What does a good data governance report look like? How do you make sure it’s on the board’s agenda?
The following table outlines key considerations. It is not intended as an exhaustive checklist; rather, it aims to trigger conversations at senior management and board level about good data governance, and to prompt consideration of both opportunities and threats across 'preparedness stages' (the columns) and 'capability dimensions' (the rows).
The table gives a small set of example questions for assessing opportunity or threat in terms of organisational capability. The 'recovery' stage also covers continuous improvement and organisational learning.
The table is framed from a 'risk' perspective, but it can equally be read from an 'opportunity' perspective, in which case 'recovery' may be replaced with 'learning'.
| Issue | Awareness / Maturity | Planning | Preparedness | Response | Recovery |
|---|---|---|---|---|---|
| Information capabilities | Is the current state known, visible and documented?<br>Is there an inventory of critical assets (including data, systems and infrastructure)?<br>Do metrics exist and are they being monitored?<br>What is being communicated? | Is there a plan or strategy for assets?<br>Are there policies covering establishment, procurement, implementation and acceptable use?<br>Are there risk assessments?<br>What is being communicated? | Is there a plan or strategy for business continuity in the absence of assets? | Are incident response plans in place and accessible? | What concludes an incident?<br>How are learnings captured and communicated?<br>How are impacts measured?<br>What changes need to be made? |
| People capabilities | What skills are needed?<br>Are specialist roles or responsibilities needed?<br>Are staff aware of risks? | Do plans identify who is accountable?<br>Do plans identify training needs or skills gaps?<br>Are plans communicated internally and externally? | Who are the relevant contacts?<br>Are people educated or trained?<br>What scenarios are considered? | Are roles and contacts for incidents identified and contactable?<br>Are backup plans in place for relief?<br>Are internal and external communication plans in place?<br>Are rosters needed? | How is the recovery of internal and external people assessed?<br>What additional help is needed?<br>How do people know 'we're back to normal'?<br>How is feedback captured? |
| Process capabilities | How do new risks and threats get identified?<br>How do new risks get assessed? | Do possible impacts form part of an overall business approach? | | Are escalation and notification requirements known, accessible and documented? | Are learnings documented to feed into continuous improvement? |
| Technology capabilities | What is the technology portfolio?<br>What monitoring exists? | Are relevant documents, systems and procedures easily locatable and accessible?<br>Are there backups?<br>Are systems designed on 'privacy by design' and 'zero trust' principles? | Have backups been tested?<br>Are regular tests conducted?<br>Do systems raise automatic notifications when thresholds are exceeded? | Is mobility available (hardware and networks) if an alternative or 'on location' response is needed? | Do learnings feed into improvements? |
| Governance and accountabilities | What does the board need to know and do?<br>What does senior management need to know and do?<br>When do things need to be escalated from one to the other? | Are roles and accountabilities clear and measured?<br>Is insurance available or needed? | Is the insurance cover fully understood?<br>Are board and management roles defined for BAU and incident scenarios? | Are claims filed promptly?<br>Are communication lines and roles to internal stakeholders executed?<br>Have legislated notifications been issued (data breach, market announcements)? | Are learnings valued as an asset?<br>Are identified necessary changes implemented and monitored through to execution? |
| Supply chain capabilities | What is the contract and supply chain landscape?<br>Is there concentrated reliance on single providers or countries? | Are roles between suppliers and the organisation clear?<br>Are service levels defined and monitored? | Do escalation clauses and responsibility matrices exist?<br>Are out-of-hours support and response capabilities known?<br>Are the financial impacts of out-of-hours support known? | Are direct lines and methods of communication and coordination in place?<br>Can responders be co-located if needed? | Do contracts and service arrangements require amendment or clarification? |
Courtesy: Karin Geraghty FGIA FCG, Principal Consultant, Stratdigi
For any assistance with addressing the data governance needs of your organisation, do not hesitate to contact your local PKF Audit and data governance expert.