
More access to data to reduce risk & enable better decisions

You know that there is untapped value within your systems and the data that they contain. But user access limitations, imposed to satisfy audit, risk and compliance expectations, mean that it is increasingly difficult to get access to the data that you need.


Access to systems and data is traditionally limited by job function. The introduction of Sarbanes-Oxley, PCI-DSS* and other regulatory obligations and compliance standards resulted in a heightened focus on limiting user access to what each role needs.


However, these controls were designed to apply to systems of record, i.e. ERP, financial or other systems used to process transactions. For such systems, limiting access makes sense: the transactions they process reflect business activity, and an unauthorised or incorrect transaction can do real damage.


Unfortunately, this approach is also often used for granting access to systems of information and intelligence, e.g. data warehouses. For these systems the risk profile is different. In most cases the primary downside risk that you need to mitigate relates to confidentiality: making sure that privacy is maintained and preventing leakage of intellectual property. But there is also an upside risk to consider: the value that is lost when controls stop people from using the data at all.


What does this mean?


For systems of record, access controls are put in place to reduce risk. They are tried and tested, and they generally work well if designed carefully.


For systems of intelligence, if you apply the same control design, those controls are in fact increasing your risk, by decreasing efficiency and effectiveness. This is because the purpose of these systems is not to record transactions. Rather, they are designed to provide access to information, to better understand customers and operations, and to enable smarter decisions.


With growing data volumes, and growing potential for the use of data to improve your business, is there an alternative approach?


Consider Open Access to systems of intelligence


Open Access instantly raises concerns, but when done right it can yield significant benefit.


Open Access means granting access to everything except certain specific pieces of confidential data: the default is allow, and the exceptions are a defined, maintained list of confidential fields, columns or datasets that are withheld or masked. A more extreme approach involves granting access to everything and then monitoring access to confidential data. This may work in certain circumstances but is riskier, because the control is retrospective: a leak is found in the access logs after it has happened rather than prevented. Either way, Open Access is only as safe as your classification of what is confidential, so that inventory has to be accurate and kept current.


Organisations like yours are implementing such access policies, or are thinking about moving in this direction, because Open Access promotes:

  • Efficiency - reduced effort in discovering and requesting access to data
  • Innovation - providing opportunities to join data up for new insights
  • Data Quality – gaps and inaccuracies become easier to spot.


If you lead a business area, do any of these sound familiar?

  • It takes too long to get access to the data that your team needs
  • Your team often discovers or stumbles upon data that enhances analysis
  • You get the feeling that there is data that you don’t know about that could help

If they do, you need to insist on a better approach. Challenge your risk and assurance teams, challenge your data teams, ask them to explain the risk / opportunity analysis – because there is a better, more sensible approach.


If you are accountable for data, reporting, BI or analytics, consider whether your access policies are working.

Are you enabling your business teams to generate the value that you have promised?


If you oversee risk or compliance or assurance, consider whether the controls that you have in place are mitigating risk, or preventing opportunity.

In guiding or auditing your business teams, you have an obligation to help them reduce risk. So if you are applying systems-of-record controls to systems of intelligence, are you really being effective?


A caveat

In general, Open Access enables better analysis and reporting, but it does not directly grant access to process transactions or change data. However, if you have a feedback loop from your data warehouse to an operational system (for example, the warehouse produces scores or lists that an operational system then acts on), or if you permit any type of data capture or change in your data warehouse, then the warehouse is partly a system of record, and access to those write paths needs the same care as a system of record.
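To make the three designs described under Open Access above concrete (withhold the confidential columns, mask them, or allow and monitor), and to show the read-only property the caveat above relies on, here is an added example that is not part of the original post. It uses SQLite's authorizer hook from Python's standard library as a stand-in for the column-level grants, masking policies or secure views a real warehouse would use. The `customers` table, its two confidential columns and the rows in it are constructed sample data, and `CONFIDENTIAL`, `READ_ONLY_ACTIONS`, `build_warehouse` and `AnalystSession` are hypothetical names chosen for this example.

```python
import sqlite3

# Constructed policy: the tables and columns tagged as confidential.  Everything
# that is not listed here is open to every analyst (deny-by-exception).
CONFIDENTIAL = {"customers": {"email", "date_of_birth"}}

# The only authorizer actions a read-only analytics session may perform.  INSERT,
# UPDATE, DELETE, CREATE, ATTACH and the rest are refused, so Open Access to the
# warehouse never becomes access to change data.
READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}


def build_warehouse():
    """Constructed sample warehouse: one customer table, three rows, in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (
            customer_id INTEGER PRIMARY KEY,
            region TEXT, segment TEXT, lifetime_value REAL,
            email TEXT, date_of_birth TEXT);
        INSERT INTO customers VALUES
            (1, 'north', 'retail', 1200.0, 'a@example.com', '1980-01-02'),
            (2, 'south', 'sme',    5400.5, 'b@example.com', '1975-06-30'),
            (3, 'north', 'sme',     310.0, 'c@example.com', '1990-12-12');
    """)
    return conn


class AnalystSession:
    """Hypothetical Open Access session over one connection.  mode is one of:
         'deny'    - any statement that touches a confidential column is refused
         'mask'    - confidential columns are selectable but come back as NULL
         'monitor' - everything is readable; confidential reads go to an audit log
    SQLite authorizes a statement when it is compiled, and Python's sqlite3
    caches compiled statements, so give each session its own connection.
    """

    def __init__(self, conn, user, mode="deny"):
        if mode not in ("deny", "mask", "monitor"):
            raise ValueError(mode)
        self.conn, self.user, self.mode = conn, user, mode
        self.audit_log = []                     # (user, table, column) tuples
        conn.set_authorizer(self._authorize)

    def _authorize(self, action, arg1, arg2, dbname, source):
        # SQLite calls this once per operation while compiling a statement.
        # For SQLITE_READ, arg1 is the table and arg2 the column being read.
        if action not in READ_ONLY_ACTIONS:
            return sqlite3.SQLITE_DENY
        if action == sqlite3.SQLITE_READ and arg2 and arg2 in CONFIDENTIAL.get(arg1, ()):
            if self.mode == "deny":
                return sqlite3.SQLITE_DENY
            if self.mode == "mask":
                return sqlite3.SQLITE_IGNORE    # SQLite substitutes NULL for the value
            self.audit_log.append((self.user, arg1, arg2))   # allow, but record it
        return sqlite3.SQLITE_OK

    def query(self, sql, params=()):
        """Returns (rows, None) on success or (None, error) when the statement is refused."""
        try:
            return self.conn.execute(sql, params).fetchall(), None
        except sqlite3.DatabaseError as exc:    # a refusal surfaces as an SQLITE_AUTH error
            return None, str(exc)


if __name__ == "__main__":
    for mode in ("deny", "mask", "monitor"):
        session = AnalystSession(build_warehouse(), "analyst", mode)
        print(mode, session.query("SELECT customer_id, region, email FROM customers"))
        print(mode, session.query("DELETE FROM customers"))
        print(mode, session.audit_log)
```

In a real warehouse the same three behaviours map onto column-level grants, masking policies or secure views, and the audit log onto the platform's query history. The point of the example is that the 'deny' and 'mask' variants stop the confidential values leaving, while 'monitor' only tells you afterwards, and that none of the three grants a write: the DELETE is refused in every mode, which is the property the caveat above depends on.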


*  PCI-DSS: Payment Card Industry Data Security Standard.

   An information security standard that applies to organisations that store, process or transmit payment card data.
