
Architecting the Framework for Compliance & Risk Management


Privacy and protection of personal information is a hot topic in data governance. However, the compliance challenge is in creating audit defensibility that ensures practices are compliant and performed in a way that is scalable, transparent, and defensible; thus creating “Audit Resilience.” Data practitioners often struggle with viewing the world from the auditor’s perspective. This presentation focuses on how to create the foundational governance framework supporting a data control model required to produce clean audit findings. These capabilities are critical in a world where due diligence and compliance with best practices are critical in addressing the impacts of security and privacy breaches. The companies in the news recently drive home these points.

Published in: Data & Analytics


  1. Architecting the Framework for Compliance & Risk Management
     Jonathan Adams, Director of Research, DATUM
  2. Jonathan Adams
     • Director of Research who supports customers in building governance discipline around analytics and regulatory compliance
     • Certified CMMI Enterprise Data Management Expert (EDME)
     • 20+ years of experience leading requirements, design and implementation efforts for retailers, financial organizations and federal agencies
  3. Risk
     • the Federal Reserve barred the bank from future asset … until it improves corporate governance
       https://www.thestreet.com/story/14508322/1/wells-fargo-directors-retire-after-federal-reserve-slams-governance.html
     • the company not only suffered a breach in late 2016 … hiding it from the General Counsel and Board.
       https://www.forbes.com/sites/forrester/2017/12/05/ubers-uber-breach-a-stunning-failure-in-corporate-governance-and-culture/#ec10cf459fc5
     • Ex-CEO Blames One Employee For Patch Failures … how it was possible that a business of this size, with an information security team that reportedly comprised 225 personnel, could have screwed up in such spectacular fashion.
       https://www.bankinfosecurity.com/blogs/equifax-ex-ceo-blames-one-employee-for-patch-failures-p-2551
     • It's important to understand that what happened … was not just a technological failure but more important a failure of management and corporate governance.
       https://www.bloomberg.com/gadfly/articles/2017-10-03/equifax-can-t-protect-data-but-it-can-keep-a-secret
     • We have spent tens of millions on governance – why are we receiving MRIA’s?! (Data Practitioner at major bank)
     • The system of controls lacks linkage to data. Controls must be observable and measurable in the data! If footprints of good practices are not observable in data – did they happen?
  4. The Compliance Challenge
     • Creating Audit Defensibility that ensures practices are compliant and performed in a way that is transparent and defensible at the data level
     • Building a robust and comprehensive Control Model
  5. Compliance
     a: The act or process of complying to a desire, demand, proposal, or regimen or to coercion
     b: conformity in fulfilling official requirements (Merriam Webster)
     In data management and governance, Compliance is about defining the Data Control Model that reduces risk and creates “Audit Defensibility”.
  6. Audit Defensibility
     The degree to which the organization is ready to address the demands of an auditor:
     • Observable
     • Measurable
     • Repeatable
     • Robust
     • Transparent
     • Defensible
     Operationalized in a Data Control Model.
  7. Data Control Model sits within the Control System
     • Control Environment: sets the tone for the organization
     • Risk Assessment: identification and analysis of relevant risks to the achievement of objectives
     • Information and Communication: systems or processes that support the identification, capture, and exchange of information
     • Control Activities: policies and procedures that help ensure management directives are carried out
     • Monitoring processes: assess the quality of internal control performance over time
     (Sources: COSO Internal Control Framework; AICPA: System and Organization Controls; Original COSO Cube, Internal Control Integrated Framework)
  8. The Data Control Model connects data to the overarching Control System
     The configuration of a Data Control Model to align impacted data with compliance requirements and best practices.
     Data Control Model elements: Rules; Data; Standards; Processes; Objectives; Policies / SOP; Metrics
  9. Best Practice Frameworks define “good” and are critical input to Control Systems
     (Diagram: Control System; Best Practices; Organizational Mission / Culture; Operating Model)
     Frameworks can be:
     • Regulatory: BCBS 239; GDPR; CCAR; …
     • Industry: APQC – Petroleum; FIBO; …
     • Functional: COBIT; CMMI DMM; ISO 27001; NIST 800; SCOR; …
     • Internal: Policy / Management Driven
  10. The Challenge is that Control Systems and Frameworks rarely identify the data!
     What does this mean to a data manager?
     • What data?
     • What systems?
     • Who owns?
     • What processes?
     • What Controls?
     (Example: APQC Process Classification Framework, https://www.apqc.org/)
  11. Creating Alignment
     Alignment maps regulatory requirements to:
     • Best Practices: those activities that one would expect to see high-maturity companies executing in order to be compliant
     • Governance Artifacts & Work products: those elements of the Data Control Model that support the Practices detailed above
     • Alignment to regulatory requirements is often formalized in a matrix that cross-walks regulation to best practices and work products
  12. Implementing the Data Control Model
  13. Steps to Setting up a Data Control Model
     1. Configure Data Control Model
     2. Configure Operating Model
     3. Identify Control Points
     4. Getting the Data Labelled
     5. Automation & Scaling
  14. Set up Data Control Model (step 1)
     Steps and implementation notes:
     • Identify Compliance Objectives: policies and guidance from risk and compliance teams.
     • Identify relevant best practices framework: multiple sources will provide guidance: Industry Associations; Regulators; Publications; Internal Documentation.
     • Extend best practices framework as needed: match the detail to your capabilities! Additional detail only makes sense if you have the use case and capabilities to leverage it.
     • Compliance objectives alignment: remember – auditors need observable and measurable artifacts or work product to support findings. The regulatory alignment matrix discussed is used here.
     • Identify Processes and Control Points: where will you look for evidence of compliance?
     • Build Control Rules: how will you know that you are compliant? What questions must be asked of the data to validate compliance?
     • Align / Assign Controls to data and to RACI: accountability – who is doing what, when and where?
     • Identify Testing Method for Control Rules: this may impact your Operating Model. Control Rules may be tested as part of an annual audit, during ETL, or using a data quality tool.
  15. Create / Update the Operating Model for Accountability (step 2)
     Steps and implementation notes:
     • If a Model exists: are required Functions and Roles supported? What new roles must be created? Are Roles and Functions resourced for the new activity?
     • Capability Analysis: does the team have the right capabilities? Tools? Training?
     • Assign roles to Control Points: assign Roles to those places where the compliance will be enforced: Rules and Processes.
     What is a Governance Operating Model? The alignment of organizational roles, functions, and decision processes to the Governance Framework.
     Operating Model Components: data governance roles; Functions aligned to Roles and Teams; Decision Making Processes.
  16. Identify Control Points (step 3)
     Example: Breach Remediation Process
     “Control Points” are activities / tasks that are linked to compliance-related Rules, Standards and Data.
     1. Control Points are where the auditor will look to validate compliance / assess risk.
     2. Control Points are applied to tasks within each process identified in the Data Control Model.
     3. You cannot “control” all data all the time! Apply resources commensurate with compliance needs.
     4. How many control points there are and where they are placed will depend on:
        • Business model
        • Risk posture
        • Risk mitigation assessment
        • Complexity of process
  17. Configure Control Points for Transparency (step 3)
     Transparency requires a clear line of sight between:
     a. Task Owner
     b. Task detail
     c. The data required
     d. The Standard that guides the execution
     e. The Control Rule that enforces the Standard
     f. The Metric that measures compliance
     Accountability is defined for each Control Point, which provides task-level accountability. (Diagram: Task Owner → Tasks → Data → Standard → Control Rule → Metric)
     Confidential and Proprietary. Copyright© 2018. DATUM LLC
  18. Control Point Tasks (step 3)
     Steps and implementation notes:
     • Identify in-scope business processes: this should be available in the Governance Framework. Examples might be product procurement; loan origination; Order to Cash, etc.
     • Identify how data in the business processes will be controlled: this must align with your Governance Operating Model. All data cannot be controlled in all places (generally speaking). Pick process gates or milestones that create a natural measurement point. Be practical – whatever is selected must work today, AND will evolve over time as capabilities evolve.
     • Build Control Rules: Control Rules must rely on observable and measurable data or work products, and must have roles assigned. Rules must be supported by a Standard and/or a Policy.
  19. Curate your Data – The Data Control Model relies on well-labeled data (step 4)
     Data Classification / Labeling:
     1. Important data is data that feeds key performance or compliance metrics
     2. Data is labelled to show where it is in the lifecycle
     3. Data is linked to a Data Asset
     4. Data has a Security Classification
     5. A Personal Information “Type” label flags this data as falling under privacy regulations
     Do we know enough about the data to know it is being managed correctly?
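The deck's point in slides 17 to 19 is that a control only counts if it is observable and measurable in the data: a Control Point names a task, an owner, a standard, the rule that enforces the standard and the metric that measures it, and the labels from slide 19 are what the rule inspects. The following Python is an added illustration, not DATUM's code or tooling: it encodes three control points as executable rules over a small set of constructed records and produces the evidence (pass rate plus failing record ids) an auditor would ask for. The record layout, label names, role names and sample values are all assumptions made for the example.

```python
"""Control rules made observable and measurable in the data (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample records carrying the slide-19 labels: lifecycle stage,
# owning Data Asset, security classification, and a personal-information
# "type" that flags privacy-regulated data. Values are illustrative only.
RECORDS: List[Dict] = [
    {"id": "r1", "lifecycle": "active", "asset": "customer_master",
     "security_class": "confidential", "pi_type": "contact"},
    {"id": "r2", "lifecycle": "active", "asset": "customer_master",
     "security_class": None, "pi_type": "financial"},   # PI with no classification
    {"id": "r3", "lifecycle": None, "asset": "orders",
     "security_class": "internal", "pi_type": None},     # lifecycle label missing
    {"id": "r4", "lifecycle": "archived", "asset": None,
     "security_class": "internal", "pi_type": None},     # not linked to an asset
]


@dataclass
class ControlPoint:
    """One Control Point as slide 17 lays it out: owner, task, standard,
    the rule that enforces the standard and the metric that measures it."""
    task: str
    owner: str                     # accountable role from the RACI (hypothetical)
    standard: str
    metric: str
    rule: Callable[[Dict], bool]   # True when a record satisfies the standard
    # Which records the rule applies to; default is every record.
    scope: Callable[[Dict], bool] = field(default=lambda r: True)


@dataclass
class Finding:
    """Audit evidence: how many records were in scope, how many passed,
    and the ids of the ones that did not."""
    control_point: str
    owner: str
    metric: str
    in_scope: int
    passed: int
    failures: List[str]

    @property
    def pass_rate(self) -> float:
        # An empty scope is vacuously compliant; there is nothing to fail.
        return self.passed / self.in_scope if self.in_scope else 1.0


def evaluate(cp: ControlPoint, records: List[Dict]) -> Finding:
    """Run one control rule over the records in its scope and keep the evidence."""
    scoped = [r for r in records if cp.scope(r)]
    failures = [r["id"] for r in scoped if not cp.rule(r)]
    return Finding(cp.task, cp.owner, cp.metric,
                   len(scoped), len(scoped) - len(failures), failures)


# Control points derived from the labelling checklist on slide 19.
# Task, owner and metric names are assumptions for the example.
CONTROL_POINTS: List[ControlPoint] = [
    ControlPoint(
        task="classify PI records", owner="Data Steward",
        standard="Every record carrying a PI type has a security classification",
        metric="pi_classified_rate",
        rule=lambda r: r["security_class"] is not None,
        scope=lambda r: r["pi_type"] is not None),
    ControlPoint(
        task="label lifecycle", owner="Data Owner",
        standard="Every record is labelled with its lifecycle stage",
        metric="lifecycle_labelled_rate",
        rule=lambda r: r["lifecycle"] is not None),
    ControlPoint(
        task="link to data asset", owner="Data Architect",
        standard="Every record is linked to a registered Data Asset",
        metric="asset_linked_rate",
        rule=lambda r: r["asset"] is not None),
]


def run_controls(records: List[Dict] = RECORDS) -> Dict[str, Finding]:
    """Evaluate every control point; results are keyed by metric name."""
    return {cp.metric: evaluate(cp, records) for cp in CONTROL_POINTS}


if __name__ == "__main__":
    for f in run_controls().values():
        print(f"{f.metric} ({f.owner}): {f.passed}/{f.in_scope} "
              f"= {f.pass_rate:.0%}, failing={f.failures}")
```

Each `Finding` is the "footprint" the deck asks for: the metric gives the measurable number, the failing ids give the observable evidence, and the owner on the control point gives the accountability. Swapping `RECORDS` for a real extract and `CONTROL_POINTS` for the organization's own rules is the same pattern at scale.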
  20. Three approaches to labeling your data (step 4)
     a. Steward Led Curation:
        • People driven
        • Source knowledge drives classification
     b. Systemic Curation:
        • Glossary driven
        • Data structures / location drives classification
     c. Semantic Curation:
        • Machine Learning driven
        • Data meaning drives classification
     Scaling is a challenge: Costs ↑; Quality ↓; Inflexible / Brittle
     At scale: Costs ↓; Quality ↑; Flexibility maintained
     (Chart axis: Governance Maturity; data sources: Source Files; Transaction Systems)
  21. Enable automation & scaling through Machine Learning (step 5)
     ML techniques perform the following functions:
     • Identify: identification of instance data in order to classify the data
     • Classify: classify the data
     • Resolve: perform entity resolution
     • Link: identify and resolve relationships and specify relationship type / strength
  22. Architecting for Compliance & Risk Management
     1. Data Control Model
     2. Update Operating Model
     3. Define & Configure Control Points
     4. Label Data
     5. Architect, Automate, Scale
     • Links data to Control System
     • Aligns Business Objectives
     • Builds Defensibility
     • Ensures Accountability
     • Creates Transparency
     • Bases for Governed Data
     • Addresses issues of “completeness”
  23. Thank you for your time.
     • Any questions?
     • Visit us at www.datumstrategy.com for more information
     • For the latest news follow us on Twitter at @datumstrategy
