Enforcement Actions Underscore the Need for Data Governance
Financial institutions (FIs) face unprecedented challenges and a volatile economy—effectively managing data is paramount to success. The recent Office of the Comptroller of the Currency (OCC) enforcement actions show the increasing regulatory scrutiny on data governance and shed light on lackluster data controls. Deficiencies in data quality and third-party data management were penalized with $460 million in OCC fines in October 2020. In addition, the Consumer Financial Protection Bureau (CFPB) identified data-mapping errors as a root cause for a Regulation Z violation, resulting in inaccurate billing. Mature and comprehensive data management capabilities can pave the way for advanced analytics, help to reduce data risks, and minimize the likelihood of regulatory findings and penalties.
Data Governance Improving, but Gaps Remain
FIs have invested significant resources to manage their data assets. Many have made impressive progress, but as recent regulatory enforcements have shown, there is still work to be done as technology and data usage accelerate in a digital world.
Data is vulnerable at each stage of the data life cycle. The complexity of data management and risk of security and privacy breaches increase with each new data source, each new individual helping to manage data, or an external data provider not adequately vetted. As data leaders, chief data officers (CDOs) and chief information security officers (CISOs) should identify and act upon the early warning signs of fractures in the data life cycle, some of which include:
Enterprise-level data governance structures that do not include representation from key functional areas, such as IT, cybersecurity, and privacy.
Data and security policies, standards, processes, and procedures are either not clear or not known throughout the organization.
Lack of key performance indicators and key risk indicators to effectively monitor, identify, mitigate, and remediate data issues.
Delays and inefficiencies in executing critical activities across the data life cycle—especially handoffs between one team and another.
Data consumers routinely complain about poor data quality.
Inconsistent, incomplete, and stale metadata hinder the institution’s ability to effectively manage, protect, and use data assets.
Data Leaders Play Pivotal Role in Addressing Governance Challenges
Guidehouse offers some insightful perspectives to help data leaders such as CDOs and CISOs navigate these challenges.
Understand the Handoffs
Governance programs are critical to the success of data management, whether an organization is starting its data management journey or has a relatively mature governance program. The CDO and CISO should lead or strongly influence data governance processes. Still, there is an overarching question of where these roles fit within the enterprise, and confusion often arises over roles and responsibilities at key points across the data life cycle. This confusion creates issues with handoffs between different functional areas (e.g., CDO to CISO), which results in inefficiencies, rework, delays, and even missed critical activities. For example, the OCC recently imposed a $60 million penalty for failure to exercise proper oversight of a third party hired to purge data from decommissioned systems. This lack of oversight was likely attributable to confusion over roles and responsibilities or to gaps in the governance process.
CDOs, CISOs, and chief information officers should identify and analyze the current-state processes and procedures that support the data life cycle to ensure that handoffs between different roles and functional areas, accountability, and responsibilities are clear and understood. More importantly, appropriate controls that identify process bottlenecks, gaps, and role-clarity issues should be in place. Addressing these issues can help reduce the data risks that arise from process and procedure misfires.
Develop outcome metrics and reporting to enable risk-informed decision-making for frontline stakeholders and senior executives. For example, CDOs should design data control metrics to measure and manage data quality controls' effectiveness, the life cycle of data quality issue management, and cybersecurity and privacy risks across the data life cycle.
Fill the Data Governance Voids
While many FIs likely have a data governance program, a more critical review of these capabilities should occur to identify potential data governance voids, such as:
Missing representation on data governance bodies.
Lack of or inaccurate decision-making authority.
Not accounting for organizational structure nuances (e.g., federated and centralized versus hybrid organizational models).
Overemphasis on enterprise-level governance versus an integrated structure from enterprise down to data domain-level governance.
Not weaving data governance activities into the data life cycle.
To address these challenges, organizations should have a robust data governance program that effectively eliminates data issues at these life cycle stages:
Creation/Collection—There needs to be an operating model that avoids the capture of “dirty” data (e.g., inaccurate, incomplete, inconsistent, or untimely data). Operational risks arise as end users leverage self-service capabilities to pull data sets into their silos and use them as input for their specific business analysis and decision-making, e.g., regulatory reporting and billing statements. Checks should be in place to ensure that data (structured or unstructured) are reliable and complete at the point of origin.
Synthesis—The combination of existing data sources into new data points should also have safeguards so that newly derived values are free of ambiguity and do not create a privacy issue.
Usage—Once ready for use, data will be accessed and consumed using various data reporting and analytical tools, as well as exchanged internally and published to external parties. Protecting the confidentiality of data via encryption and other tooling is paramount to a holistic security strategy.
Archival—Many organizations fail to effectively apply the proper safeguards from the enterprise-level security policies and procedures during this stage. If third parties are a component of offsite backup and restoration exercises, they need to understand their responsibilities to enforce the enterprise-level security policies and controls necessary to protect the data.
Purging—A data destruction strategy lets the enterprise remove data from servers while remaining compliant. Ensuring storage media erasure, or taking steps to make information unreadable or indecipherable (by reformatting, for instance), should not be overlooked.
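The point-of-origin checks described under Creation/Collection, and the key risk indicators the article calls for, can be made concrete with a small validation gate. The code below is an added example and is not Guidehouse's or any institution's own tooling; the field names, the allowed currencies, the two-day timeliness window and the 5% dirty-record risk threshold are all assumptions chosen for illustration, and the billing records are constructed sample input. The gate quarantines records that are incomplete, invalid, inconsistent or untimely, and then reports the dirty-record rate overall, by issue category and by source system, so that a third-party feed with poor quality stands out.

```python
"""Point-of-origin data quality gate with key risk indicators (KRIs).

Added example (not from the original article). Validates constructed billing
records as they are collected, quarantines "dirty" records (incomplete,
invalid, inconsistent, untimely) and reports KRIs against a risk threshold.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta
from decimal import Decimal, InvalidOperation

# Assumed schema and controls for the example; real institutions define their own.
REQUIRED_FIELDS = ("account_id", "amount", "currency", "statement_date", "source_system")
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}
MAX_AGE = timedelta(days=2)          # assumed timeliness window
KRI_DIRTY_RATE_THRESHOLD = 0.05      # assumed risk appetite: >5% dirty records is a breach


@dataclass
class ValidationResult:
    record: dict
    issues: list = field(default_factory=list)   # "category:detail" strings

    @property
    def clean(self) -> bool:
        return not self.issues


def validate_record(rec: dict, today: date) -> ValidationResult:
    """Apply completeness, validity, consistency and timeliness checks to one record."""
    result = ValidationResult(record=rec)
    # Completeness: every required field present and non-empty
    for name in REQUIRED_FIELDS:
        if rec.get(name) in (None, ""):
            result.issues.append(f"incomplete:{name}")
    # Validity: amount is a finite decimal with at most two decimal places
    amount = rec.get("amount")
    if amount not in (None, ""):
        try:
            value = Decimal(str(amount))
            if not value.is_finite():
                result.issues.append("invalid:amount")
            elif value.as_tuple().exponent < -2:
                result.issues.append("invalid:amount_precision")
        except InvalidOperation:
            result.issues.append("invalid:amount")
    # Consistency: currency must come from the controlled vocabulary (case-sensitive)
    currency = rec.get("currency")
    if currency not in (None, "") and currency not in ALLOWED_CURRENCIES:
        result.issues.append("inconsistent:currency")
    # Timeliness: statement_date parses, is not future-dated and is not stale
    raw_date = rec.get("statement_date")
    if raw_date not in (None, ""):
        try:
            stmt = date.fromisoformat(raw_date)
        except ValueError:
            result.issues.append("invalid:statement_date")
        else:
            if stmt > today:
                result.issues.append("untimely:future_dated")
            elif today - stmt > MAX_AGE:
                result.issues.append("untimely:stale")
    return result


def run_gate(records, today: date):
    """Split incoming records into accepted and quarantined sets."""
    results = [validate_record(r, today) for r in records]
    accepted = [r for r in results if r.clean]
    quarantined = [r for r in results if not r.clean]
    return accepted, quarantined


def compute_kris(results) -> dict:
    """Derive KRIs: dirty-record rate overall, by issue category and by source system."""
    total = len(results)
    dirty = [r for r in results if not r.clean]
    rate = len(dirty) / total if total else 0.0
    by_category = Counter(issue.split(":", 1)[0] for r in dirty for issue in r.issues)
    per_source = {}
    for r in results:
        src = r.record.get("source_system") or "unknown"
        seen, bad = per_source.get(src, (0, 0))
        per_source[src] = (seen + 1, bad + (0 if r.clean else 1))
    by_source = {src: bad / seen for src, (seen, bad) in per_source.items()}
    return {
        "total": total,
        "dirty": len(dirty),
        "dirty_rate": rate,
        "by_category": dict(by_category),
        "by_source": by_source,
        "breach": rate > KRI_DIRTY_RATE_THRESHOLD,
    }


# Constructed sample input: two clean records and three with different defects.
TODAY = date(2020, 11, 2)
SAMPLE_RECORDS = [
    {"account_id": "A-1001", "amount": "125.40", "currency": "USD", "statement_date": "2020-11-01", "source_system": "core"},
    {"account_id": "A-1002", "amount": "99.999", "currency": "USD", "statement_date": "2020-11-01", "source_system": "core"},
    {"account_id": "", "amount": "10.00", "currency": "USD", "statement_date": "2020-11-02", "source_system": "vendor-x"},
    {"account_id": "A-1004", "amount": "42.00", "currency": "usd", "statement_date": "2020-10-20", "source_system": "vendor-x"},
    {"account_id": "A-1005", "amount": "5.00", "currency": "EUR", "statement_date": "2020-11-01", "source_system": "core"},
]

if __name__ == "__main__":
    accepted, quarantined = run_gate(SAMPLE_RECORDS, TODAY)
    for r in quarantined:
        print("QUARANTINED", r.record.get("account_id") or "<missing>", r.issues)
    print("KRIs:", compute_kris(accepted + quarantined))
```

Quarantining rather than silently dropping or "fixing" records preserves evidence for the data quality issue management life cycle, and the per-source rate gives the third-party oversight signal the article asks for without any change to the validation rules themselves.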
Making Data Work for—Not Against—You
For FIs to effectively manage their data assets, CDOs and CISOs should work in tandem to create a risk-based, proactive, and collaborative approach to managing data across the data life cycle. Here are some steps to start to more effectively manage your data as assets:
Conduct a detailed review of the data, cybersecurity, and privacy policies, processes, and procedures used to support data life cycle activities with a keen focus on handoffs between different teams and address any gaps/issues.
Identify and fix the voids in the existing data governance program—if one exists. Otherwise, establish an enterprise data governance program that puts governance in action.
Establish key risk indicators that provide early warning across the data life cycle.
If using a third party for any of the stages, you should have a certification process to determine their competencies in data protection and privacy before allowing them access to your data.
Special thanks to contributing authors: Savannah Xiao, Stephen Singham and Lwanga Phillip.