Executive Summary
It usually takes a scandal to spur reform. Companies are slow to address vulnerabilities until, at last, it’s too late. Today, most companies are failing to take data security seriously, and will likely pay the price — through both missed opportunities and embarrassing, costly breaches. Proactive companies should create a Data Integrity Committee on their board, following these three principles: 1) data integrity requires a cross-functional team, 2) data handling practices need to be company-wide, and 3) the Data Integrity Committee’s responsibilities should reinforce the company’s strategic goals.
Sometimes it takes something bad to instigate something good. A hard lesson — a scandal, a breach, a product failure — can make us look at a problem head-on and ask ourselves how to fix it. More often than not, we knew the problem was there but didn’t act. For example: In 1938, the SEC discovered that pharmaceutical firm McKesson & Robbins had made up the 2020 equivalent of more than $300 million in inventory and receivables. Although it was among the most brazen scams of its era, the McKesson & Robbins saga followed numerous schemes of accounting fraud during the Great Depression. In response to them, Congress passed the Investment Company Act of 1940, which recommended that companies form audit committees on their boards to oversee financial reporting and disclosure — a safeguard that later became a requirement. The mandate was clear: Corporate boards must oversee the accounting function to ensure reliable financial reporting, thus protecting free markets and guarding the corporation against bad internal actors and blind spots.
Right now, data integrity is a good that we know we need — and it’s not too late for action. The audit committee envisioned by the Investment Company Act would oversee people and process, not technology and data (the modern computer was not used for company accounting functions until 1955). Today, data integrity is foundational to advanced manufacturing, cybersecurity, and operational agility. Like financial reporting in the 1930s, data forms a central basis for profitability but lacks an honest broker. The result? An asymmetric control of information that distorts competitive decision-making both within and outside companies. Companies that want to stay ahead of the curve can — and should — proactively create a Data Integrity Committee.
Reform tends to happen only after disaster strikes, but we’ve arguably already seen the kinds of scandal that should spur this expansion of corporate governance duties. CEOs and chairpeople at companies from Equifax to Sony to Target have lost their jobs because IT breaches leaked customer and employee data. Data security breaches cost U.S. companies about $8.64 million per incident on average, according to the Ponemon Institute and IBM’s Cost of a Data Breach Report 2020. Two-thirds of leaders reported in a recent KPMG survey that they lack a high level of trust in the way their organization uses data. And in a study at Cork University Business School, just 3% of companies met basic data quality standards, hampering their ability to generate valuable data insights.
Few corporations have responded to the pervasive risks and rewards of data integrity. In most C-suites, data integrity has no specific guardian in the corporate governance structure; audit committees see it as sitting on the periphery of their financial reporting responsibilities. Industrial giants have struggled to leverage or monetize data, eroding their competitive strengths and exposing themselves to disruption from data-first tech firms such as Uber, Airbnb, and Amazon. Companies that invest in a data integrity team save $2 million per breach, according to the Data Breach Report, yet far too few institutions have one.
Reliable strength in data security, data optimization, and underlying data integrity is a reasonable expectation for shareholders of public corporations. Yet history shows that the expanded scope of corporate governance most often comes from regulation, not innovation. In this case, I believe that reliance on regulators is not the answer; the complexity of data is best grasped and contextualized by practitioners. The solution is to create a data integrity committee on corporate boards to ensure that operational data — a company’s most undervalued and risk-embedded asset, and its least-scrutinized one — is accurate, complete, and secure. The committee would protect sensitive data from internal misuse, hackers, and foreign state actors. It would hold leaders accountable for making data-driven decisions, encourage executives to leverage existing troves of enterprise data, and build defensible moats buried in the data.
You might be asking yourself, “How do I start?” Here are three guiding principles around personnel, practices, and strategic goals.
- Data integrity requires a cross-functional team.
The data integrity oversight team needs to include experts from across the company — IT leaders, managers of activities that produce the highest data volumes and the most valuable data, subject matter experts, divisional business managers, regulatory specialists, and general counsel. The team’s goal is to discern what data to collect, establish best practices for ensuring its accuracy, and set guidelines for how to value, protect, and use it to serve both stakeholders and the company. Day-to-day decision-making should not happen at the board committee level but should be overseen by the data integrity committee to which this cross-functional data-integrity team reports.
Take a global rail-services company that collects data from sensors on trains and wants to establish the value of various types of data. IT may have cybersecurity concerns about geospatial data, reliability leaders may need that geospatial data to direct trains to the nearest repair shop, and general counsel may have to report compliance for both types of data to regulatory boards and railroads. The decision about how to organize the data for streamlined reporting and business use involves stakeholders whose obligations vary and need ironing out at the highest company levels.
A data integrity team does not have to be built without a reference point. Models of best practices, such as the Data Management Association’s Guide to the Data Management Body of Knowledge, can serve as a template for building out the personnel and policies of the data integrity committee.
- Data-handling practices need to be companywide.
In the absence of a clear, companywide policy, corporate divisions are likely to act in self-interest and create idiosyncratic and divergent data-management practices. The result is often a confusing and siloed approach or the restriction of knowledge about data integrity to a single person who is unfamiliar with the procedures and risks of the broader operation.
The committee should set forth policies on internal data use and best practices, including employee training, standards for cooperating with third-party data processors, procedures for incident reviews, preparation for extraordinary risks, and even processes to revise the committee’s scope, if necessary.
The data integrity governance solution created by the committee should be ongoing and industry-specific. Ideally, it would include the input of specialists within the organization to maintain coordination of separate processes. Developing training and continuing education initiatives — both general and division-specific — makes data integrity a company priority.
- Committee responsibilities should reinforce strategic goals.
Data integrity benchmarks belong among accounting metrics and operational KPIs in measuring company health and its underlying foundation. The top-down committee perspective is invaluable when leveraging data integrity to support the strategic use of data. The committee should confirm compliance with regulatory requirements regarding data, maintenance of industry-specific data-quality standards, and diligent mitigation of cybersecurity risks. It should also monitor the quality of data used for operational decisions, confirm the diligence of activity to mine data that can produce impactful insights, ascertain the value of the company’s data investment, and understand the business decisions made to generate revenue from data. And it must bring this comprehensive view of data into top-level decision-making.
***
Data integrity, along with data protection and leverage, is the foundation of future excellence. Are our data and our consumers’ data safe? What data-centric possibilities are not visible? Better yet, what data-oriented opportunities must emerge to inspire activity? Corporate boards must take the lead in resolving these questions to bring about this new reality. After 30 years of creating and growing global businesses, I have a refined appreciation for the ability of board committees to accelerate activities within their purview. The data integrity committee would enforce a baseline preparedness in facing a threat against data integrity and ensure maximum leverage of data investments.
October 21, 2020 at 08:07PM
Your Board Needs a Data-Integrity Committee - Harvard Business Review