Architecting the Framework for
Compliance & Risk Management
Jonathan Adams, Director of Research, DATUM
Jonathan Adams
• Director of Research that supports customers in
building governance discipline around analytics
and regulatory compliance
• Certified CMMI Enterprise Data Management
Expert (EDME)
• 20+ years of experience in leading requirements,
design and implementation efforts for retailers,
financial organizations and federal agencies
Risk
the Federal Reserve barred the bank from
future asset … until it improves
corporate governance
https://www.thestreet.com/story/14508322/1/wells-fargo-directors-retire-after-federal-reserve-slams-governance.html
the company not only suffered a breach in
late 2016 … hiding it from the General
Counsel and Board.
https://www.forbes.com/sites/forrester/2017/12/05/ubers-uber-breach-a-stunning-failure-in-corporate-governance-and-culture/#ec10cf459fc5
Ex-CEO Blames One Employee For Patch Failures … how it was
possible that a business of this size, with an information security team
that reportedly comprised 225 personnel, could have screwed up in such
spectacular fashion.
https://www.bankinfosecurity.com/blogs/equifax-ex-ceo-blames-one-employee-for-patch-failures-p-2551
It's important to understand that what happened …
was not just a technological failure but more
important a failure of management and
corporate governance.
https://www.bloomberg.com/gadfly/articles/2017-10-03/equifax-can-t-protect-data-but-it-can-keep-a-secret
We have spent tens of
millions on governance –
why are we receiving
MRIA’s?!
Data Practitioner at major bank
Systems of controls lack
linkage to data
Controls must be
observable and
measurable in the data!
If footprints of good
practices are not
observable in data – did
they happen?
The Compliance Challenge
Creating Audit Defensibility that ensures
practices are compliant and performed in
a way that is transparent and defensible at
the data level
Building a robust and comprehensive
Control Model
Compliance
a: The act or process of complying to a desire, demand,
proposal, or regimen or to coercion
b: conformity in fulfilling official requirements
Merriam Webster
In data management and governance, Compliance is about
defining the Data Control Model that reduces risk, and
creates “Audit Defensibility”
Audit Defensibility
The degree to which the organization is ready to address the
demands of an auditor:
• Observable
• Measurable
• Repeatable
• Robust
• Transparent
• Defensible
Operationalized in a Data Control Model
Data Control Model sits within the Control System
Control Environment
• Sets the tone for the organization
Risk Assessment
• Identification and analysis of relevant risks to the
achievement of objectives
Information and Communication
• Systems or processes that support the identification,
capture, and exchange of information
Control Activities
• Policies and procedures that help ensure
management directives are carried out
Monitoring
• Processes that assess the quality of internal control
performance over time
Sources: COSO Internal Control – Integrated Framework (the original COSO cube); AICPA System and Organization Controls
The Data Control Model connects data to the
overarching Control System
The configuration of a Data Control Model aligns impacted
data with compliance requirements and best practices.
Data Control Model components (diagram): Objectives; Policies / SOP;
Standards; Rules; Processes; Data; Metrics
Best Practice Frameworks define "good" and are
critical input to Control Systems
Inputs to the Control System (diagram): Best Practices;
Organizational Mission / Culture; Operating Model
Frameworks can be:
Regulatory
• BCBS 239; GDPR; CCAR; …
Industry
• APQC – Petroleum; FIBO; …
Functional
• COBIT; CMMI DMM; ISO 27001;
NIST SP 800 series; SCOR; …
Internal
• Policy / Management driven
The Challenge is that Control Systems and
Frameworks rarely identify the data!
What does this mean to
a data manager?
• What data?
• What systems?
• Who owns?
• What processes?
• What Controls?
APQC Process Classification Framework
https://www.apqc.org/
Creating Alignment
Alignment maps regulatory requirements to:
• Best Practices: those activities that one would expect to see high-
maturity companies executing in order to be compliant
• Governance Artifacts & Work Products: those elements of the Data
Control Model that support the Practices detailed above
Alignment to regulatory requirements is often formalized in a matrix that
cross-walks each regulation to best practices and work products.
Implementing the Data Control Model
Steps to Setting up a Data Control Model
1. Configure the Data Control Model
2. Configure the Operating Model
3. Identify Control Points
4. Label the Data
5. Automate and Scale
1. Set up the Data Control Model
Steps and implementation notes:
• Identify compliance objectives: policies and guidance from risk and compliance teams.
• Identify the relevant best-practices framework: multiple sources will provide guidance:
industry associations; regulators; publications; internal documentation.
• Extend the best-practices framework as needed: match the detail to your capabilities!
Additional detail only makes sense if you have the use case and the capabilities to leverage it.
• Align compliance objectives: remember, auditors need observable and measurable artifacts
or work products to support findings. The regulatory alignment matrix discussed above is used here.
• Identify Processes and Control Points: where will you look for evidence of compliance?
• Build Control Rules: how will you know that you are compliant? What questions must be
asked of the data to validate compliance?
• Align / assign Controls to data and to the RACI: accountability, i.e. who is doing what,
when and where?
• Identify the testing method for Control Rules: this may impact your Operating Model.
Control Rules may be tested as part of an annual audit, during ETL, or using a data quality tool.
2. Create / Update the Operating Model for
Accountability
What is a Governance Operating Model? The alignment of organizational
roles, functions, and decision processes to the Governance Framework.
Operating Model components: data governance roles; functions aligned to
roles and teams; decision-making processes.
Steps and implementation notes:
• If a Model exists: are the required functions and roles supported? What new roles
must be created? Are roles and functions resourced for the new activity?
• Capability analysis: does the team have the right capabilities? Tools? Training?
• Assign roles to Control Points: assign roles to the places where compliance will be
enforced: Rules and Processes.
3. Identify Control Points
"Control Points" are activities / tasks that are linked to
compliance-related Rules, Standards and Data.
1. Control Points are where the auditor will look to validate
compliance / assess risk.
2. Control Points are applied to tasks within each process
identified in the Data Control Model.
3. You cannot "control" all data all the time! Apply resources
commensurate with compliance needs.
4. How many Control Points there are, and where they are
placed, will depend on:
• Business model
• Risk posture
• Risk mitigation assessment
• Complexity of process
(Slide example: Breach Remediation Process)
3. Configure Control Points for Transparency
Transparency requires a clear line of sight between:
a. Task Owner
b. Task detail
c. The data required
d. The Standard that guides the execution
e. The Control Rule that enforces the Standard
f. The Metric that measures compliance
(Diagram: Task Owner (a) → Tasks (b) → Data (c) → Standard (d) →
Control Rule (e) → Metric (f). Accountability is defined for each
Control Point, which provides task-level accountability.)
Confidential and Proprietary. Copyright© 2018. DATUM LLC
3. Control Point Tasks
Steps and implementation notes:
• Identify in-scope business processes: these should be available in the Governance
Framework. Examples might be product procurement; loan origination; order to cash, etc.
• Identify how data in the business processes will be controlled: this must align with your
Governance Operating Model. All data cannot be controlled in all places (generally speaking).
Pick process gates or milestones that create a natural measurement point.
Be practical: whatever is selected must work today, AND must evolve over time as
capabilities evolve.
• Build Control Rules: Control Rules must rely on observable and measurable data or work
products, and must have roles assigned. Rules must be supported by a Standard and/or a Policy.
4. Curate your Data: the Data Control Model relies
on well-labelled data
Data Classification / Labelling
1. Important data is data that feeds key
performance or compliance metrics.
2. Data is labelled to show where it is
in the lifecycle.
3. Data is linked to a Data Asset.
4. Data has a Security Classification.
5. A Personal Information "Type" label
flags the data as falling under
privacy regulations.
Do we know enough about the data to know it
is being managed correctly?
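The control-point chain described above (Task Owner, Task, Data, Standard, Control Rule, Metric) and the labelling requirements just listed can be made concrete as control rules that are actually evaluated against the data. The block below is an added example written for this page, not code from DATUM or from the deck: it defines a hypothetical control point at a customer-onboarding process gate, runs three hypothetical control rules over a few constructed customer-master records, and emits one evidence row per rule carrying the owner, standard, rule and metric an auditor would ask for. The field names, rule IDs, standard names, owner role and sample records are all assumptions made for the example.

```python
"""Evaluate control rules over data at a control point and emit audit evidence.

Each evidence row carries the six elements the transparency slide lists:
task owner, task, data, standard, control rule and metric.
Added example for this page; names and data are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Record = Dict[str, Optional[str]]

# Constructed sample data (not from the deck): customer-master rows as they
# would sit at a process gate, e.g. the end of customer onboarding.
SAMPLE_RECORDS: List[Record] = [
    {"id": "C001", "pi_type": "contact",   "security_class": "confidential", "lifecycle": "active",   "asset": "CUST_MASTER"},
    {"id": "C002", "pi_type": "contact",   "security_class": None,           "lifecycle": "active",   "asset": "CUST_MASTER"},
    {"id": "C003", "pi_type": None,        "security_class": "internal",     "lifecycle": None,       "asset": None},
    {"id": "C004", "pi_type": "financial", "security_class": "restricted",   "lifecycle": "archived", "asset": "CUST_MASTER"},
]


@dataclass(frozen=True)
class ControlRule:
    rule_id: str
    standard: str                        # the Standard this rule enforces
    question: str                        # the question asked of the data
    in_scope: Callable[[Record], bool]   # which records the rule applies to
    passes: Callable[[Record], bool]     # observable, record-level test


@dataclass(frozen=True)
class ControlPoint:
    name: str
    task: str
    owner: str            # accountable role from the RACI
    data_asset: str
    rules: List[ControlRule]


@dataclass(frozen=True)
class Evidence:
    """One auditor-facing row: who, what task, which data, which standard,
    which rule, and the metric (pass rate) plus the failing record ids."""
    control_point: str
    task: str
    owner: str
    data_asset: str
    standard: str
    rule_id: str
    in_scope: int
    passed: int
    failed_ids: List[str]

    @property
    def pass_rate(self) -> float:
        return self.passed / self.in_scope if self.in_scope else 1.0


def evaluate(point: ControlPoint, records: List[Record]) -> List[Evidence]:
    """Run every rule at the control point; one evidence row per rule."""
    rows = []
    for rule in point.rules:
        scoped = [r for r in records if rule.in_scope(r)]
        failed = [r["id"] for r in scoped if not rule.passes(r)]
        rows.append(Evidence(point.name, point.task, point.owner, point.data_asset,
                             rule.standard, rule.rule_id, len(scoped),
                             len(scoped) - len(failed), failed))
    return rows


def compliant(evidence: List[Evidence], threshold: float = 1.0) -> bool:
    """The control point passes only if every rule meets the threshold."""
    return all(e.pass_rate >= threshold for e in evidence)


# Hypothetical rules and standard names, written for this example.
RULES = [
    ControlRule("CR-01", "Data Classification Standard",
                "Does every record holding personal information carry a security classification?",
                in_scope=lambda r: r["pi_type"] is not None,
                passes=lambda r: r["security_class"] is not None),
    ControlRule("CR-02", "Data Asset Register Standard",
                "Is every record linked to a registered data asset?",
                in_scope=lambda r: True,
                passes=lambda r: r["asset"] is not None),
    ControlRule("CR-03", "Data Lifecycle Standard",
                "Is every record labelled with its lifecycle stage?",
                in_scope=lambda r: True,
                passes=lambda r: r["lifecycle"] is not None),
]

ONBOARDING_GATE = ControlPoint(
    name="CP-ONB-01", task="Release customer record to production",
    owner="Customer Data Steward", data_asset="CUST_MASTER", rules=RULES)


if __name__ == "__main__":
    evidence = evaluate(ONBOARDING_GATE, SAMPLE_RECORDS)
    for e in evidence:
        print(f"{e.rule_id} [{e.standard}] owner={e.owner} "
              f"pass={e.passed}/{e.in_scope} failed={e.failed_ids}")
    print("control point compliant:", compliant(evidence))
```

Run as a script to see the per-rule evidence. The failing record ids in each row are the "footprints" the deck asks for: a control that ran and passed leaves a row with an empty failed list, while a control that never ran leaves no row at all, which is exactly what an auditor will notice. The threshold argument is where risk posture enters: a control point may tolerate a pass rate below 100% for a given rule, but that tolerance is then recorded alongside the metric rather than hidden in a narrative.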
Three approaches to labelling your data (shown on the slide as a
progression in Governance Maturity, with Source Files and Transaction
Systems as the inputs):
a. Steward-led curation:
• People driven
• Source knowledge drives classification
b. Systemic curation:
• Glossary driven
• Data structures / location drive classification
c. Semantic curation:
• Machine-learning driven
• Data meaning drives classification
At the steward-led end, scaling is the challenge: costs ↑; quality ↓;
inflexible / brittle. At the semantic end, at scale: costs ↓; quality ↑;
flexibility maintained.
5. Enable automation & scaling through Machine
Learning
ML techniques perform the following functions:
• Identify: identification of instance data in order to classify the data
• Classify: classify the data
• Resolve: perform entity resolution
• Link: identify and resolve relationships and specify relationship type /
strength
Architecting for Compliance & Risk Management
1. Data Control Model
2. Update Operating Model
3. Define & Configure Control Points
4. Label Data
5. Architect, Automate, Scale
• Links data to the Control System
• Aligns business objectives
• Builds defensibility
• Ensures accountability
• Creates transparency
• Basis for governed data
• Addresses issues of "completeness"
Thank you for your time.
• Any questions?
• Visit us at www.datumstrategy.com for more information
• For the latest news follow us on Twitter at @datumstrategy

More Related Content

What's hot

Governance, Risk, Compliance & Trust (OCEG graphics removed)
Governance, Risk, Compliance & Trust (OCEG graphics removed)Governance, Risk, Compliance & Trust (OCEG graphics removed)
Governance, Risk, Compliance & Trust (OCEG graphics removed)Alex Todd
 
Evolution of Records Management in Law Firms
Evolution of Records Management in Law FirmsEvolution of Records Management in Law Firms
Evolution of Records Management in Law FirmsJim Merrifield, IGP, CIP
 
Governance Risk and Compliance - in Higher Education - Australia
Governance Risk and Compliance - in Higher Education - AustraliaGovernance Risk and Compliance - in Higher Education - Australia
Governance Risk and Compliance - in Higher Education - AustraliaMarissa McCauley
 
Operational security | How to design your information security GRC (governanc...
Operational security | How to design your information security GRC (governanc...Operational security | How to design your information security GRC (governanc...
Operational security | How to design your information security GRC (governanc...Maxime CARPENTIER
 
Privacy Operations (PrivacyOps) Framework - Feroot Privacy
Privacy Operations (PrivacyOps) Framework - Feroot PrivacyPrivacy Operations (PrivacyOps) Framework - Feroot Privacy
Privacy Operations (PrivacyOps) Framework - Feroot PrivacyIvan Tsarynny
 
What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance BOC Group
 
GRC 101 ISACA Bengaluru on 28th Dec 2013
GRC 101 ISACA Bengaluru on 28th Dec 2013GRC 101 ISACA Bengaluru on 28th Dec 2013
GRC 101 ISACA Bengaluru on 28th Dec 2013FixNix Inc.,
 
Ten Slides in Ten Minutes - Company Realities - GRC
Ten Slides in Ten Minutes - Company Realities - GRCTen Slides in Ten Minutes - Company Realities - GRC
Ten Slides in Ten Minutes - Company Realities - GRCBill Graham CP.APMP
 
Implementing an Effective Third-party & Vendor Risk Management Program
Implementing an Effective Third-party & Vendor Risk Management ProgramImplementing an Effective Third-party & Vendor Risk Management Program
Implementing an Effective Third-party & Vendor Risk Management ProgramKannan Subbiah
 
Data governance
Data governanceData governance
Data governanceMD Redaan
 
What CDOs Need to Know: Foundations of Data Governance
What CDOs Need to Know: Foundations of Data GovernanceWhat CDOs Need to Know: Foundations of Data Governance
What CDOs Need to Know: Foundations of Data GovernanceDATAVERSITY
 
Assessing the Impact of a Disruption: Building an Effective Business Impact A...
Assessing the Impact of a Disruption: Building an Effective Business Impact A...Assessing the Impact of a Disruption: Building an Effective Business Impact A...
Assessing the Impact of a Disruption: Building an Effective Business Impact A...PECB
 
Advantages of an integrated governance, risk and compliance environment
Advantages of an integrated governance, risk and compliance environmentAdvantages of an integrated governance, risk and compliance environment
Advantages of an integrated governance, risk and compliance environmentIBM Analytics
 
Drive conf_final
Drive conf_finalDrive conf_final
Drive conf_finalJie Wu
 
EVERFI/SEI Webinar: Implementing a Competitive GDPR Compliance Posture
EVERFI/SEI Webinar: Implementing a Competitive GDPR Compliance PostureEVERFI/SEI Webinar: Implementing a Competitive GDPR Compliance Posture
EVERFI/SEI Webinar: Implementing a Competitive GDPR Compliance PostureMichele Collu
 

What's hot (19)

it grc
it grc it grc
it grc
 
Governance, Risk, Compliance & Trust (OCEG graphics removed)
Governance, Risk, Compliance & Trust (OCEG graphics removed)Governance, Risk, Compliance & Trust (OCEG graphics removed)
Governance, Risk, Compliance & Trust (OCEG graphics removed)
 
Accountability Corbit Overview 06262007
Accountability Corbit Overview 06262007Accountability Corbit Overview 06262007
Accountability Corbit Overview 06262007
 
Evolution of Records Management in Law Firms
Evolution of Records Management in Law FirmsEvolution of Records Management in Law Firms
Evolution of Records Management in Law Firms
 
Governance Risk and Compliance - in Higher Education - Australia
Governance Risk and Compliance - in Higher Education - AustraliaGovernance Risk and Compliance - in Higher Education - Australia
Governance Risk and Compliance - in Higher Education - Australia
 
Operational security | How to design your information security GRC (governanc...
Operational security | How to design your information security GRC (governanc...Operational security | How to design your information security GRC (governanc...
Operational security | How to design your information security GRC (governanc...
 
Privacy Operations (PrivacyOps) Framework - Feroot Privacy
Privacy Operations (PrivacyOps) Framework - Feroot PrivacyPrivacy Operations (PrivacyOps) Framework - Feroot Privacy
Privacy Operations (PrivacyOps) Framework - Feroot Privacy
 
What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance
 
GRC 101 ISACA Bengaluru on 28th Dec 2013
GRC 101 ISACA Bengaluru on 28th Dec 2013GRC 101 ISACA Bengaluru on 28th Dec 2013
GRC 101 ISACA Bengaluru on 28th Dec 2013
 
Ten Slides in Ten Minutes - Company Realities - GRC
Ten Slides in Ten Minutes - Company Realities - GRCTen Slides in Ten Minutes - Company Realities - GRC
Ten Slides in Ten Minutes - Company Realities - GRC
 
Implementing an Effective Third-party & Vendor Risk Management Program
Implementing an Effective Third-party & Vendor Risk Management ProgramImplementing an Effective Third-party & Vendor Risk Management Program
Implementing an Effective Third-party & Vendor Risk Management Program
 
Data governance
Data governanceData governance
Data governance
 
Data governance guide
Data governance guideData governance guide
Data governance guide
 
What CDOs Need to Know: Foundations of Data Governance
What CDOs Need to Know: Foundations of Data GovernanceWhat CDOs Need to Know: Foundations of Data Governance
What CDOs Need to Know: Foundations of Data Governance
 
Fix nix, inc
Fix nix, incFix nix, inc
Fix nix, inc
 
Assessing the Impact of a Disruption: Building an Effective Business Impact A...
Assessing the Impact of a Disruption: Building an Effective Business Impact A...Assessing the Impact of a Disruption: Building an Effective Business Impact A...
Assessing the Impact of a Disruption: Building an Effective Business Impact A...
 
Advantages of an integrated governance, risk and compliance environment
Advantages of an integrated governance, risk and compliance environmentAdvantages of an integrated governance, risk and compliance environment
Advantages of an integrated governance, risk and compliance environment
 
Drive conf_final
Drive conf_finalDrive conf_final
Drive conf_final
 
EVERFI/SEI Webinar: Implementing a Competitive GDPR Compliance Posture
EVERFI/SEI Webinar: Implementing a Competitive GDPR Compliance PostureEVERFI/SEI Webinar: Implementing a Competitive GDPR Compliance Posture
EVERFI/SEI Webinar: Implementing a Competitive GDPR Compliance Posture
 

Similar to Architecting the Framework for Compliance & Risk Management

TrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTuan Phan
 
How Ally Financial Achieved Regulatory Compliance with the Data Management Ma...
How Ally Financial Achieved Regulatory Compliance with the Data Management Ma...How Ally Financial Achieved Regulatory Compliance with the Data Management Ma...
How Ally Financial Achieved Regulatory Compliance with the Data Management Ma...DATAVERSITY
 
Salesforce1 data gov lunch toronto deck
Salesforce1 data gov lunch toronto deckSalesforce1 data gov lunch toronto deck
Salesforce1 data gov lunch toronto deckBeth Fitzpatrick
 
Ibm test data_management_v0.4
Ibm test data_management_v0.4Ibm test data_management_v0.4
Ibm test data_management_v0.4Rosario Cunha
 
Data Quality Management: Cleaner Data, Better Reporting
Data Quality Management: Cleaner Data, Better ReportingData Quality Management: Cleaner Data, Better Reporting
Data Quality Management: Cleaner Data, Better Reportingaccenture
 
SharePoint Governance and Compliance
SharePoint Governance and ComplianceSharePoint Governance and Compliance
SharePoint Governance and ComplianceSPC Adriatics
 
SharePoint Governance and Compliance
SharePoint Governance and ComplianceSharePoint Governance and Compliance
SharePoint Governance and ComplianceAlistair Pugin
 
Fixnix GRC Suite A Glance
Fixnix GRC Suite A GlanceFixnix GRC Suite A Glance
Fixnix GRC Suite A GlanceFixNix Inc.,
 
TOP_407070357-Data-Governance-Playbook.pptx
TOP_407070357-Data-Governance-Playbook.pptxTOP_407070357-Data-Governance-Playbook.pptx
TOP_407070357-Data-Governance-Playbook.pptxSabrinaLameiras1
 
Introduction to Data Governance
Introduction to Data GovernanceIntroduction to Data Governance
Introduction to Data GovernanceJohn Bao Vuu
 
gray_audit_presentation.ppt
gray_audit_presentation.pptgray_audit_presentation.ppt
gray_audit_presentation.pptKhalilIdhman
 
Data Analytics 3 Analytics Techniques
Data Analytics 3 Analytics Techniques Data Analytics 3 Analytics Techniques
Data Analytics 3 Analytics Techniques Jim Kaplan CIA CFE
 
Akili Data Integration using PPDM
Akili Data Integration using PPDMAkili Data Integration using PPDM
Akili Data Integration using PPDMrnaramore
 
Salesforce1 data gov lunch anaheim deck
Salesforce1 data gov lunch anaheim deckSalesforce1 data gov lunch anaheim deck
Salesforce1 data gov lunch anaheim deckBeth Fitzpatrick
 
Best Practices of Data Governance.pptx
Best Practices of Data Governance.pptxBest Practices of Data Governance.pptx
Best Practices of Data Governance.pptxpreludesyscloudmigra
 
Data-Ed Webinar: Data Quality Success Stories
Data-Ed Webinar: Data Quality Success StoriesData-Ed Webinar: Data Quality Success Stories
Data-Ed Webinar: Data Quality Success StoriesDATAVERSITY
 
2016-06-08 FDA Inspection Readiness - Mikael Yde
2016-06-08 FDA Inspection Readiness - Mikael Yde2016-06-08 FDA Inspection Readiness - Mikael Yde
2016-06-08 FDA Inspection Readiness - Mikael Ydemikaelyde
 
Quality management best practices
Quality management best practicesQuality management best practices
Quality management best practicesselinasimpson2201
 
Data Governance Overview - Doreen Christian
Data Governance Overview - Doreen ChristianData Governance Overview - Doreen Christian
Data Governance Overview - Doreen ChristianDoreen Christian
 
Introduction to DCAM, the Data Management Capability Assessment Model - Editi...
Introduction to DCAM, the Data Management Capability Assessment Model - Editi...Introduction to DCAM, the Data Management Capability Assessment Model - Editi...
Introduction to DCAM, the Data Management Capability Assessment Model - Editi...Element22
 

Similar to Architecting the Framework for Compliance & Risk Management (20)

TrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security Authorization
 
How Ally Financial Achieved Regulatory Compliance with the Data Management Ma...
How Ally Financial Achieved Regulatory Compliance with the Data Management Ma...How Ally Financial Achieved Regulatory Compliance with the Data Management Ma...
How Ally Financial Achieved Regulatory Compliance with the Data Management Ma...
 
Salesforce1 data gov lunch toronto deck
Salesforce1 data gov lunch toronto deckSalesforce1 data gov lunch toronto deck
Salesforce1 data gov lunch toronto deck
 
Ibm test data_management_v0.4
Ibm test data_management_v0.4Ibm test data_management_v0.4
Ibm test data_management_v0.4
 
Data Quality Management: Cleaner Data, Better Reporting
Data Quality Management: Cleaner Data, Better ReportingData Quality Management: Cleaner Data, Better Reporting
Data Quality Management: Cleaner Data, Better Reporting
 
SharePoint Governance and Compliance
SharePoint Governance and ComplianceSharePoint Governance and Compliance
SharePoint Governance and Compliance
 
SharePoint Governance and Compliance
SharePoint Governance and ComplianceSharePoint Governance and Compliance
SharePoint Governance and Compliance
 
Fixnix GRC Suite A Glance
Fixnix GRC Suite A GlanceFixnix GRC Suite A Glance
Fixnix GRC Suite A Glance
 
TOP_407070357-Data-Governance-Playbook.pptx
TOP_407070357-Data-Governance-Playbook.pptxTOP_407070357-Data-Governance-Playbook.pptx
TOP_407070357-Data-Governance-Playbook.pptx
 
Introduction to Data Governance
Introduction to Data GovernanceIntroduction to Data Governance
Introduction to Data Governance
 
gray_audit_presentation.ppt
gray_audit_presentation.pptgray_audit_presentation.ppt
gray_audit_presentation.ppt
 
Data Analytics 3 Analytics Techniques
Data Analytics 3 Analytics Techniques Data Analytics 3 Analytics Techniques
Data Analytics 3 Analytics Techniques
 
Akili Data Integration using PPDM
Akili Data Integration using PPDMAkili Data Integration using PPDM
Akili Data Integration using PPDM
 
Salesforce1 data gov lunch anaheim deck
Salesforce1 data gov lunch anaheim deckSalesforce1 data gov lunch anaheim deck
Salesforce1 data gov lunch anaheim deck
 
Best Practices of Data Governance.pptx
Best Practices of Data Governance.pptxBest Practices of Data Governance.pptx
Best Practices of Data Governance.pptx
 
Data-Ed Webinar: Data Quality Success Stories
Data-Ed Webinar: Data Quality Success StoriesData-Ed Webinar: Data Quality Success Stories
Data-Ed Webinar: Data Quality Success Stories
 
2016-06-08 FDA Inspection Readiness - Mikael Yde
2016-06-08 FDA Inspection Readiness - Mikael Yde2016-06-08 FDA Inspection Readiness - Mikael Yde
2016-06-08 FDA Inspection Readiness - Mikael Yde
 
Quality management best practices
Quality management best practicesQuality management best practices
Quality management best practices
 
Data Governance Overview - Doreen Christian
Data Governance Overview - Doreen ChristianData Governance Overview - Doreen Christian
Data Governance Overview - Doreen Christian
 
Introduction to DCAM, the Data Management Capability Assessment Model - Editi...
Introduction to DCAM, the Data Management Capability Assessment Model - Editi...Introduction to DCAM, the Data Management Capability Assessment Model - Editi...
Introduction to DCAM, the Data Management Capability Assessment Model - Editi...
 

Recently uploaded

Log Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxLog Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxJohnnyPlasten
 
Invezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signalsInvezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signalsInvezz1
 
Data-Analysis for Chicago Crime Data 2023
Data-Analysis for Chicago Crime Data  2023Data-Analysis for Chicago Crime Data  2023
Data-Analysis for Chicago Crime Data 2023ymrp368
 
Midocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFxMidocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFxolyaivanovalion
 
Carero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptxCarero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptxolyaivanovalion
 
Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...
Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...
Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...amitlee9823
 
Generative AI on Enterprise Cloud with NiFi and Milvus
Generative AI on Enterprise Cloud with NiFi and MilvusGenerative AI on Enterprise Cloud with NiFi and Milvus
Generative AI on Enterprise Cloud with NiFi and MilvusTimothy Spann
 
Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
Vip Model  Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...Vip Model  Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...shivangimorya083
 
Week-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionWeek-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionfulawalesam
 
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...amitlee9823
 
Accredited-Transport-Cooperatives-Jan-2021-Web.pdf
Accredited-Transport-Cooperatives-Jan-2021-Web.pdfAccredited-Transport-Cooperatives-Jan-2021-Web.pdf
Accredited-Transport-Cooperatives-Jan-2021-Web.pdfadriantubila
 
April 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's AnalysisApril 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's Analysismanisha194592
 
100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptxAnupama Kate
 
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
BigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptxBigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptxolyaivanovalion
 
CebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxCebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxolyaivanovalion
 
BabyOno dropshipping via API with DroFx.pptx
BabyOno dropshipping via API with DroFx.pptxBabyOno dropshipping via API with DroFx.pptx
BabyOno dropshipping via API with DroFx.pptxolyaivanovalion
 
Ravak dropshipping via API with DroFx.pptx
Ravak dropshipping via API with DroFx.pptxRavak dropshipping via API with DroFx.pptx
Ravak dropshipping via API with DroFx.pptxolyaivanovalion
 

Recently uploaded (20)

Log Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxLog Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptx
 
Invezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signalsInvezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signals
 
Data-Analysis for Chicago Crime Data 2023
Data-Analysis for Chicago Crime Data  2023Data-Analysis for Chicago Crime Data  2023
Data-Analysis for Chicago Crime Data 2023
 
Midocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFxMidocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFx
 
Carero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptxCarero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptx
 
Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...

Architecting the Framework for Compliance & Risk Management

  • 1. Architecting the Framework for Compliance & Risk Management. Jonathan Adams, Director of Research, DATUM
  • 2. Jonathan Adams
    • Director of Research; supports customers in building governance discipline around analytics and regulatory compliance
    • Certified CMMI Enterprise Data Management Expert (EDME)
    • 20+ years of experience leading requirements, design and implementation efforts for retailers, financial organizations and federal agencies
  • 3. Risk
    "the Federal Reserve barred the bank from future asset … until it improves corporate governance" https://www.thestreet.com/story/14508322/1/wells-fargo-directors-retire-after-federal-reserve-slams-governance.html
    "the company not only suffered a breach in late 2016 … hiding it from the General Counsel and Board." https://www.forbes.com/sites/forrester/2017/12/05/ubers-uber-breach-a-stunning-failure-in-corporate-governance-and-culture/#ec10cf459fc5
    "Ex-CEO Blames One Employee For Patch Failures … how it was possible that a business of this size, with an information security team that reportedly comprised 225 personnel, could have screwed up in such spectacular fashion." https://www.bankinfosecurity.com/blogs/equifax-ex-ceo-blames-one-employee-for-patch-failures-p-2551
    "It's important to understand that what happened … was not just a technological failure but more important a failure of management and corporate governance." https://www.bloomberg.com/gadfly/articles/2017-10-03/equifax-can-t-protect-data-but-it-can-keep-a-secret
    "We have spent tens of millions on governance – why are we receiving MRIAs?!" (Data practitioner at a major bank)
    The system of controls lacks linkage to the data. Controls must be observable and measurable in the data! If the footprints of good practices are not observable in the data, did they happen?
  • 4. The Compliance Challenge. Creating audit defensibility that ensures practices are compliant and performed in a way that is transparent and defensible at the data level. Building a robust and comprehensive Control Model.
  • 5. Compliance. a: The act or process of complying to a desire, demand, proposal, or regimen or to coercion. b: conformity in fulfilling official requirements. (Merriam-Webster) In data management and governance, compliance is about defining the Data Control Model that reduces risk and creates "audit defensibility".
  • 6. Audit Defensibility. The degree to which the organization is ready to address the demands of an auditor: observable, measurable, repeatable, robust, transparent, defensible. Operationalized in a Data Control Model.
  • 7. The Data Control Model sits within the Control System. The COSO Internal Control Framework components:
    • Control Environment: sets the tone for the organization
    • Risk Assessment: identification and analysis of relevant risks to the achievement of objectives
    • Information and Communication: systems or processes that support the identification, capture, and exchange of information
    • Control Activities: policies and procedures that help ensure management directives are carried out
    • Monitoring processes: assess the quality of internal control performance over time
    See also AICPA System and Organization Controls. (Figure: the original COSO cube, Internal Control Integrated Framework.)
  • 8. The Data Control Model connects data to the overarching Control System: the configuration of a Data Control Model to align impacted data with compliance requirements and best practices. Its elements are Rules, Data Standards, Processes, Objectives, Policies / SOPs, and Metrics.
  • 9. Best practice frameworks define "good" and are critical input to Control Systems, alongside organizational mission / culture and the operating model. Frameworks can be:
    • Regulatory: BCBS 239; GDPR; CCAR; …
    • Industry: APQC – Petroleum; FIBO; …
    • Functional: COBIT; CMMI DMM; ISO 27001; NIST 800; SCOR; …
    • Internal: policy / management driven
  • 10. The challenge is that Control Systems and frameworks rarely identify the data! What does this mean to a data manager? What data? What systems? Who owns it? What processes? What controls? (Example: APQC Process Classification Framework, https://www.apqc.org/)
  • 11. Creating Alignment. Alignment maps regulatory requirements to:
    • Best Practices: those activities one would expect to see high-maturity companies executing in order to be compliant
    • Governance Artifacts & Work Products: those elements of the Data Control Model that support the practices above
    Alignment to regulatory requirements is often formalized in a matrix that cross-walks each regulation to best practices and work products.
  • 12. Implementing the Data Control Model
  • 13. Steps to setting up a Data Control Model: 1. Configure Data Control Model; 2. Configure Operating Model; 3. Identify Control Points; 4. Get the Data Labelled; 5. Automation & Scaling
  • 14. Set up the Data Control Model (step 1). Steps and implementation notes:
    • Identify compliance objectives: policies and guidance from risk and compliance teams.
    • Identify the relevant best practices framework: multiple sources will provide guidance (industry associations, regulators, publications, internal documentation).
    • Extend the best practices framework as needed: match the detail to your capabilities! Additional detail only makes sense if you have the use case and capabilities to leverage it.
    • Compliance objectives alignment: remember, auditors need observable and measurable artifacts or work products to support findings. The regulatory alignment matrix discussed above is used here.
    • Identify processes and Control Points: where will you look for evidence of compliance?
    • Build Control Rules: how will you know that you are compliant? What questions must be asked of the data to validate compliance?
    • Align / assign controls to data and to a RACI: accountability; who is doing what, when and where?
    • Identify the testing method for Control Rules: this may impact your Operating Model. Control Rules may be tested as part of an annual audit, during ETL, or using a data quality tool.
  • 15. Create / update the Operating Model for accountability (step 2). A Governance Operating Model is the alignment of organizational roles, functions, and decision processes to the Governance Framework; its components are data governance roles, functions aligned to roles and teams, and decision-making processes. Steps and implementation notes:
    • If a model exists: are the required functions and roles supported? What new roles must be created? Are roles and functions resourced for the new activity?
    • Capability analysis: does the team have the right capabilities? Tools? Training?
    • Assign roles to Control Points: assign roles to the places where compliance will be enforced, i.e. Rules and Processes.
  • 16. Identify Control Points (step 3). Example: Breach Remediation Process. "Control Points" are activities / tasks that are linked to compliance-related Rules, Standards and Data.
    1. Control Points are where the auditor will look to validate compliance / assess risk.
    2. Control Points are applied to tasks within each process identified in the Data Control Model.
    3. You cannot "control" all data all the time! Apply resources commensurate with compliance needs.
    4. How many Control Points there are, and where they are placed, will depend on: business model; risk posture; risk mitigation assessment; complexity of the process.
  • 17. Configure Control Points for transparency (step 3). Transparency requires a clear line of sight between: a. Task Owner; b. Task detail; c. The data required; d. The Standard that guides the execution; e. The Control Rule that enforces the Standard; f. The Metric that measures compliance. Accountability is defined for each Control Point, which provides task-level accountability. (Confidential and Proprietary. Copyright © 2018 DATUM LLC.)
  • 18. Control Point tasks (step 3). Steps and implementation notes:
    • Identify in-scope business processes: this should be available in the Governance Framework. Examples might be product procurement; loan origination; order to cash; etc.
    • Identify how data in the business processes will be controlled: this must align with your Governance Operating Model. All data cannot be controlled in all places (generally speaking). Pick process gates or milestones that create a natural measurement point. Be practical: whatever is selected must work today AND evolve over time as capabilities evolve.
    • Build Control Rules: Control Rules must rely on observable and measurable data or work products, and must have roles assigned. Rules must be supported by a Standard and/or a Policy.
  • 19. Curate your data; the Data Control Model relies on well-labelled data (step 4). Data classification / labelling:
    1. Important data is data that feeds key performance or compliance metrics
    2. Data is labelled to show where it is in the lifecycle
    3. Data is linked to a Data Asset
    4. Data has a security classification
    5. A Personal Information "Type" label flags data as falling under privacy regulations
    Do we know enough about the data to know it is being managed correctly?
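The following is an added example, not code from the DATUM deck, showing how the Control Point elements of slide 17 (task owner, task, data, standard, control rule, metric) can be wired together and run over labelled records of the kind slide 19 describes, so that each control produces the observable, measurable evidence slides 6 and 18 call for. Every rule ID, standard name, role name and data record below is constructed for illustration and is not taken from any framework or from the deck.

```python
"""Added example (not from the DATUM deck): a minimal Data Control Model
evaluator. Control Rules are predicates over labelled data records; each
rule cites the Standard it enforces and the accountable task owner, and
evaluation yields a metric plus the failing records as audit evidence.
All identifiers and sample records are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class DataRecord:
    """One labelled data element: asset, lifecycle stage, security
    classification and personal-information type, as on slide 19."""
    asset: str
    element: str
    security_class: str          # e.g. "Public", "Internal", "Confidential"
    pii_type: Optional[str]      # e.g. "Email", "SSN"; None if not personal data
    lifecycle: str               # e.g. "Active", "Archived"
    owner: Optional[str]         # accountable steward; None if unassigned
    retention_days: Optional[int]


@dataclass(frozen=True)
class ControlRule:
    """A question asked of the data, tied to a Standard and a task owner."""
    rule_id: str
    task: str
    task_owner: str
    standard: str
    check: Callable[[DataRecord], bool]   # True when the record complies


@dataclass
class ControlResult:
    rule_id: str
    task: str
    task_owner: str
    standard: str
    evaluated: int = 0
    passed: int = 0
    failures: List[str] = field(default_factory=list)  # "asset.element" per failure

    @property
    def metric(self) -> float:
        """Compliance rate at this Control Point (the Metric of slide 17)."""
        return self.passed / self.evaluated if self.evaluated else 1.0


# Constructed control rules; the standards and roles are hypothetical.
def pii_is_confidential(r: DataRecord) -> bool:
    return r.pii_type is None or r.security_class in ("Confidential", "Restricted")


def has_owner(r: DataRecord) -> bool:
    return bool(r.owner)


def pii_has_retention(r: DataRecord) -> bool:
    return r.pii_type is None or r.retention_days is not None


RULES = [
    ControlRule("CR-01", "Classify data elements", "Data Steward",
                "Data Classification Standard", pii_is_confidential),
    ControlRule("CR-02", "Assign data ownership", "Data Governance Lead",
                "Data Ownership Policy", has_owner),
    ControlRule("CR-03", "Set retention for personal data", "Privacy Officer",
                "Records Retention Schedule", pii_has_retention),
]

# Constructed sample records; two of them deliberately violate a rule.
RECORDS = [
    DataRecord("crm", "customer_email", "Confidential", "Email", "Active", "S. Patel", 1095),
    DataRecord("crm", "customer_ssn", "Internal", "SSN", "Active", "S. Patel", 2555),
    DataRecord("hr", "employee_phone", "Confidential", "Phone", "Active", None, None),
    DataRecord("fin", "gl_balance", "Internal", None, "Active", "M. Chen", 3650),
    DataRecord("fin", "vendor_id", "Internal", None, "Archived", "M. Chen", None),
]


def evaluate(rules: List[ControlRule], records: List[DataRecord]) -> Dict[str, ControlResult]:
    """Run every rule over every in-scope record; results keyed by rule_id."""
    results: Dict[str, ControlResult] = {}
    for rule in rules:
        res = ControlResult(rule.rule_id, rule.task, rule.task_owner, rule.standard)
        for rec in records:
            res.evaluated += 1
            if rule.check(rec):
                res.passed += 1
            else:
                res.failures.append(f"{rec.asset}.{rec.element}")
        results[rule.rule_id] = res
    return results


def evidence(results: Dict[str, ControlResult]) -> List[dict]:
    """Flatten results into the rows an auditor needs: who, which task,
    which Standard, the measured metric, and the failing records by name,
    so the finding is defensible at the data level."""
    return [
        {"rule": r.rule_id, "task": r.task, "owner": r.task_owner,
         "standard": r.standard, "metric": round(r.metric, 3),
         "evaluated": r.evaluated, "failures": list(r.failures)}
        for r in results.values()
    ]


if __name__ == "__main__":
    for row in evidence(evaluate(RULES, RECORDS)):
        print(row)
```

Because each rule is a plain predicate, the same evaluator can run at any of the testing points slide 14 lists (annual audit, ETL gate, or a data quality tool); only the record source changes, while the evidence rows stay identical in shape, which is what makes the control repeatable.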
  • 20. Three approaches to labelling your data (step 4), in order of increasing governance maturity:
    a. Steward-led curation: people driven; source knowledge drives classification. Scaling is a challenge: costs rise, quality falls, and the result is inflexible / brittle.
    b. Systemic curation: glossary driven; data structures / location drive classification.
    c. Semantic curation: machine learning driven; data meaning drives classification. At scale: costs fall, quality rises, flexibility is maintained.
    Inputs: source files; transaction systems.
  • 21. Enable automation & scaling through machine learning (step 5). ML techniques perform the following functions:
    • Identify: identification of instance data in order to classify the data
    • Classify: classify the data
    • Resolve: perform entity resolution
    • Link: identify and resolve relationships and specify relationship type / strength
  • 22. Architecting for Compliance & Risk Management: 1. Data Control Model; 2. Update Operating Model; 3. Define & Configure Control Points; 4. Label Data; 5. Architect, Automate, Scale. The approach: links data to the Control System; aligns business objectives; builds defensibility; ensures accountability; creates transparency; is the basis for governed data; addresses issues of "completeness".
  • 23. Thank you for your time. Any questions? Visit us at www.datumstrategy.com for more information. For the latest news follow us on Twitter at @datumstrategy.

Editor's Notes

  1. The data exists, but no one is looking at it. The policies exist, but the enforcement mechanism does not. The enforcement mechanism exists, but does not map to the data level.
  2. Robustness refers to the ability of the model to produce valid output across the complete range of inputs. A robust model has no use case where the observed behavior (inputs) does not get captured and evaluated correctly (desired outputs).
  3. Good Deloitte deck: https://www.slideshare.net/IrfanAhmedACACICA/coso-internal-control-integrated-framework-58951959 The Control System guides executive management and governance entities on relevant aspects of organizational governance. Established 1992; acceptance followed the financial control failures of the early 2000s. Most widely used framework in the States; widely used around the world.
  4. "Machine Learning is the science of getting computers to learn and act like humans do, and improve their learning over time in autonomous fashion, by feeding them data and information in the form of observations and real-world interactions." Identify: is this personal information? Does it look like a financial number? Does it reside in a financial statement? Classify: once data is identified, ML approaches support classifying the data within the data dictionary: the data is in the finance domain; it is in the "Deliver" phase of the SCOR lifecycle; it is a vendor; etc. Resolve: the completed data dictionary will support entity resolution by providing a richer feature set against which master data or analytical algorithms can be run. If I know the data represents a vendor, do I know which vendor? Link: the resolved entity is linked to internal and external reference sources. ML techniques may be used to identify and resolve link candidates and specify link type / strength.