GRC stands for Governance, Risk, and Compliance, and the acronym is heard much more frequently these days. A GRC framework is a model for managing compliance and governance risks in a company. The framework is named GRC because many business risks have been found to originate in how regulatory compliance is managed or how data is governed (or not governed). Two related concepts come up throughout: Business Rules guide everyday decision-making within a business by defining the relationships between business objects, such as customer names and their corresponding orders. Internal Controls are the accounting and auditing processes used to ensure the integrity of financial reporting and regulatory compliance.
Startups and small companies often have few or no Internal Controls and few standardized, formalized Business Rules. Missing or incomplete GRC, Internal Controls and formalized Business Rules can result in inconsistent, disjointed processes and communications within a company. This exposes the company to risk on many fronts: possible liabilities, lost profit, decreased business efficiency and other undesirable outcomes.
Regulatory Compliance and Business Efficiency Needs Drive Data Governance
Regulatory compliance drives a lot of data governance efforts within a company, but data governance is also heavily driven by business efficiency and competitive needs. A GRC framework involves identifying the key policies that can drive the company toward its goals. By adopting a GRC framework, a company can take a proactive approach to mitigating risks, making well-informed decisions, and ensuring business continuity.
Whatever GRC and data governance frameworks a company uses, it also needs an organizational structure for managing its GRC and data governance efforts. The org structure a company uses is often dictated by factors such as the following:
- How fast the company has grown.
- How many other companies it has acquired.
- How similar the org structures of the acquired companies were to its own.
- How much effort the company puts into standardizing processes across the various parts of the company.
- The type of business space the company operates in.
- The regulatory compliance obligations the company has because of the nature of its business or the way it runs its business.
An effective GRC framework helps organizations minimize the impact of negative events while maximizing opportunities. The risk management process typically includes:
- Risk Identification: Recognizing potential risks that could affect the organization.
- Risk Analysis and Assessment: Evaluating the likelihood and impact of these risks.
- Risk Mitigation and Monitoring: Developing strategies to reduce or manage the risks and continuously monitoring their effectiveness.
Some Companies Have No Specific GRC Roles
Most companies have the roles of CEO, CTO and CIO. But many companies do not have the roles of CISO (Chief Information Security Officer), CDO (Chief Data Officer), CAO (Chief Analytics Officer), CDAO (Chief Data and Analytics Officer), or CAIO (Chief AI Officer). Given how important proper data management and regulatory compliance management are today, many companies are evolving to include these additional roles.
Common Organizational Processes Used for Corporate Data Governance
Establishing effective data governance is crucial for organizations aiming to manage their data assets efficiently. The structure of a data governance program can vary significantly based on organizational needs, size, and culture.
- Data Governance Charter: a document that outlines the core strategy and process for exercising control and authority over an organization's data assets.
- Data Governance Board: a governing body responsible for setting data governance policies, prioritizing projects, approving organization-wide data standards, and ensuring trusted data delivery across the enterprise. Also known as a data governance council or committee.
Recommended Organizational Structures for Data Governance:
1. Centralized Data Governance Model
In this model, a single entity or individual oversees all data governance activities. This approach is characterized by:
- Decision-Making Authority: A designated data governance lead or council makes key decisions regarding data policies and standards.
- Benefits:
- Consistency: Ensures uniformity in data management across the organization.
- Quality Control: Facilitates better decision-making through standardized data practices.
- Security: Enhances tracking and security of data assets.
- Risks: May lead to rigidity and slow response times to business needs.
2. Decentralized Data Governance Model
This model distributes data governance responsibilities across various business units, allowing for localized decision-making. Key features include:
- Local Management: Each department manages its own data sets and governance strategies.
- Benefits:
- Flexibility: Adapts quickly to specific departmental needs.
- Improved Representation: Incorporates diverse perspectives from different units.
- Risks: Potential for inconsistent data practices and duplication of effort across units.
3. Hybrid Data Governance Model
Combining elements of both centralized and decentralized models, the hybrid approach offers flexibility while maintaining some level of oversight. Characteristics include:
- Framework with Local Autonomy: A central body provides guidelines and best practices, while departments have the autonomy to manage their own data.
- Benefits:
- Balances standardization with responsiveness to local needs.
Summary
Selecting the appropriate organizational structure for data governance depends on various factors including company size, culture, and specific goals. Whether centralized, decentralized, or hybrid, each model has its advantages and challenges. Establishing a Data Governance Council and clearly defining roles can significantly enhance the effectiveness of any chosen structure.