Wednesday, August 3, 2022

A Future-Oriented Approach

Enterprises take on a wide range of projects in the name of “Digital Transformation”, or seek to set up programs for Data Governance, Master Data Management, Data Catalog, Business Glossary, Data Protection, Data Strategy, etc.

However, legacy systems and technical debt continue to impede many organizations' efforts. And any attempt to use such a burdened environment as a launchpad for future-proof “data” projects and programs is most likely doomed to fail.

Recommendation

The future of informational infrastructure needs to be based on a business-data-driven reference system with well-defined, distinct responsibilities. Prerequisites are

Here is the industry-agnostic approach that I propose:

  1. For each business unit, record the major organizational processing activities
  2. For each processing activity, record the major created & updated (business) data structures
  3. With recorded data structures, derive (business data) entities & relationships
  4. With entities & relationships, build the Enterprise Information Management Map (= high-level concept model)

  [Figure: Example of High-Level Concept Model in Liability Insurance]

  5. In the Enterprise Information Management Map, identify master entities and the relationships among them
  6. In the Enterprise Information Management Map, assign responsibility for modeling master entities & relationships to the Chief Data Office(r) as their Data Domain Owner
  7. Divide the Enterprise Information Management Map by grouping all other entities & relationships into distinct data domains based on similar processing activities, and assign modeling responsibility for each data domain (= Data Domain Ownership) to exactly one business division [Note: If necessary, restructure processing activities in a way that each data domain and its creating / updating processing activities belong to only one responsible business division.]

[Figure: Example of Data Domains in Liability Insurance]

Result

The above approach introduces a reference structure in which each data domain within the enterprise concept model is represented by exactly one business division that is responsible for developing & maintaining the related business data names, descriptions and constraints for business entities, attributes and relationships.

Outlook

In subsequent posts I will elaborate on this frame to show how to advance enterprise-beneficial data programs and projects.

Sunday, January 16, 2022

Risk Management

Organizations are exposed to business risks in varying degrees. These risks can be categorized as:
  • Operational / strategic risk, which includes anything that could impede the organization's performance due to
    • external events (e.g. pandemics, natural catastrophes, climate change)
    • internal events (e.g. labor issues, strike)
    • technology problems (e.g. increasing technical debt)
    • vendor choice / turnover
    • security issues (e.g. CyberSecurity)
  • Reputational risk, which summarizes potential harm to the organization's
    • internal perception by its employees and shareholders
    • external perception by customers and the general public
  • Compliance risk, which is related to the organization's responsibilities under applicable laws and regulations
  • Environmental, Social and Governance (ESG) risk, which pertains to the organization's business ethics and practices (e.g. environmental management, respect for human rights, anti-bribery/-corruption, financial reporting)
Since risks often affect multiple business units or the whole organization, it is important to centralize risk management, i.e. the responsibility for identifying, assessing and mitigating threats that may significantly impact the organization in its ability to conduct its current and future business. Particular attention needs to be paid to cumulative risks, i.e. the organization’s total exposure that arises from the existence of several parallel but independent risk factors with the same impact (e.g. several vendors that process personal data on behalf of a certain organization could independently suffer a data breach).
 
Risk management is typically headed by a corporate executive, the Chief Risk Officer (CRO). Small and medium-sized organizations may not establish a separate position for risk management, but instead assign the related responsibility to another executive (for the sake of simplicity, hereinafter also called “CRO”). The CRO should ideally report to the CEO or the Board. As most of the risks have a financial impact, the CRO may instead report to the Chief Financial Officer (CFO).
 
Having a horizontal responsibility (like the CFO, Chief Human Resources Officer (CHRO), or Chief Data Officer (CDO)), the CRO needs to be an excellent communicator and influencer.
 
The CRO’s responsibility includes the following tasks of risk management:
  • Document process maps with a focus on risk to both information and material, both in transit and at rest
  • Analyze the organization’s risk profile in terms of potential operational, strategic, reputational, compliance and ESG risks
  • Identify risk factors that could have the same impact 
  • Determine and quantify the organization's risk appetite
  • Develop action plans to mitigate risks to the organization – both strategic and tactical
  • Seek insurance coverage for remaining risks 
  • Integrate risk management priorities into the organization's overall strategy
  • Plan and oversee budget for risk management and related projects 
  • Monitor the progress of risk mitigation efforts
  • Communicate risk analysis and mitigation progress to the organization’s executives, board members and heads of business units