CEOs often assert that people are a company’s most important asset. But people are more aptly characterized as resources, not assets.

Craig Calle

In fact, at many companies data is the most important asset. It even gets recorded, intangible as it is, on the balance sheet. Often it is data assets that justify market values that can be a huge multiple of book value.

Yet few organizations have organized themselves to give data the same representation at the C-level that employees get through a chief human resources officer. Treating data as a critical asset, with a dual mandate to protect it and enhance its value, is one of the great organizational redesign opportunities at hand. To that end, a company should give one C-level executive the responsibility for sustaining a comprehensive information-governance program.

The payoff from comprehensive data ownership at the C-level can be huge, and organizations won’t become cyber-secure without it. Other benefits include lower compliance and litigation risk, stronger controls, reduced storage and other expenses, and higher return on data and information assets.

However, there is a lot of work to do to fully protect and monetize data. Data and other information assets get balkanized within lines of business and in functional areas across organizations. They reside in data centers; in devices such as cell phones, laptops, and thumb drives; in the cloud; on paper; and elsewhere. Few organizations have even mapped these assets. That’s right: It’s 10 p.m., and we don’t know where our data are.

Regulatory Environment

Aside from management’s motivation to realize these opportunities, powerful regulatory forces are forcing change too, especially with regard to cybersecurity and the protection of customers’ personally identifiable information.

First, the recently updated internal control framework that is a foundation of Sarbanes-Oxley (SOX) makes data breaches a cause for possible criminal liability for CEOs and CFOs. Second, the Federal Trade Commission (FTC) has brought more than 50 cases against companies that have exercised poor housekeeping of consumers’ personal information, leading to expensive settlements.

Third, cybersecurity enforcement actions by the U.S. Securities and Exchange Commission (SEC) so far have been focused on financial institutions, but growing congressional pressure may lead to broader activity.

There is an alphabet soup of other regulations that obligate organizations to maintain data more securely. Regulators are not the bad guys here; it’s the hackers and other bad actors that compromise data security and trigger costs beyond the regulatory pain. Organizations must adjust to a new style of information technology by getting comprehensive visibility and control over their data and information assets.

Golden Age of Data Analytics

Organizations are capturing vast amounts of data. New platforms and tools enable people to collect, prepare, analyze, and visualize huge amounts of it, including unstructured data developed from social media, Internet of Things sensors, and other touch points, yielding valuable new insights on consumer behavior.

These platforms and tools foster collaboration, and they are intuitive to operate, so executives and analysts in lines of business can more quickly make smarter decisions without having to rely on finance or IT for help. Now that we can close the books on time, attention is shifting to this new golden age of data analytics. An information-governance leader can promote the data-driven organization.

Organizational Considerations

A successful information-governance leader would align everyone with interests in data across the lines of business and in functional support areas. This leader would be connected through newly formed solid-line and dotted-line relationships to others in IT, finance, legal and elsewhere, and would understand the way data is created and managed by its key stakeholders, including CIOs, CFOs, and GCs.

These same leaders, or those who report to them, are excellent candidates for the information-governance job. Consider their various characteristics that are relevant to their ability to perform the role:

Chief Information Officers: CIOs are well positioned to take on the additional responsibility for comprehensive information governance. At large organizations, many already report to the CEO, and they align their department’s resources with the strategic needs of the businesses. They are closely associated with data, especially with regard to the infrastructure and operating systems that carry the data and store it when it’s at rest. Data is really just another asset they need to manage better.

However, CIOs have their hands full dealing with profound changes in the IT landscape and could benefit by reporting to an information-governance leader. The massive shift from the use of licensed software and physical hardware to software-as-a-service (SaaS) applications and cloud hosts is representative of cloud computing’s powerful transformational effect.

The shift offers beneficial agility and innovation, but it is also a major source of cybersecurity risk that remains remarkably under-addressed today. The introduction of employee-owned smart phones and other mobile devices has made network perimeters — once carefully guarded — very porous, compromising cybersecurity.

Not surprisingly, the state of IT housekeeping is deficient, even at large, seemingly sophisticated organizations, notwithstanding suggestions of adherence to technology management standards and frameworks from NIST, SANS, ISACA (COBIT), ISO, SOX, and AXELOS (ITIL).

CIOs must also come to grips with an organizational behavior known as “shadow IT,” where employees introduce technology into the network, especially SaaS apps, without first seeking approval. People frequently end-run IT because they find it unresponsive to their needs. Considering that the average tenure of a Fortune 500 chief marketing officer is less than four years, they don’t want their teams spending the first year haggling with IT.

At the same time, employees have access to a proliferation of outstanding tools that are largely self-serve and best in class, usually superior to the bolt-on modules that IT typically recommends. CIOs are learning how to provision technology efficiently and effectively to regain control and promote innovation.

CIOs assess and deploy data analytics tools that lead to value creation. They are likely to be the ones who establish a data warehouse and help others, such as finance and the lines of business, develop queries to extract meaning from the data. However, most CIOs see themselves as enablers, rather than drivers of value creation. CIOs looking to move up to the top spot need to do more.

Chief Financial Officers: CFOs are asset stewards. They are first in line when it comes to understanding and accommodating the demands of Sarbanes-Oxley, the SEC, the FTC, and other regulators. Their internal audit staff drives compliance with control procedures.

CFOs are familiar to the board’s audit and risk committees, which increasingly are on-point to deal with cybersecurity. Security breaches are evidence of weak controls around data assets, so CFOs are now spending more time understanding technology. The CFO’s team also includes enterprise risk managers, who have a vested interest in maintaining secure data and the means by which residual risk can be transferred with insurance.

Finance chiefs are the architects of the chart of accounts and key repositories of data like enterprise resource planning (ERP) systems. They are naturally data-driven, as they marshal budgets and design and review key performance indicators. CFOs are number crunchers and, usually armed with financial planning and analysis (FP&A) teams, they support the businesses to improve the decision-making process.

CFOs have spent decades refining their ERPs to close the books promptly and use business intelligence tools like Hyperion to muster a meaningful conference call transcript and narrative for SEC filings on Forms 10-K and 10-Q.

However, most need help to extend their competence beyond a traditional reliance on relational databases and focus on structured data in order to play a role in Big Data and predictive analytics, while the business leaders develop these capabilities as well. Everyone wants to derive richer insights about the future, not just the past.

General Counsels: GCs bring a pronounced sensitivity to privacy and compliance issues that make them comfortable with information-governance responsibilities. Records and information management, including retention policies, originate from this group. Operating with a “lean data” mentality, they drive lower storage costs, as well as greater efficiency and accuracy in accessing content.

Their central role in litigation and due diligence makes them no strangers to evolving eDiscovery, archiving and other technologies to manage data and information assets. Armed with knowledge of the law, they carry weight in any organization, and can drive policy enforcement in ways that other groups respect. They shepherd the innovation process when they work with developers of intellectual property.

The person running information governance will confront conflicts when balancing the interests of risk mitigation and value creation. For example, the legal side of the house generally advocates “less is more.” They are more likely to champion records-retention policies that eliminate the potentially embarrassing email that they would prefer not be discovered one day.

Business analysts, on the other hand, are never quite sure what data they might need one day, so they would just as soon keep it all, especially as storage costs continue to decline rapidly and analytical tools become more powerful and user friendly.

Rise of the “CIGO”: There is an abundance of C-level titles, so adding another should be the result of thoughtful organization design. “Chief information governance officers” (CIGOs) are starting to emerge at large organizations today to elevate data as a critical asset and accept the dual mandate of risk mitigation and value creation.

There are other job titles that sound like they could be comprehensive data owners but their roles are narrower, and that specialization makes them highly effective.

“Chief digital officers” tend to support marketing initiatives and capitalize on the rich data available from growing online channels. They often are on point to transform their organizations from a traditional reliance on brick and mortar business models. “Chief data officers” tend to concentrate on analytics and, while they can be sensitive to privacy and risk issues, their emphasis is on value creation.

Many organizations feel they cannot afford yet another C-level position, but at the very least one C-level executive should carry the responsibility for comprehensive information governance. Who will step up to “own” data and the information governance process at your organization?

Craig Callé is CEO of Source Callé LLC, a consulting firm that makes organizations more data centric. He is a former CFO of Amazon.com’s Digital Media and Books businesses and other companies, and was an investment banker at Salomon Brothers. Prior to starting his firm, he was chief strategy officer at SHI International.


4 responses to “Why Data Needs a Seat at the Corporate Table”

  1. Craig
    Thank you for mentioning the 2013 COSO internal control framework vaguely by stating:
    “First, the recently updated internal control framework that is a foundation of Sarbanes-Oxley (SOX) makes data breaches a cause for possible criminal liability for CEOs and CFOs.”

    The COSO internal control framework has been chosen by all (100%) US listed companies, except one, British Petroleum, as their suitable framework for purposes of complying with Section 404 of the Sarbanes-Oxley Act of 2002.

    To clarify, the COSO framework makes no possible criminal liability for anything or for anyone or for any activity, including data breaches. It is guidance created and designed to help all organizations create, develop, mature and continuously improve their system of internal control as they or others define it. It is not required for SOX as SOX only requires the use of a suitable framework which registrants themselves determine. COSO is pleased, of course, that so many registrants have chosen our framework as their suitable framework for this purpose.

    Sincerely,
    Robert B. Hirth, Jr.
    Chairman
    Committee of Sponsoring Organizations of the Treadway Commission (COSO)

  2. Hi Bob. I’m condensing a lot into the single sentence you referenced, and the topic deserves its own article: http://sourcecalle.com/blog/2015/7/31/cfo-owns-cybersecurity
    The COSO update is motivating CFOs and auditors to dig deeper into technology controls and that should lead to stronger cybersecurity.

    Pervasive data breaches are evidence of weak technology controls and can affect how data assets get reported on the balance sheet under goodwill and intangible assets. Data breaches can compromise an organization’s brand and reputation, impairing goodwill. Data assets can be deleted, stolen, or held hostage, among other transgressions by internal and external bad actors. If these data asset value reductions go unaddressed on the balance sheet, the CEO and CFO that sign the SOX Section 404 certificate can face criminal liability.

  3. The focus of information management has been at the heart of having a true competitive advantage. Information is widely available so it is how companies manage it that makes a difference. Certainly this role is needed with the complexity that digital brings in interactions with customers.
