Data governance and the board

An interesting feature of the survey results is its insight into boards and other organisation leaders' understanding of ‘data governance’. Significantly, there was strong consensus in this area, with 70 per cent agreeing that data governance formed part of ICT governance, with a further 68 per cent agreeing that it relates to privacy and security and 68 per cent agreeing that it forms part of information and records management. 

But there was no such consensus when it came to the more contentious issue of whether the board has ‘sufficient’ understanding of the organisation’s current data governance strategies. Fifty-eight per cent of respondents said ‘no’ to this question. It would have been useful to have also seen how the ‘yes’ and ‘no’ responders align with specific industry sectors.

The main reason for this lack of understanding is perceived to be a lack of formal technology skills and education (51%). This is reassuring as it reflects an understanding of the complexity of data governance and the need for specific education. However, it is relevant to note that the reason of ‘lack of confidence’ in dealing with data governance scored is only 34 per cent, suggesting the level of training and capability is not necessarily aligned to confidence in this area.

A second cluster of reasons for a lack of understanding relate to priorities. Data governance not being a priority of boards and the board having more pressing prioritises both scored 39 per cent, presumably from the same responders as these options are probably related. A common reason for a lack of board action is a lack of consensus. In the case of data governance, only 22 per cent of the no responders cited different opinions about strategy or approach as being a reason for a lack of understanding.

Understanding of data assets

While boards and organisations lack an understanding of data governance, a clear majority of respondents (61%) were of the view that their board understood the organisation’s most important data assets and how they are protected. Such confidence was strongest for ASX listed companies and lowest for non-profit and government organisations.

The value of data

There are a range of reasons why data is valued by organisations, some relating to intrinsic value and other relating to perception and reputation. Seventy two per cent of respondents believe data is a ‘core business asset’, echoing the often-quoted Clive Humby words ‘data is the new oil’. However, only 47 per cent rated data as a ‘financial asset,’ suggesting that the value of data is larger than its commercial value. This is supported by the fact that 41 per cent believe its value to be intangible. The much-publicised reputational risks of failing to responsibly deal with data is, not surprisingly, reflected in the 62 per cent who cited reputation as a facet of data value.

Reporting to the board

Concerns have been raised in the mainstream media and scholarly literature as to the lack of board oversight of data-related decisions. There is concern that important data related matters are routinely made by technical experts with limited understanding of relevant laws and principles of accountability and transparency. On the whole, the findings of this survey justify this concern.

While an overwhelming 71 per cent responded that their organisation’s data governance was ‘linked’ to the organisation’s overall governance and risk management strategy, there was no such consensus on the related question of reporting to the board. Fifty-one per cent responded that data governance was not reported to the board. This suggests that while there may be some formal mechanisms for reporting to the board, this is not happening in practice. This is a concerning revelation.

The above problem is exacerbated by the fact that a staggering 78 per cent of those responsible for data governance only report to the full board on a quarterly or less frequent basis. Given the substantial damage that can be caused to individuals through data mismanagement or breach, such lack of regular oversight is of concern. Thirty-six per cent of those responsible for data governance only report to the full board on a quarterly basis, with 20 per cent doing so annually and 16 per cent doing so bi-annually. Seven per cent report less than once a year (Figure 5 below).

Use of a data governance framework

Compounding this lack of reporting, is the lack of data governance frameworks. Only 46 per cent of respondents reported that their organisation has a data governance framework. Lack of capacity was the clear reason for this failure (64%). While the nature of this lack of capacity is not interrogated, the fact that only 25 percent said it was due to a lack of skill may suggest it is a problem of inadequate financial investment. This is consistent with prevalent organisational under-investment in other data related areas such as cybersecurity.

Impact of data breaches on data governance

The reputational damage caused by highly publicised data breaches may opportunities greater action on data governance in the future. Fifty-six per cent responded that the management team or board has ‘changed … data governance since the Medibank, Optus, Latitude data breaches’.

For any assistance with addressing the data governance needs of your organisation, do not hesitate to contact your local PKF Audit and data governance expert.