Description:
In this episode, Michael Rasmussen, an expert in governance, risk management, and compliance (GRC), discusses the importance of data GRC in today's evolving landscape. You will learn:
- why the need for integrated data governance strategy and technology utilization is more important today than ever
- the changing role of the Chief Data Officer in leading data GRC efforts
- what challenges CDOs face in data governance, including data discovery, lifecycle management, and access control
- some of the recommendations for prioritizing data GRC, building frameworks, and leveraging technology
- how to make a business case for data GRC and what cost considerations you should consider
WHITEPAPER
A New Focus on Data GRC
The complexities of business demand a new paradigm in data governance strategies. To stay relevant and compliant, your organization will need to focus on governing and managing its data effectively now more than ever. This whitepaper will help you build your enterprise governance strategy. Download to learn:
- Data GRC Management by Design
- The Role of Data & Data Processes is Changing
- A Framework of Data GRC Processes
- The Data GRC Information & Technology Architecture
Speakers
Michael Rasmussen
Governance Expert
GRC 20/20
Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on enterprise GRC strategy and processes supported by robust information and technology architectures. With 30+ years of experience, Michael helps organizations improve GRC strategy and processes supported by the correct GRC technology architecture.
Marie Patterson
Chief Marketing Officer
Archive360
Marie-Charlotte Patterson is the CMO of Archive360. As a pioneer of measurable ROI-based marketing automation, digital marketing and content marketing, Marie has spent the past 20+ years helping international and US software companies in the digital archiving, governance, risk management and compliance sectors transform, grow, and define and dominate their market sectors.
Transcript
Marie Patterson:
Welcome to Archive360 Data Governance 360 podcast. This week's episode is titled Taming the Data Beast, an Introduction to Data GRC. My name is Marie Patterson. I'm the chief marketing officer here at Archive360. Joining me today is Michael Rasmussen, an internationally recognized pundit on governance, risk management and compliance, otherwise known as GRC. And he's the lead analyst at GRC 20/20. Welcome, Michael.
Michael Rasmussen:
It's a pleasure to be here, Marie.
Marie Patterson:
Well, great to be talking with you today. Michael, thank you for taking the time to join me on our podcast today as we start to delve into the fascinating topic of data governance. Let's start with some background on today's subject, which is GRC, governance, risk management and compliance. Could you give me a quick introduction, please, to what it is and why and how organizations are concerned about GRC today?
Michael Rasmussen:
Certainly, I mean, governance, risk and compliance is broad; it crosses the organization. I've been interacting with GRC for 22 years. On a cold snowy day in the Chicago office of Forrester Research, I defined a model, a market for technology, and labeled it GRC, being called the Father of GRC. But I work closely with OCEG, working on the OCEG GRC Capability Model and the GRC professional training. At the end of the day, GRC isn't something organizations buy, it's something they do. Technology helps make GRC processes more efficient, effective, and agile as well as resilient. But the reality is governance and management of risk and compliance are activities of the organization that have existed for a long time in the organization, but the organization is rather fragmented. So we talk about GRC by the official definition, GRC and the definitions from the OCEG GRC Capability Model.
GRC is a capability to reliably achieve objectives. Let's stop there. The reliable achievement of objectives, that's the governance function, that's the G in GRC, they can be entity-level objectives. They can be department, they can be process, they can be project, they can be like a relationship level, they can be asset, like data-level objectives. And so first off, we reliably achieve objectives. So GRC is the capability to reliably achieve objectives, that's governance. Address uncertainty, that's risk management. ISO 31000 the international standard on risk management says risk is the effect of uncertainty on objectives.
And so we have context there. And the C is to act with integrity. So GRC is a capability to reliably achieve objectives, address uncertainty and act with integrity. That integrity is more than just regulatory compliance; it includes compliance to the values and the ethics and the ESG commitments and all those of the organization as well. And so GRC is really three legs to a stool that all support each other, and we can support it from an enterprise perspective, which requires collaboration across different departments and functions. But then there's GRC applied to very specific areas like data GRC or identity GRC or IT GRC or supply chain, vendor, third party GRC. Does that fill your question there, Marie?
Marie Patterson:
Yeah, absolutely. But before we dive into data GRC that you already brought up, just for those who don't know, you mentioned OCEG. What does that acronym stand for, Michael?
Michael Rasmussen:
The Open Compliance and Ethics Group. It's a non-profit organization that really is aimed at promoting GRC, and it has the only publicly vetted GRC standard that's built from a wide range of other standards and frameworks. So sort of an amalgamation of those.
Marie Patterson:
Got it. That's great. Thank you. So let's get back to data GRC. So first of all, what is data GRC? I mean, you've given us the framework for what GRC is and the fact that it's not technology, it's the way in which an organization behaves. So thinking about data specifically, what's that about? Give us the high level introduction to data GRC.
Michael Rasmussen:
I would love to. Now, data GRC is absolutely critical because if you think about it, the modern organization is what I call navigating chaos. It's changing minute by minute, second by second. Laws and regulations impacting data are changing, along with enforcement actions, expectations, and standards and frameworks; the external risk environment's changing in which data is used and needed, but the internal business environment's changing too: employees change and their access to data changes, and sometimes they have inherited rights issues and all this other stuff. And then the processes around data change and technology around data changes, and we have third party relationships, vendors and suppliers, and their access to your data evolves and changes. And then you have the world of AI and its use of data. The modern organization when it comes to data is like navigating chaos and trying to monitor all these complex interactions and access to data within the organization.
And we need to be able to ensure, going back to the traditional CIA acronym, confidentiality, integrity and availability of that data and making sure of its proper use. So leveraging the OCEG definition of GRC, that GRC is the capability to reliably achieve objectives, address uncertainty, and act with integrity. To me, we adopt that for data GRC. And so in that context, we need to be able to focus on an integrated data governance strategy and process supported by technology, to be able to address these complex relationships of data. Data governance to me is the ability to establish direction, strategy, an ontology and the information architecture for effective data management, ensuring data supports the business objectives and the reliable achievement of those objectives.
Data risk management, the R in data GRC is about identifying, assessing, and mitigating, and we can also say monitoring uncertainty associated with data, the management of data and the usage of data. Data compliance is about ensuring the organization acts with integrity around data, fulfilling its regulatory, contractual as well as self-imposed data-related obligations and commitments. So to me, data GRC is the capability to reliably achieve objectives with data, address the uncertainty and risk around data and act with integrity in the use and disposition of data throughout the organization.
Marie Patterson:
That's a really great delve into the topic. Earlier this year though, you presented a webinar with Archive360 where we were talking about the new data governance risk and compliance imperative. So the new imperative. I guess my question for you, and you've already touched on this a little bit, but what's new about data GRC today than say if we were having this conversation two years ago or even just a year ago?
Michael Rasmussen:
I would say it's a lot of the same problems that have been exemplified in growing with the volume of data itself and its access and use. We have a lot of structured data risks around data breaches, the possibility of data corruption, the reliability of data. We have unstructured data risks around data leakage and compliance around unstructured data. We have communication messaging data risks, like eavesdropping and interception risks and compliance violations. We have data risks posed by artificial intelligence, which has been around, but it's been more of the hot topic this last 12 months where it's become much more of a risk where the leveraging and use of data by AI includes things like bias and decision-making and data privacy violations with artificial intelligence and even intellectual property issues around the use of AI and particularly generative AI out there in the environment.
Now there's other data governance, risk and compliance risks as well as such as inadequate data governance policies and mismanagement of third party data governance and noncompliance with continuously evolving regulations and not just the regulation itself. Maybe that regulation hasn't changed in the last five years, but the enforcement of it evolves over time as well. So organizations need good strong structured processes supported by technology for the discovery of data, the overall collection of data, the management of data, as well as the access to data and the analysis and use of data.
Marie Patterson:
So I totally get that. And you've touched here on some of the key risks, things like data breaches, growing volumes, the implications for AI, that effect on intellectual property and the changes in the regulatory environment. Are those really the things that are driving what we're seeing in terms of the interest today and the adoption of data GRC or is it going beyond that? What do you think are some of the key drivers today within the organizations that you speak with?
Michael Rasmussen:
Those are the key drivers, but it's also much more than that. So the range of data risks, what I mentioned around structured and unstructured data, the communication messaging risks, AI and the overall governance risks, those are key. But added to that, I mean, you've just got the challenges in organizations just to keep up with this. Do we have the right staff? Do we have the time? How are we doing risk assessments around this? How are we enforcing our data governance policies, our disposition policies? All these are critical because the organizations are continuously behind, and now, as we've had shadow IT for several years, that's evolved into the world of shadow data and also now shadow AI, where people in the organization, employees, are going out and accessing AI and stuff and leveraging the corporate data in AI that hasn't been approved and putting the organization at risk.
And so the intersection of all these risks, the exposures growing exponentially year over year, month over month. At the same time, the organization typically lacks the resources and tools to be able to do anything about it. And so it's time that we build a strong governance strategy for data that's supported by core processes and technology like Archive360.
Marie Patterson:
Okay. So when it comes to the data itself though, Michael, and you touched on it a tiny bit and you started talking about different data types. Just so I'm clear and everyone listening to the podcast is clear, what data are we talking about here when we're looking at data GRC? I'm assuming it's more than just email data, is that correct?
Michael Rasmussen:
Oh, definitely. I mean, email data is important, and messaging data, but also the structured data within applications and databases and the unstructured data out there within documents and spreadsheets and things; all that's absolutely critical. How that data plugs into data lakes and how that data plugs into AI and gets leveraged and used and the disposition of it, all that's absolutely critical. So organizations really need to be able to identify the indicators of the use of data and its potential impact on the organization. We need to bring frontline data-related activities and teams broader awareness on this topic.
We need to really define and monitor controls around data, understand the legal requirements around data as it crosses all those areas of structured to unstructured, to AI, to messaging and email. It's absolutely critical. We need to monitor regulatory compliance and not just the regulation itself, but how that enforcement of that regulation, how it's being interpreted by courts and regulators is being applied. And we see significant areas of how that's evolved like with the EU GDPR over the years. And we need to make sure that we design our data GRC programs supported by technology that can address this.
Marie Patterson:
So when it comes to technology though, and you mentioned when you were describing some of the key risks in terms of different data types, this notion of shadow IT, what do you think are some of the greatest data governance challenges that organizations faced in terms of technology?
Michael Rasmussen:
Data governance... I mean, organizations need data GRC management technology and systems that can enable data discovery management, to enable the organization to know what data it has, where it is, its context, and how it should be managed; to structure the overall data management process where we can manage and integrate information across various data processes; and to manage data in storage and data storage management. That includes the capability to move inactive and compliant data from operational systems to a perhaps lower cost, more secure centralized repository for easier discoverability, management, enterprise analysis, as well as security.
Address integration to ensure seamless interaction with other technologies and competencies within the organization to provide cross-system visibility and control of your organization's data. Have strong content workflow and task management around data governance; provide information and data governance and classification, which provides a modern, actionable, enterprise-class data inventory; have a policy engine that leverages that information classification to drive and monitor the user activities around that data and to ensure compliance and control. All these are absolutely critical. Of course, then data analytics and modeling, and I mean, I can go on and on on this.
Marie Patterson:
Absolutely, absolutely. One of the questions I had was around the role of the chief data officer, because what you're talking about here, Michael, is clearly not just a technology issue, is it? There are many other teams within an organization that need to be involved. So can you talk a little bit about that, about the role of different organizations, and maybe touch on what you're seeing with this continually evolving CDO role?
Michael Rasmussen:
Yeah, that chief data officer has to be the central linchpin of data GRC, but that role needs to be a good facilitator and collaborator with other roles such as legal and compliance; HR, dealing with HR data; AI teams now with the AI use of data. I mean, there's a variety of roles that need to be part of this process. And to me, that data governance officer, that chief data officer, is the one that leads this collaboration with legal and compliance, with records management, IT in general, audit and assurance that provides validation and assurance around the use of data, e-Discovery teams, privacy, security, the enterprise information architecture, the group responsible for cyber and operational resilience, the data and content owners out there in the business as well as application owners. All these are critical roles that the chief data officer has to continuously collaborate with and facilitate with in a data GRC strategy.
Marie Patterson:
So at the beginning of our discussion when you were outlining what GRC is, clearly it's a very wide-reaching initiative within an organization, and data GRC makes up a part of that overall strategy. Given priorities for organizations as they think about their data GRC plans and start to prioritize, what do you think some of the key plan or strategy elements or initiatives should be? And maybe for those that are somewhat getting started, I doubt there are that many organizations that don't have some level of data GRC strategy. But thinking about it in terms of priorities, what would your recommendations be? And particularly what might some of your conversations be as you are advising clients today?
Michael Rasmussen:
Wow. To me, it would be define what that data GRC strategy is. How it integrates with broader enterprise GRC strategy and supports that? Who's responsible for the data GRC strategy? Like that chief data officer we talked about. What other roles and departments are involved, and then really build out the framework and data GRC processes that govern the data in the organization. And that includes the data discovery and classification to identify and classify data from its various diverse sources and ensuring metadata is accurate, so dark data can be exposed and managed appropriately. Also have challenges around data sovereignty requirements in that area. So data discovery and classification is one area. And then move on to data collection management, which is a component following of the broader lifecycle management of data. But we want to ensure that legal and compliant data collection practices are accounted for, particularly in a privacy context.
And this is quite challenging in data collection when you really consider managing the volume and velocity of incoming data in the modern organization. Part of data collection management, we want to make sure that we have the proper storage, optimization, the regulatory compliance controls around that, risk mitigation, all that is in place. From there, we need to manage the overall data lifecycle management throughout the organization, where we need to establish clear data ownership, implement data quality measures, manage data from creation all the way through the disposition and deletion of data.
At some point, you need to recognize that the risk of maintaining information in operational systems exceeds the remaining intrinsic value of the data. Data incurs higher costs in production. The longer the data is in production, the greater the risk of modification, deletion or a data breach. So I've sort of outlined data discovery and classification, data collection management, data lifecycle management; another thing to consider is data access management, to be able to ensure secure and controlled access to data, managing user permissions and balancing the accessibility with data protection requirements; and also data analysis oversight. We want to implement responsible data analysis practices to ensure transparency in tools and algorithms and balance analytics needs with the privacy and security requirements. The world of artificial intelligence that we're in right now, Marie, introduces new risks, and some social, cultural and ethical risks have already been identified with the use of AI, and we need to really manage that as well in this context.
Marie Patterson:
That provides a really comprehensive answer, I think. But I did want to delve into one area a little bit more with you. You mentioned cost versus risk. So again, talking about going back to this whole organization approach and then thinking about setting a strategy. One of the areas I know our customers run into is sometimes initiatives as it relates to data lead with cost. And you touched earlier on the fact of organizations having large volumes of data sitting in maybe legacy systems or data that no longer has huge amounts of value in operational systems. Would you have any recommendations for organizations that are maybe leading with this from a cost perspective, engaging with their colleagues on the governance side of the house and on the risk side of the house?
Michael Rasmussen:
Well, I mean it's to really understand what our exposure is and what's the right role of automation and technology to be able to manage this and automate this for the organization because it's a task that's beyond any type of manual capabilities in the organization. For an organization to really get ahold of data GRC, they're going to need good technology automation to be able to manage this in the organization and operationalize it. It's impossible to do manually today with the volume and veracity of data out there. And so that's one thing that definitely comes to mind there. And so organizations need to really define this strategy and build a business case on how focus on data GRC can help us become more efficient, time-saved, money-saved in our data governance and compliance practices.
More effective, like more getting done, monitoring, less things slipping through cracks and more resilient to contain data issues. Because they will happen, there will be breaches, there will be access to data violations. How can we identify them and contain them when they're still small, before they become big and be able to recover from them? So resilience and how to keep data governance. A fourth piece to a good business case is going to be the agility. How do we make sure that we're not managing our data governance the way the company was structured five years ago, but to the environment it is today and keeping up with that.
Marie Patterson:
I think that's going to be really helpful for people listening into this podcast, Michael. I think we are ready to wrap up. I want to thank you for a really interesting discussion today on this topic of data governance. If anyone has questions on this topic and would like to speak with you directly, Michael, what's the best way to get in touch?
Michael Rasmussen:
Of course, LinkedIn, I get a lot of interactions through LinkedIn and my website is www.grc20/20.com as in 20/20, vision, not the year 2020. And I also have the grcreport.com, which is a global news source on governance, risk and compliance.
Marie Patterson:
That's great. Thank you. For anyone who has questions on this topic and would like to speak to one of our subject matter experts here at Archive360, please send an email mentioning this podcast to info@archive360.com and we'll get back to you as soon as possible. Thanks to everybody for downloading and tuning in. Thank you again, Michael, for a really fantastic conversation.
Michael Rasmussen:
Thank you, Marie.