Geopolitical, regulatory, economic and technological factors have caused much disruption in organizations and are forcing senior business leaders to prioritize risk management to navigate these disruptions. For many data and analytics (D&A) leaders, risk management is not top of mind. In fact, Gartner’s Chief Data and Analytics Officer (CDAO) Agenda Survey for 2024 found that only 10 per cent of CDAOs in the private sector expect to focus personal time on managing risk aspects of D&A in the next 12 to 18 months.
This has opened up a dangerous gap between what business leaders in organizations expect, and what D&A leaders are positioned to deliver. Closing this gap requires action on two fronts: building better D&A risk management practices and creating a better risk-engaged culture in D&A teams.
Effective risk management is critical for business resilience and needs a risk-engaged culture. In a risk-engaged culture, risk is used to inform business decisions rather than being seen as something to avoid.
Organizations can expect many more disruptions in the future, which means taking mindful steps now to create a culture of better risk engagement offers D&A leaders the opportunity to anticipate and prepare for those disruptions. D&A leaders can begin making cultural improvements by understanding the business impact of behaviors relating to information risk repeated by people, based on their beliefs and experiences. The right balance of opportunity, risk management and culture is needed for a sustainable, data-driven organization.
Understand the Impact of Business and Information Risk
D&A leaders expect their investments to deliver anticipated business outcomes. However, many such investments (e.g., in data management, governance, analytics, business intelligence and AI) are very poorly tracked, reported and measured, falling well short of expectations. Often, this is because D&A leaders do not prioritize or have the right foundations in place for improving data-driven culture in the full context that business leaders expect.
D&A leaders must understand business value and risk in the context of their D&A strategy and operating model. On the strategy side, analyze how internal (e.g., organization redesign, M&As), external (e.g., inflation, new regulations) and technological drivers (e.g., proliferation of GenAI) change the organization’s information risk profile and impact business value propositions. This will help D&A leaders recalibrate how they use their D&A initiatives portfolio to address business outcomes. Changes can then be made to the D&A operating model through updated governance policies, risk controls, rebalancing architectural decisions, and the way that D&A projects, programs and products enable business value.
Analyzing how information risk specifically impacts business outcomes requires a systematic approach, so that D&A leaders can connect mission-critical priorities and operational processes with D&A assets and initiatives, and the D&A risks that impact business success.
Evaluate the Risk Culture
Having understood the interconnected relationship between information risk and business outcomes, D&A leaders now have to ask themselves to what extent they are a part of the problem.
D&A leaders are accountable for the culture within their D&A teams, and play a responsible role in the culture of D&A in the organization. Their leadership matters. Since data, analytics and AI are pervasive throughout the enterprise, aiming to deploy a grand plan to change the entire culture of information risk in the enterprise is unlikely to be successful. Instead, take small steps beginning with evaluating the extent to which there is a risk-engaged culture in D&A teams.
Establish a Strategy to Improve the Risk-Engaged Culture
After identifying the impact of information risk and evaluating the existing levels of risk engagement in D&A teams, D&A leaders are well-positioned to establish a plan for maturing their teams’ risk culture. However, they must encourage and incentivize those team members with higher levels of risk knowledge and risk engagement to train and develop other team members – recognizing that seniority does not necessarily imply greater risk engagement.
Design a contextual plan to drive change in risk culture. Rather than taking a single approach, explore the aggregate and individual awareness of an attitude toward information-related risk, then create a plan that helps members of the team and the team as a whole to be more risk-engaged. Design and implement risk-engagement maturity plans for D&A teams operating within business areas. D&A leaders should leverage the education and training resources they have developed in their risk management journey to help other areas improve their risk engagement.
Analyze how information risk impacts specific business outcomes by understanding and identifying the relationship between business outcomes and processes, business and information risks, and related data, analytics and AI assets. Evaluate D&A team awareness, attitude and knowledge relating to information risk, and assess the potential or actual impact this culture has on achieving business outcomes.
Saul Judah is a VP Analyst at Gartner within the Analytics Apps and Governance team focusing on information governance, data quality and information strategy. Gartner analysts will provide additional analysis on information strategy and D&A teams at the Gartner Data & Analytics Summit, taking place this week in Orlando, FL.