Providing a Context for Oversight:
How Boards Should Consider Data
Data is a recognized asset. Companies are increasingly looking to leverage data as a revenue stream, to enhance existing products and services, or to increase efficiency. Risks related to data misuse and breaches, however, can derail an organization’s data-related goals. Boards need to understand the opportunities and risks related to data, which can elevate a company to new heights or create irreversible brand damage. Becoming “data literate” will help boards fulfill their responsibilities to the organizations they oversee.
The compound annual growth rates in the next several years for data itself, the analytics business, and big-data software sales are projected at 61, 30, and 10 percent, respectively. An astounding 97 percent of CEOs surveyed by NewVantage Partners view the reuse and leveraging of data as critical to their company’s growth, and for 25 percent or so, survival. That 25 percent is also greatly concerned about the impact that an external data-dependent disruptive technology will have on their organization. Yet 85 percent of big data projects fail, according to Gartner.
Meanwhile, breaches continue to occur at an alarming rate. Recognizing the potential impact and in an effort to protect individuals’ privacy, regulators worldwide are imposing requirements on companies that gather, process, store, and leverage data. The European Union (EU) led with passage of the General Data Protection Regulation (GDPR), which placed significant requirements on any company processing personal information for EU data subjects and heavy fines—up to 4 percent of annual revenue. California followed with the California Consumer Protection Act, and other states and countries are following suit. Hefty fines have already been imposed on violators, including Facebook ($5 billion), Equifax ($700 million), British Airways ($230 million), and Marriott ($124 million).
Boards have an important and challenging role. Among other duties, they are responsible to stakeholders for the performance of the organizations they oversee. This includes not only helping to enable business directions and objectives, but also ensuring management properly identifies, manages, and mitigates risks. They can also serve as the conscience—a moral compass and ethical sounding board—which, when it comes to data, is a
Two key numbers—that 97 percent of CEOs expect to leverage data and that 85 percent of data projects fail—are a red flag. How can so many projects fail in an area that is so important to CEOs? The following points are intended to help board members consider data in a new light. When evaluating the company’s use of data, board members and business leaders should weigh how data is being leveraged and managed. Consider:
- Governance. Many companies are racing to implement data leverage plans, and in their haste to develop those plans, many have been hiring data scientists in leadership roles. As a result, fundamentals such as vision and strategy—core elements of governance—are often overlooked. However, without proper governance, it is hard to create a credible vision and strategy that reflects the needs of the business, as well as identify all the opportunities, priorities, and costs.
- Scientific method. Many genuinely talented people are calling themselves data scientists and are proposing initiatives in which they requisition increasing volumes of data to see what opportunities they can find. This approach introduces risk, since the company may not have a clear idea of what it is getting for its investment. Companies seeking to leverage data should do so following some formal methodology, analogous to the scientific method.
- Ethics. The $5 billion fine levied on Facebook in July was tied to the Cambridge Analytica matter, where one commercial entity used data analytics on a massive scale to manipulate voters and affect the outcome of an election. Data science is evolving at such a pace that ethicists can’t keep up. The lack of transparency and governance creates a risk that companies will develop and deploy solutions that, in hindsight, they might wish they hadn’t. Boards are in a position to question whether certain initiatives should be pursued just because they can be.
- Inventory. Most companies have sizeable volumes of data, and many are asking how they can monetize and leverage it. An inventory is critical if the company is going to leverage its data, since it provides insight into what is on hand as well as any relevant obligations. Knowing the obligations is key to understanding what can be done with data and structuring proportional protections.
- Data organization and classification. Most data classification schemes are very basic—only two or three classifications. While these are simpler to implement for security purposes, they aren’t useful for determining the relative value of data or what data is key, and can interfere with otherwise appropriate use and access.
- Appropriate access. Without proper data governance, you can’t reliably know whether access to data is appropriate. Knowing who has access to sensitive data is required under certain privacy and banking regulations.
- Making data available to the people who need it. Leveraging data means that the right people can access it. But even while it’s being processed, certain safeguards still need to be in place, and these may be different than for data “at rest.”
- Risk assessments. Some privacy regulations require that risk assessments be conducted on a regular basis. Risks should be assessed based on the business processes that manipulate data, not just IT repositories holding data or applications touching data. People are the biggest cause of data incidents, and are responsible in some way for most “insider threat” incidents.
- Yes, be aware of breaches. Most companies invest in initiatives to prevent the theft or misuse of data, but it’s extraordinarily difficult to know when data has actually been breached. Most of the time, companies find out when an outside agency—such as law enforcement, the press, or a “hacktivist” group—tells them. Proper data governance and inventory can help reduce the risk of data loss and allow the company to focus protection efforts on more important data assets.
Many enterprise risks concerning data that are elevated to the board level focus on the technology, perhaps because that is how the companies are organized—anything loosely connected to data is directed to the chief information officer and the chief information security officer. When dissected, however, the underlying concern is often data use and the consequences of an incident. Taking a step back, if the concern is data, it may be helpful to separate its oversight from the information technology platform it sits on, and from there, zero in on both opportunities and risks.
Increasingly, companies are appointing chief data officers (CDOs), who are tasked with implementing governance over the data initiatives and aligning activity to execute data strategy. The responsibilities of the CDO vary across organizations, but in general, these individuals can help the board understand and navigate data-related matters. An effective CDO focuses on all aspects of data—opportunity, risks, and obligations. They are conversant in the technology tools that process, store, and transmit data, and can help board members understand the topic with clarity so they can engage with executive leadership. Board members should consider seeking support and advice from experienced CDOs to help them navigate data-related matters in the organizations they oversee.
With the prominence of data as part of the growth strategy for companies, boards should understand and provide direction toward the use of data and the management of related risks. CDOs can serve as a valuable resource to help boards fulfill their responsibilities and narrow the gap between the CEO’s expectation for the use of big data and the 85 percent project failure rate.
James Howard helps organizations design, build, and lead data management capabilities, focused on leveraging information assets, while providing protection and managing risk. He is the former chief data officer and chief privacy officer for a Big Four professional services firm