If I were to ask, “Do you know, worry about, or understand data risk as it relates to your job or organization?”, most people might switch off immediately.
This question contains two words that many struggle to fully comprehend: data and risk. Sure, everyone knows what data is at a high level and uses it daily, but do they truly understand how data works, how it is stored, or terminology such as data management, data lakes, or data fabrics? Probably not.
Risk adds even more complexity. While most people can complete the sentence, “Within my day-to-day job, there is a risk that…,” they can become confused when the conversation shifts to risk management or enterprise risk.
I come back to the same conclusion repeatedly: Are we asking the wrong questions? Working in data risk, I constantly challenge myself to simplify data risk so that, first, people understand it, and second, they care about it.
I find it helpful to start with simple questions that almost anyone can relate to. Whether you’re a senior executive responsible for a part of the organization, someone managing the data, or a user of data (e.g., data entry clerks, data analysts, or front-line associates), consider the following questions:
- Do you ever worry that your data might be hacked or accessed by unauthorized persons?
- Data ransom is a new threat—hackers can hold your data hostage. Does that concern you in your role?
- Do you worry that the data you use is incorrect and could negatively impact processes, customers, or colleagues?
- Are you interested in using more AI but worry that it could introduce trust or ethical issues?
If you answered yes to any of these questions, then you care about data risk—and there are many more questions to be asked!
By asking questions in a language others can clearly understand and analyzing the responses, we can identify the specific data risks relevant to your organization. Taking this further, what if we ask more detailed, business-specific questions in each department? This could help uncover data risks in a way that resonates with your team and even guide proactive actions.
Now, if I were to explain data risk in a more complex, technical way—“You need to implement data risk using a risk framework with a defined risk library, taxonomy, and a set of controls to manage and mitigate those risks, followed by an issue management process…”—would it resonate with you? Or would you tune out?
I certainly would. After years of writing and managing risks at the business level, and later implementing data risk frameworks, I’ve seen firsthand how time-consuming and ineffective this process can be. Simplifying this, using everyday language and focusing on the business impact of data risk, would be a huge improvement.
Finally, data risk is becoming ever more prominent. Any organization that aspires to be data-driven should care. The increasing number of high-profile data ransoms and breaches hitting the news daily should be enough to make anyone sit up and take notice. New risks, such as those introduced by cloud technologies and AI, create even greater exposure.
If this has sparked any thoughts or interest, please reach out. There is undoubtedly a better way to manage data risk and make it more accessible for everyone. And if this approach works, why not apply it to other difficult-to-understand risks, like AI?
I would love to hear your ideas and thoughts!
A Personal Perspective on Data Risk by Caroline Lewis