In Ancient Greek Mythology, a Hydra is known as a serpent-like monster with many heads. If you cut off one hydra head, two more would grow back in its place… As you can probably imagine, defeating the hydra is not any easy task…
If you happen to be a data leader active in the financial sector, the challenges you are facing right now are probably of a similar nature: let’s take for example the BCBS239 compliance.
Due to siloed reporting processes, bad data quality and exploding data volumes, it can often seem as if you are trying to defeat a mythological data-hydra every day.
You solve a problem, and two new ones appear right away… Sounds familiar? We get it.
The risk of significant fines for non-compliance can cause a lot of frustration inside the organization.
Moreover, such issues like the lack of visibility of data flows, siloed business terminology, inefficient reporting processes and bad data quality can also lead to suboptimal decisions being made by the management, with a direct effect on the costs of your entire organization.
Compliance and data: it is complicated…
An important role in clarifying this entire picture would be played by the compliance team. But we cannot expect this team to become data experts overnight or take over the role of the data office.
Understanding data management implications by executing data impact assessments is a task that is simply not part of a traditional compliance team – in a classical organization.
That is why – in many organizations – the data team is dragged into the discussion long after the kick-off of regulatory related initiatives, because of a lack of a holistic approach.
The long road to implementation
There is often a long way between requirements being articulated and their implementation…
You know what we mean, right?
It starts off with discussions with top management and peers, and at the same time you’re convincing everybody on the utility of data governance. And then you still must secure a budget and avoid getting yourself lost in translation.
The staying alive part
And now you’re probably asking yourself: how do I make sure that I survive the journey up to implementation?
Well, based on various experiences in rolling out these types of projects, we have identified a few steps that will ensure you survive and even thrive after the regulatory journey ends:
Ø Decode the regulatory requirements and translate them into risk requirements, IT requirements, finance requirements, data governance requirements. This exercise cannot be done alone, you will need to put all the concerned parties around the table – representatives of risk, finance, data governance, IT, senior management – agree on deliverables and their ownership, clarify the budget aspect and then plan everything accordingly.
Ø Focus on the data governance requirements and articulate them in a draft of the future data related deliverables, starting from the basic structure matching the regulatory requirements: report inventory, business glossary, data traceability, data quality and corresponding ownership/ stewardship. Like the first step, this one requires the involvement of the right stakeholders as well, in this case specialized data professionals, together with whom the data specific requirements can be articulated in data deliverables.
Ø Agree on the data related deliverables together with the stakeholders involved in the first and the second step, to make sure you setup expectations from the very beginning. The data related deliverables consist of:
- a business glossary and report inventory which will offer visibility on the data and report scope
- data traceability and data quality which will build upon the inventories and offer data insights
- roles and responsibilities that will package all that and ensure sustainability in the long run
Later on in the process, you can also reassess the deliverables on a regular basis, to make sure that they are refined accordingly in case of scope change and that they are closed in perfect alignment with the guardians of the requirements’ implementation.
Ø Create data awareness for all the involved stakeholders by preparing and delivering data literacy packs. These packs should be incorporated into the bigger picture, making sure that all dependencies are well considered, like the stakeholders’ involvement in the different data related tracks, with different timelines and different deliverables.
Ø Identify the relevant data stakeholders by identifying the experts of the data in scope, the experts of the data related processes and the experts of the IT applications where the data can be found.
Ø Document the current state of the data by implementing a clear process that specifies the data scope, the roles and responsibilities and the tool(s) to be used for implementing that, preferably a tool managed centrally, that can be accessed by the entire organization.
Ø Validate the data delivered points against the agreed deliverables at the end of the exercise by involving the people that were part of the requirements’ definition. The organization has now a process to handle data that is part of regulatory risk reporting.
Ø Propose a future state of data maturity by performing a gap analysis between current state and data requirements, by adding the missing parts of the future data capabilities and propose an action plan to implement them.
This way, the delivered data points will cover clear report documentation, visibility on data traceability, stamped data quality and articulated ownership and stewardship.
Ready, steady, go!
This represents the minimum viable product required by the regulator on the data governance aspect of the risk reporting and data aggregation.
On top of that, this minimum setup perfectly matches the foundation of a data governance program. With this in place, the organization can move forward, evolve, be more efficient, will start getting value out of data and can better control and manage the risks.
If you are interested to find out more about how to assess your data governance maturity or how to articulate data related requirements based on regulatory generic requirements, please contact us for a free-of-charge assessment & discovery call at info@datatrustassociates.com