment with business objectives and requirements. Rather than focusing on any single point in a process, it should encompass the entire data life cycle, ensuring seamless management as data moves through various processes within an organization. These processes will have diverse needs and expectations for data, making comprehensive control essential.
Maintaining consistency in data control standards enhances operational efficiency by streamlining the management of various types of controls, including data quality rules, data protection measures, and data disposal, among others. However, a strong approach must include the automation of data controls, which is becoming an essential aspect in modern data management. Beyond data processing controls, there should also be controls to support other key capabilities, such as architecture and governance. The goal is an optimized and common approach to data controls that is applicable across all data management activities, and which is aligned with comprehensive cross-organizational control function requirements.
7.3.1 Data Controls Approach and Plan
Description
The Data Controls Approach emphasizes consistency in implementing and managing effective data controls while enabling maximum reuse of controls across the data life cycle and throughout the organization.
Objectives
- Ensure clear definition of policy, standards and processes for data controls, along with their applicability across the organization.
- Facilitate the alignment of data controls to the organization’s taxonomies for capabilities, processes, data risks and data life cycle.
- Ensure alignment of the data controls approach with operational control requirements, cross-organizational control functions, and Internal Audit, as appropriate.
- Capture control results for measurement over time allowing for effectiveness analysis.
Advice
Defining processes and practices for data control requires collaboration among all relevant stakeholders. These processes and practices should be clearly communicated across the organization to ensure consistency and accountability. Key aspects of data control include:
- Control Definition & Ownership
- Preventive vs. Detective Controls
- Types & Application
- Standardization & Automation
- Governance & Integration
- Control Inventory Management
- Control Measurement & Reporting
Questions
- Is there a set of policies, standards and processes for data controls management?
- Is there an inventory of data controls compiled and verified?
- Are data controls mapped to key organizational concepts such as business processes, risks, and business capabilities to support proper data management of these?
- Are there processes or tools in place for monitoring the execution of data controls through metrics, based on data controls inventory details and monitoring-related metadata?
Artifacts
- Data Control policy, standards, and processes
- Inventory of data controls
- Data Control Mapping
- Data Control Monitoring and Reporting
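The questions in 7.2.1 (an inventory of data risk controls mapped to the data risk taxonomy and data life cycle) and in 7.3.1 (a verified controls inventory, control mapping, and monitoring of control execution) both come down to the same check: does every inherent risk, at every life cycle stage where it arises, have a mapped control, and did that control last pass? The following is an added example, not part of the DCAM text and not an EDM Council tool; it represents a Data Risk Taxonomy and a Data Controls Inventory as small records and runs that check over them. The risk ids, control ids, owners and results are constructed sample values; the life cycle stages are the ones listed in 7.1.1 and the risk descriptions follow the inherent risks named in 7.2.

```python
"""Coverage check of a data controls inventory against a data risk taxonomy
and the data life cycle stages (added example; sample data is constructed)."""
from collections import defaultdict
from dataclasses import dataclass

# Life cycle stages as listed in 7.1.1 Advice.
LIFE_CYCLE_STAGES = ("acquisition", "processing", "storage", "maintenance",
                     "distribution", "consumption", "archiving", "disposal")
CONTROL_KINDS = ("preventive", "detective")


@dataclass(frozen=True)
class DataRisk:
    """One taxonomy entry: an inherent risk and the stages at which it arises."""
    risk_id: str
    description: str
    stages: tuple


@dataclass(frozen=True)
class DataControl:
    """One inventory entry, mapped to a risk and a life cycle stage.
    last_result is the most recent execution result captured for measurement."""
    control_id: str
    risk_id: str
    stage: str
    kind: str          # "preventive" or "detective"
    owner: str
    last_result: str   # "pass", "fail" or "not_run"


# Constructed sample taxonomy, phrased after the inherent risks named in 7.2.
RISK_TAXONOMY = (
    DataRisk("R-LOSS", "data lost or stolen", ("storage", "distribution")),
    DataRisk("R-ERR", "data erroneous or missing", ("acquisition", "processing")),
    DataRisk("R-RET", "data wrongly retained or deleted", ("archiving", "disposal")),
    DataRisk("R-USE", "data used illegally or inappropriately", ("consumption",)),
)

# Constructed sample inventory; C-005 deliberately references an unknown risk.
CONTROLS_INVENTORY = (
    DataControl("C-001", "R-LOSS", "storage", "preventive", "infosec", "pass"),
    DataControl("C-002", "R-LOSS", "storage", "detective", "infosec", "pass"),
    DataControl("C-003", "R-ERR", "acquisition", "detective", "data-quality", "fail"),
    DataControl("C-004", "R-RET", "disposal", "preventive", "records-mgmt", "not_run"),
    DataControl("C-005", "R-UNKNOWN", "processing", "detective", "data-quality", "pass"),
)


def validate_inventory(controls, taxonomy, stages=LIFE_CYCLE_STAGES):
    """Inventory entries that cannot be mapped: unknown risk, stage or kind."""
    known_risks = {r.risk_id for r in taxonomy}
    problems = []
    for c in controls:
        if c.risk_id not in known_risks:
            problems.append(f"{c.control_id}: unknown risk id {c.risk_id}")
        if c.stage not in stages:
            problems.append(f"{c.control_id}: unknown life cycle stage {c.stage}")
        if c.kind not in CONTROL_KINDS:
            problems.append(f"{c.control_id}: unknown control kind {c.kind}")
    return problems


def coverage_status(taxonomy, controls):
    """Classify every (risk, stage) pair of the taxonomy as 'uncovered' (no
    control mapped), 'failing' (controls mapped but none passed last time) or
    'covered' (at least one control with a passing last result)."""
    by_pair = defaultdict(list)
    for c in controls:
        by_pair[(c.risk_id, c.stage)].append(c)
    status = {}
    for r in taxonomy:
        for stage in r.stages:
            mapped = by_pair.get((r.risk_id, stage), [])
            if not mapped:
                status[(r.risk_id, stage)] = "uncovered"
            elif any(c.last_result == "pass" for c in mapped):
                status[(r.risk_id, stage)] = "covered"
            else:
                status[(r.risk_id, stage)] = "failing"
    return status


def coverage_gaps(taxonomy, controls):
    """(risk, stage) pairs with no control at all, in taxonomy order."""
    return [pair for pair, s in coverage_status(taxonomy, controls).items()
            if s == "uncovered"]


def detective_only(taxonomy, controls):
    """Pairs that are only detected after the fact: detective but no preventive control."""
    kinds = defaultdict(set)
    for c in controls:
        kinds[(c.risk_id, c.stage)].add(c.kind)
    return [(r.risk_id, s) for r in taxonomy for s in r.stages
            if kinds.get((r.risk_id, s)) == {"detective"}]


def coverage_report(taxonomy, controls):
    """Counts per state, the kind of figure a data risk report would carry."""
    status = coverage_status(taxonomy, controls)
    return {state: sum(1 for s in status.values() if s == state)
            for state in ("covered", "failing", "uncovered")}


if __name__ == "__main__":
    for p in validate_inventory(CONTROLS_INVENTORY, RISK_TAXONOMY):
        print("inventory problem:", p)
    for (risk, stage), s in coverage_status(RISK_TAXONOMY, CONTROLS_INVENTORY).items():
        print(f"{risk:7s} {stage:13s} {s}")
    print("detective only:", detective_only(RISK_TAXONOMY, CONTROLS_INVENTORY))
    print("report:", coverage_report(RISK_TAXONOMY, CONTROLS_INVENTORY))
```

On the sample data the check reports one unmappable control (C-005), four uncovered risk/stage pairs, two pairs whose controls exist but did not pass, and one pair that is only detected rather than prevented. In practice the taxonomy and inventory would be loaded from the organization's metadata repository rather than embedded, and the report fed into the Data Risk Issues Log.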
Scoring
Not Initiated
No formal Data Controls Approach exists.
Conceptual
No formal Data Controls Approach exists, but the need is recognized, and discussions are in process.
Developmental
The Data Controls Approach is in development.
Defined
The formal Data Controls Approach is defined and has been validated and approved by stakeholders.
Achieved
The formal Data Controls Approach is established, understood and used to guide the use of data controls.
Enhanced
The formal Data Controls Approach is established as part of business-as-usual and is assessed regularly for current relevance and efficacy.