Privacy and protection of personal information is a hot topic in data governance. However, the compliance challenge is in creating audit defensibility that ensures practices are compliant and performed in a way that is scalable, transparent, and defensible; thus creating “Audit Resilience.” Data practitioners often struggle with viewing the world from the auditor’s perspective. This presentation focuses on how to create the foundational governance framework supporting a data control model required to produce clean audit findings. These capabilities are critical in a world where due diligence and compliance with best practices are critical in addressing the impacts of security and privacy breaches. The companies in the news recently drive home these points.
• The data exists, but no one is looking at it
• The policies exist, but the enforcement mechanism does not
• The enforcement mechanism exists, but does not map to the data level
Robustness refers to the ability of the model to produce valid output across the complete range of inputs. A robust model has no use case in which the observed behavior (inputs) fails to be captured and evaluated correctly (desired outputs).
Good Deloitte deck https://www.slideshare.net/IrfanAhmedACACICA/coso-internal-control-integrated-framework-58951959
Control System guides executive management and governance entities on relevant aspects of organizational governance
• Est. 1992
• Acceptance following the financial control failures of the early 2000s
• Most widely used framework in the States
• Widely used around the world
“Machine Learning is the science of getting computers to learn and act like humans do, and improve their learning over time in autonomous fashion, by feeding them data and information in the form of observations and real-world interactions.”
Identify: Is this personal Information? Does it look like a financial #? Does it reside in a financial statement?
Classify: Once data is identified, ML approaches support classifying the data within the data dictionary: the data is in the finance domain; it is in the “Deliver” phase of the SCOR lifecycle; it is a vendor; etc.
Resolve: The completed data dictionary will support entity resolution by providing a richer feature set against which Master Data or analytical algorithms can be run. If I know data represents a vendor, do I know which vendor?
Link: The resolved entity is linked to internal and external reference sources. ML techniques may be used to identify and resolve link candidates and to specify link type / strength.
Architecting the Framework for Compliance & Risk Management
Jonathan Adams, Director of Research, DATUM
• Director of Research that supports customers in
building governance discipline around analytics
and regulatory compliance
• Certified CMMI Enterprise Data Management
• 20+ years of experience in leading requirements,
design and implementation efforts for retailers,
financial organizations and federal agencies
the Federal Reserve barred the bank from
future asset … until it improves
the company not only suffered a breach in
late 2016 … hiding it from the General
Counsel and Board.
Ex-CEO Blames One Employee For Patch Failures … how it was
possible that a business of this size, with an information security team
that reportedly comprised 225 personnel, could have screwed up in such
It's important to understand that what happened …
was not just a technological failure but more
important a failure of management and
We have spent tens of
millions on governance –
why are we receiving
Data Practitioner at major bank
System of controls lack
linkage to data
Controls must be
measurable in the data!
If footprints of good
practices are not
observable in data – did
The Compliance Challenge
Creating Audit Defensibility that ensures practices are compliant and performed in a way that is transparent, and defensible at the data level
Building a robust and comprehensive
a: The act or process of complying to a desire, demand,
proposal, or regimen or to coercion
b: conformity in fulfilling official requirements
In data management and governance, Compliance is about
defining the Data Control Model that reduces risk, and
creates “Audit Defensibility”
The degree to which the organization is ready to address the
demands of an auditor:
Operationalized in a Data Control Model
Data Control Model sits within the Control System
Control Environment
• Sets the tone for the organization
Risk Assessment
• Identification and analysis of relevant risks to the achievement of objectives
Information and Communication
• Systems or processes that support the identification, capture, and exchange of information
Control Activities
• Policies and procedures that help ensure management directives are carried out
Monitoring
• Assess the quality of internal control performance
COSO Internal Control Framework
AICPA: System and Organization Controls
Original COSO Cube
The Data Control Model connects data to
overarching Control System
The configuration of a Data Control model to align impacted
data with compliance requirements and best practices
Policies / SOP
Data Control Model
Best Practice Frameworks define “good” and are
critical input to Control Systems
Mission / Culture
Frameworks can be:
• BCBS 239; GDPR; CCAR; …
• APQC – Petroleum; FIBO; …
• COBIT; CMMI DMM; ISO 27001; NIST 800; SCOR; …
• Policy / Management Driven
The Challenge is that Control Systems and
Frameworks rarely identify the data!
What does this mean to
a data manager?
• What data?
• What systems?
• Who owns?
• What processes?
• What Controls?
APQC Process Classification Framework
Alignment maps regulatory requirements to:
• Best Practices: those activities that one would expect to see high maturity companies executing in order to be compliant
• Governance Artifacts & Workproducts: those elements of the Data Control Model that support the Practices detailed above
• Alignment to regulatory requirements, often formalized in a matrix that cross-walks regulation to best practices and work products
Steps to Setting up a Data Control Model
1. Configure Data Control Model
2. Configure Operating Model
3. Identify Control Points
4. Getting the Data Labelled
5. Automation & Scaling
Set up Data Control Model
Steps and Implementation Notes
Identify Compliance Objectives: Policies and guidance from risk and compliance teams.
Identify relevant best practices: Multiple sources will provide guidance: Industry Associations; Regulators; Publications; Internal Documentation.
Extend best practices framework: Match the detail to your capabilities! Additional detail only makes sense if you have the use case and capabilities to leverage them. Remember – auditors need observable and measurable artifacts or work product to support findings. The regulatory alignment matrix discussed is used here.
Identify Processes and Control: Where will you look for evidence of compliance?
Build Control Rules: How will you know that you are compliant? What questions must be asked of the data to validate compliance?
Align / Assign Controls to data and to RACI: Accountability – who is doing what, when and where?
Identify Testing Method for: This may impact your Operating Model. Control Rules may be tested as part of an annual audit, or during ETL, or using a data quality tool.
Create / Update the Operating Model for
Steps and Implementation Notes
If a Model exists: Are required Functions and Roles supported? What new roles must be created? Are Roles and Functions resourced for the new activity?
Capability Analysis: Does the team have the right capabilities? Tools? Training?
Assign roles to Control Points: Assign Roles to those places where the compliance will be enforced: Rules
What is a Governance
The alignment of organizational roles, functions, and decision processes to the Governance Framework
Data governance roles; Functions aligned to Roles and Teams; Decision Making Processes
Identify Control Points
Example: Breach Remediation Process
“Control Points” are activities / tasks that are linked to
compliance related Rules, Standards and Data
1. Control Points are where the
auditor will look to validate
compliance / assess risk
2. Control Points are applied to tasks
within each process identified in
the Data Control Model.
3. You cannot “control” all data all
the time! Apply resources
commensurate with compliance
4. How many and where the control
points are placed will depend on:
• Business model
• Risk posture
• Risk mitigation assessment
• Complexity of process
Control Point Tasks
Steps and Implementation Notes
Identify in scope business: This should be available in the Governance Framework. Examples might be product procurement; loan origination; Order to Cash, etc.
Identify how data in the business processes will be: This must align with your Governance Operating Model. All data cannot be controlled in all places (generally speaking). Pick process gates or milestones that create a natural measurement point. Be Practical – whatever is selected must work today, AND will evolve over time as capabilities evolve.
Build Control Rules: Control Rules must rely on observable and measurable data or work products, and must have roles assigned. Rules must be supported by a Standard and/or a Policy.
Curate your Data – The Data Control Model relies
on well labeled data
Data Classification / Labeling
1. Important data is data that feeds key
performance or compliance metrics
2. Data is labelled to show where it is
in the lifecycle
3. Data is linked to a Data Asset
4. Data has Security Classification
5. Personal Information “Type” label
flags this data as falling under
Do we know enough about the data to know it
is being managed correctly?
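The “Build Control Rules” step and the five labels above only become audit evidence once a rule can be run against the labelled data and produce an observable result. The following is an added example, not code from the deck or from DATUM, of a small control-rule evaluator over a constructed data dictionary: each rule names the control point where an auditor would look and the standard that supports it, selects the population it applies to, and records an exception per element that fails. The rule ids (CR-01…), control point ids (CP-Ingest, CP-Report), standard ids and the sample elements are all hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class DataElement:
    """One entry in the data dictionary, carrying the five labels from the slide."""
    name: str
    system: str
    important: bool                  # 1. feeds a key performance or compliance metric
    lifecycle_phase: Optional[str]   # 2. where the data sits in the lifecycle
    data_asset: Optional[str]        # 3. the Data Asset it is linked to
    security_class: Optional[str]    # 4. security classification
    pi_type: Optional[str]           # 5. personal information "type", if any
    owner: Optional[str]             # RACI "Accountable" role for the element


@dataclass
class ControlRule:
    rule_id: str
    control_point: str               # the process gate the auditor will inspect
    standard: str                    # the Standard / Policy that supports the rule
    description: str
    applies_to: Callable[[DataElement], bool]   # population the rule is tested against
    check: Callable[[DataElement], bool]        # what "compliant" looks like in the data


@dataclass
class Finding:
    rule_id: str
    control_point: str
    standard: str
    element: str
    system: str
    description: str


# Ordered classification scheme (hypothetical) so "at least confidential" is testable.
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


def has_min_class(e: DataElement, level: str) -> bool:
    return e.security_class is not None and CLASS_RANK.get(e.security_class, -1) >= CLASS_RANK[level]


RULES: List[ControlRule] = [
    ControlRule("CR-01", "CP-Ingest", "STD-PI-01",
                "Personal information must be classified confidential or higher",
                lambda e: e.pi_type is not None, lambda e: has_min_class(e, "confidential")),
    ControlRule("CR-02", "CP-Ingest", "STD-PI-01",
                "Personal information must have an accountable owner",
                lambda e: e.pi_type is not None, lambda e: e.owner is not None),
    ControlRule("CR-03", "CP-Report", "STD-GOV-02",
                "Data feeding key metrics must be linked to a Data Asset",
                lambda e: e.important, lambda e: e.data_asset is not None),
    ControlRule("CR-04", "CP-Report", "STD-GOV-03",
                "Every element carries a lifecycle label",
                lambda e: True, lambda e: e.lifecycle_phase is not None),
]


def evaluate(elements: List[DataElement], rules: List[ControlRule] = RULES) -> List[Finding]:
    """Run every rule over its population; one Finding per element that fails."""
    findings = []
    for r in rules:
        for e in elements:
            if r.applies_to(e) and not r.check(e):
                findings.append(Finding(r.rule_id, r.control_point, r.standard, e.name, e.system, r.description))
    return findings


def evidence_summary(elements: List[DataElement], rules: List[ControlRule] = RULES) -> Dict[str, dict]:
    """Per-rule work product for the auditor: population tested, exceptions, pass rate."""
    findings = evaluate(elements, rules)
    summary = {}
    for r in rules:
        tested = sum(1 for e in elements if r.applies_to(e))
        exceptions = [f.element for f in findings if f.rule_id == r.rule_id]
        pass_rate = round((tested - len(exceptions)) / tested, 3) if tested else 1.0
        summary[r.rule_id] = {"control_point": r.control_point, "standard": r.standard,
                              "tested": tested, "exceptions": exceptions, "pass_rate": pass_rate}
    return summary


# Constructed sample dictionary; names, systems and owners are made up for the example.
SAMPLE_ELEMENTS = [
    DataElement("customer_email", "CRM", True, "Deliver", "Customer Master", "confidential", "contact", "data.steward@example"),
    DataElement("card_number", "Payments", True, "Source", None, "internal", "payment_card", None),
    DataElement("vendor_rating", "Procurement", True, None, "Vendor Master", "internal", None, "procurement.lead@example"),
    DataElement("page_views", "Web Analytics", False, "Make", None, "public", None, None),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_ELEMENTS):
        print(f"{f.rule_id} @ {f.control_point}: {f.element} ({f.system}) - {f.description}")
    print(evidence_summary(SAMPLE_ELEMENTS))
```

Keeping `applies_to` separate from `check` matters for the audit trail: the summary can then state how many elements were in scope for each rule, not just how many failed, which is what an auditor asks for when validating a control point.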
Three approaches to labeling your data
a. Steward Led Curation:
• People driven
• Source knowledge
• Scaling is a Challenge: Costs ↑; Quality ↓
b. Glossary Driven:
• Data structures /
• Inflexible / Brittle
c. Machine Learning:
• Data meaning drives
• At Scale: Costs ↓; Quality ↑
Enable automation & scaling through Machine
ML Techniques perform the following functions:
• Identify: Identification of instance data in order to classify the data
• Classify: Classify the data
• Resolve: Perform entity resolution
• Link: Identify and resolve relationships and specify relationship type /
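The Identify / Classify / Resolve / Link sequence (also described in the speaker notes on the data dictionary) is shown below as an added example that is not part of the deck and not DATUM's tooling. It uses deterministic rules (pattern matching, a mod-10 check, name normalisation against a vendor master) in place of trained models so that it runs offline; the vendor master entries, external reference ids and the sample record are constructed, and the card number is a standard test number.

```python
import re
from typing import Dict, Optional

# Constructed vendor master data and an external registry reference.
# Hypothetical ids and names; nothing here comes from the deck.
VENDOR_MASTER = {
    "V-001": {"name": "Acme Supply Co", "external_ref": "REG-77812"},
    "V-002": {"name": "Globex Logistics Inc", "external_ref": "REG-10443"},
}
NAME_SUFFIXES = {"co", "company", "inc", "llc", "ltd", "corp", "corporation"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.IGNORECASE)
NATIONAL_ID_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")        # US SSN layout
IBAN_RE = re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that separates card-like numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def identify(value: str) -> Optional[str]:
    """Identify: does this instance value look like personal or financial information?
    Returns the PI 'type' label, or None if nothing is recognised."""
    v = value.strip()
    if EMAIL_RE.match(v):
        return "email"
    if NATIONAL_ID_RE.match(v):
        return "national_id"
    if IBAN_RE.match(v.replace(" ", "")):
        return "bank_account"
    compact = re.sub(r"[ -]", "", v)
    if compact.isdigit() and 13 <= len(compact) <= 19 and luhn_ok(compact):
        return "payment_card"
    return None


def classify(record: Dict[str, str]) -> dict:
    """Classify: place the record in the data dictionary using the labels found in it."""
    pi_types = {k: t for k, t in ((k, identify(str(v))) for k, v in record.items()) if t}
    financial = any(t in ("payment_card", "bank_account") for t in pi_types.values())
    return {
        "pi_types": pi_types,
        "domain": "finance" if financial else "general",
        "entity_type": "vendor" if "vendor_name" in record else "unknown",
    }


def normalize_name(name: str) -> str:
    """Lower-case, strip punctuation and drop legal suffixes so name variants compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in NAME_SUFFIXES)


def resolve(record: Dict[str, str]) -> Optional[str]:
    """Resolve: we know it is a vendor, but which vendor? Match the normalised name to master data."""
    key = normalize_name(record.get("vendor_name", ""))
    if not key:
        return None
    for vendor_id, master in VENDOR_MASTER.items():
        if normalize_name(master["name"]) == key:
            return vendor_id
    return None


def link(vendor_id: Optional[str]) -> Optional[dict]:
    """Link: attach the resolved entity to its external reference, with link type and strength."""
    if vendor_id is None:
        return None
    return {"external_ref": VENDOR_MASTER[vendor_id]["external_ref"],
            "link_type": "registry", "strength": "exact"}


def pipeline(record: Dict[str, str]) -> dict:
    """Run the four functions in order and return the enriched dictionary entry."""
    result = classify(record)
    result["vendor_id"] = resolve(record)
    result["link"] = link(result["vendor_id"])
    return result


# Constructed invoice-like record; the card value is a well-known test number, not a real account.
SAMPLE_RECORD = {"vendor_name": "ACME Supply Company",
                 "contact": "ap@acme.example",
                 "card": "4111 1111 1111 1111"}

if __name__ == "__main__":
    print(pipeline(SAMPLE_RECORD))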
Architecting for Compliance & Risk Management
• Links data to
• Aligns Business
• Bases for
• Addresses issues
Thank you for your time.
• Any questions?
• Visit us at www.datumstrategy.com for more information
• For the latest news follow us on Twitter at @datumstrategy