What the CEO needs to know about data
December 2016 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
It is time to put data in a less technical and more current and urgent context. The risks to an organisation’s reputation and sustainability posed by cyber threats (e.g., exposing sensitive customer information, disrupting critical business processes, and stealing intellectual capital) are too great to continue the current siloed approach to managing the enterprise’s technical and information assets.
Over the years, several C-suite functions have been created for a variety of reasons: everyone is doing it; it seemed like a good idea at the time; or, a regulator or reputational issue required it. Even when the new position seemed important and it might help, most surveys indicate that CEOs do not think these positions have delivered any real value to the enterprise and that their holders have not been accepted by their ‘peers’ in the C-suite.
Unfortunately, based on the recent performance of Chief Data Officers (CDO) it does not look like this potentially strategic new function is going to fare any differently – at least not how it is currently being implemented.
So where to begin?
If the organisation wants a unified vision for its technology and information assets, the CEO needs to create one, and then hold one person accountable for defining and overseeing the resources necessary to achieve it. The need to respond to the very real dangers posed by the rising frequency and complexity of cyber threats provides the ‘crisis’ opportunity to make the necessary organisational changes to finally get control of the enterprise’s data.
If the organisation wants a ‘C’ position to be effective then she needs to really be a ‘chief’ and occupy a seat at the CEO’s table, and given how few people actually sit at the table there is more than enough room for the right person. The fact that most organisations have chiefs not in the C-suite or reporting to the board is probably a good indication that they are not considered strategic to the future of those firms. Based on the position description, the one that seems to make the most sense to assume this responsibility is a new one: the CDO.
It begins with recognising that: (i) data has no intrinsic value except to support business decisions and processes; (ii) technology and infrastructure have no intrinsic value except to deliver customer value; (iii) applications and analytics have no intrinsic value except to capture the data and deliver the information that supports the business model; and (iv) governance, risk and compliance activities have no intrinsic value unless they produce measurable results.
While the responsibilities of a CDO seem fairly well-defined, opinion is split when it comes to where she should be positioned in the organisation, if positioned there at all. Some industry experts suggest that the chief data officer position should reside alongside the chief information officer or the chief technology officer. Early adopters of the CDO position tended to place the role under the CIO, or somewhere else in IT, and on occasion under the CFO.
More recently, the argument has been raised for the responsibility to be moved out of IT and under the COO or into the business side of an organisation where the ownership of data and systems really reside. Even more fundamentally, there are those that argue that the CEO as the ‘chief decision officer’ is responsible for creating and sustaining the enterprise’s strategic view of data, and thus needs help to understand this role or be replaced by someone who does. In this last instance, the CDO is more of a contracted position that works with the CEO to identify and implement the necessary changes, and their success is measured by the CEO not needing to renew the contract.
Governance – necessary but not sufficient
The term ‘governance’ has been a hot consulting topic for years and is generally viewed as covering all the processes that coordinate and control an organisation’s resources and actions, which includes ethics programmes, resource-management processes, accountability and management controls. Historically, good governance is considered an attribute of the management of the firm, or policy of the government, as reflected by successful outcomes. However, in almost every case it is the quality of the leader, not the size, composition or diversity of the governing committees, that is credited for any positive outcomes, while the committees are blamed for any failures. In the end, someone has to make the decision and be accountable for its outcome, and committees usually operate by consensus recommendations, meaning no one person on them can be held, or actually even feels, accountable.
Meaningful data governance is defined as the overall management of the availability, usability and security of the data used in an organisation. However, while it has always been the case, firms only recently have begun to realise that data is an enterprise asset and cannot be left in isolated silos and managed in a way that does not consider upstream and downstream business and customer impacts.
Billions of dollars of misallocated capital and hundreds of millions of dollars of costs have been attributed to bad data. These are hard dollars that do not include the reputational, business and stockholder impact that could also be attributed to decisions based on bad data. There have been various attempts over the years to address the issues caused by ‘poor data governance’ and currently the CDO is the most popular term to describe the person designated to govern the enterprise’s data.
But, as has become apparent, from an enterprise perspective only the CEO can really assure that data gets to the right person, at the right time, and in the right form to be actionable. For those that truly ‘get it’ but did not previously have a ‘crisis’ they could exploit to drive the necessary change, now is a great time to act.
Déjà vu or the opportunity to get it right
The latest ‘crisis’ event that institutions have to deal with is how to react to the real threats posed by the increase in cyber attacks. From a risk-based approach, the proper response and budgeting should be directly related to understanding and protecting the organisation’s most valuable data and the systems that create or use it. The latest C-suite entrant created to deal with this crisis is the chief information security officer (CISO). Despite the almost daily headlines, and maybe because of the sense of inevitability they may be creating, that job is also starting to lose relevance and budget – despite a few headlines to the contrary. However, unlike the other reasons for a C-suite creation, this one actually is important to the survival of financial institutions given the greatest threat to these firms is destroying the integrity of the data in their systems.
While annual cost estimates of cyber attacks vary widely from $100bn to $1 trillion, there are clear signs of the growing cyber threat, both in terms of sophistication and complexity and a disturbing shift to more destabilising motives from monetary ones. Based on several recent regulatory assessments of the threats and vulnerabilities of the sector, it is time for CEOs and boards to be more proactive. Unfortunately, due to the lack of data sharing necessary for accurate cost and impact assessments, the propensity of some to hyperbole, and the fact that no one has brought down the system or a piece of the critical infrastructure yet, all seem to be undermining the sense of urgency necessary to meaningfully address the threat.
There are examples of cyber attacks that: use social media to manipulate stock prices; simultaneously compromise thousands of a bank’s computers to steal and then delete data; conduct extended disruptions of ATMs and online portals cutting off public access to funds; secretly steal and wire money from corporate accounts that go undetected for weeks; and inject software in our most secure systems that remains hidden for months or years, stealing customer and business data while looking for weaknesses that can be exploited in the future.
The financial regulatory community is also struggling with how to help the vast majority of smaller institutions without dedicated cyber expertise respond to the growing threats, and is under increasing criticism for vague, overlapping and contradictory guidance that is diverting resources to compliance activities that do not reduce actual risks. As for those relatively few experienced CISOs that do exist, they are primarily technical and come from the intelligence community, have to rely on the business units to identify and prioritise the data and systems that need to be protected, and then have to rely on the CEO to support and implement the required security measures. Once again, the data that needs to be protected is housed in multiple lines of business and supporting systems, and not under the control of any one individual – except the CEO.
Given the primary reason for a CDO is to bridge business and IT and make sure the organisation monetises or optimises the strategic value of its data, the need to respond to the increase in cyber threats is a perfect time for CEOs to reorganise around this role to assure they get the advice and support they need to protect their organisations.
A prudent risk-based approach to the identification and protection of high value data assets requires a unified strategy; however, very few C-level executives have the business experience and skills to do so. At the same time, because markets continue to evolve, businesses must continue to evolve, meaning data that has decision and business value today may not have any value tomorrow – or conversely much more. Trying to hold a set of ‘non-executives’ scattered throughout the organisation accountable for how the business decides to value, manage and protect its data is not going to work, because the only one who can hold a business unit accountable on really anything is the CEO.
As headlines continue to push data quality, availability and security up the list of key C-level and board priorities, the importance of having the skills and experiences in the job descriptions of today’s chief data officers becomes more apparent and imperative. This individual requires a unique blend of domain, business and technical capabilities to carve out a successful career and deliver real value to their institutions.
Therefore, the route to this role requires developing or finding people with experience in all the key parts of an organisation – a proven leader with a hybrid understanding of the domain, risk management, marketing, IT and finance – who can hold their own in the C-suite. In other words, someone from the pool of potential future CEOs – those who are now coming of age in a world dominated by data, analytics and technology. The ultimate measure of success may be that there is no need for the CDO role in a few years, or that this role is truly a part of the C-suite and one of the final proving grounds for an institution’s next CEO – the organisation’s only chief decision officer.
Dr Shaun Brady is a leadership consultant. He can be contacted on +1 (410) 212 2013 or by email: firstname.lastname@example.org.
© Financier Worldwide