Data governance is as important as money management

Does your board have a firm grasp on your company’s data and technology strategies?

Over the years, boards have developed skills in financial and operational oversight and the practices that allow good governance of finance and operations are well known, firmly regulated, and expected by directors. Boards receive reports from the CEO and CFO. They spend time with these individuals and get to know them. They conduct financial and operational due diligence that allows directors to be confident that they know how much money the organisation has and where it is. They expect to know where the company’s operations are located, what risks they entail, what prospects they hold, and well they perform.

Move from operations and finance to data and technology and the picture is far less clear.

Few boards are confident that they have established process to deliver good governance of of their companies’ data performance. Directors rarely spend time with the Chief Data Officer or Chief Technology Officer and directors would not say that they knew these people well or had clear expectations about how they would perform and be measured. Many directors cannot put a name to the people performing these roles in their organisations.

Confused reporting

Reports on data and technology are not yet standardised and directors are often confused by jargon, unable to understand the measures of success that are used, or the activities that are being undertaken. Ask most directors where the most important data in their organisation is stored, and they will probably mention the financial system. Ask them where the system is located, how the data is protected, who can access it, and how they know that the clouds in which it is stored will neither burst, allowing unauthorised access to the data, or float away, preventing necessary access to the data, and directors will often be stumped for an answer.

Move from the finance system to other data systems, such as the email service, HR records, customer, client, or supplier information, etc. and the situation appears increasingly uncontrolled. Few boards receive meaningful independent assurance that this data is safely held, let alone that it is being responsibly used to create value. Many boards have no process in place for safely disposing of out of date information, or checking that data remains accurate and current.

Move from data to technology and the landscape is even more threatening. Directors are exhorted to be across technological developments and able to add value to the strategies of the organisations that they govern. They are also expected to be fit and proper persons with a track record of success. That track record requirement rules out many promising younger directors with excellent technology skills. Boards need alert and connected persons with knowledge of fast-changing new technologies (many of which will disappear without a trace after consuming significant amounts of investment capital).

Jump to 'Solutions'

Worse, when boards attempt to inform themselves, they are often pushed towards ‘solutions’. Boards need an information and intelligence system – not a set of platforms. An information system should allow directors to know what information is held, how it is used, who is using it, and how it is protected from unauthorised access or use. Just as our financial system allows us to know what money is generated and stored across a number of different activities and locations.

Legislation has been introduced and adopted. Yet, many Australian organisations have no cyber security governance in place, do not provide any cyber awareness training to staff, and deny that they have a problem.

So what can a board do?

First; take stock of the situation. Task management to perform, and report upon, a data audit and identify what information is held, where, for how long, and for what purpose. Next; consider the strategy of the organisation and the data required to effectively implement that strategy. Ask management to draw up a spreadsheet of what data is required for each strategic aim and how that data is quality assured and protected.

In tandem; organise staff training from a reputable provider and ensure that internal audit (or the external auditor as an additional service to the statutory audit) follows up to verify that recommended practices are really practiced.

Finally: have a look at the board skills matrix and succession plan. Ask seriously if there is any possibility of training existing board members or if data and technology oversight should be added to the list of required skills when recruiting new directors.

You wouldn’t allow a board to disregard the company’s financial assets. Why allow them to fail in their duty to safeguard the digital and technology assets that are essential for financial success?