ISACA Journal
Volume 6, 2,017 


Governance, Risk, Compliance and a Big Data Case Study 

Guy Pearce 

ISACA Journal Volume 6 Podcast:  Governance, Risk, Compliance and a Big Data Case Study

By showing what would have changed if a previously successful big data analytics project was performed given today’s governance, risk and compliance (GRC) imperatives, this article highlights the GRC considerations that should be incorporated by design into any new big data project.

This project did not begin with the intention of being based on big data at the outset. Rather, big data was found to be incidental to helping solve a business problem for a Forbes Global Top 1000 bank. It is only in retrospect that the bank found it had met the definition of big data as part of its solution to achieve data-driven customercentricity.1

Defining Governance, Risk, Compliance and Big Data

To ensure this article is interpreted as intended, the following definitions are provided:

  • Governance—”[S]tructures and processes that are designed to ensure accountability, transparency, responsiveness, rule of law, [and] stability…”2
  • Risk—”The effect of uncertainty on [business] objectives.”3
  • Compliance—Acting in accordance with a wish or command.4
  • Big Data—High-volume, high-velocity and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making.5

A Business Summary of the Big Data Case Study

The market share of the bank was under pressure due to increasing competition. Data-driven customercentricity proved to be an effective solution to the problem, putting the bank on track to regain market share. The bank regained market share through the creation of US $94.95 million in incremental value for the bank within six months. The way the value was created for both the bank and its customers provided a peek into the power of a customercentric paradigm.

Figure 1As part of the process of understanding the business problem, the outcome of multiple focus group sessions with a representative sample of customers showed that the bank was not meeting its customers’ expectations, a finding in parallel with the bank’s own market research (figure 1).

Corrective actions were then identified and prioritized according to their urgency and impact, and prospective solutions were filtered based on their risk-adjusted business cases and their ease of implementation.

The deep customer insights raised in figure 2 were categorized as products and services, product utilization, channel utilization, wallet dilution, economic insights, industry insights, and regional insights. The data needed as inputs for these insights—made up of both internal and external, and structured and unstructured data—were identified. However, not knowing the quality and, therefore, the eventual usability of the analytics posed a considerable business risk. Processes were thus created and executed to determine the completeness, uniqueness, validity and accuracy dimensions of data quality for the data elements identified. In one case, the findings of the data quality assessments were such that enterprisewide data restitution was performed to increase the completeness attribute of a key data element.

Figure 2

After resolving data access, data integration, data quality, data cleansing and data fusion (structured with unstructured, and internal with external) issues, a portfolio of descriptive, behavioral and predictive analytics initiatives were performed on the consolidated data source.

The point of deployment gets tougher given the growth in privacy legislation today. While few laws were applicable to leveraging data when the case study was performed, two observations are useful at this point. First, the bank already had working business relationships with their clients, implying consent in today’s terms. Second, data-driven customercentricity was not just a phrase. It meant the creation of two-way value. Value was created for the bank because real value was created for customers. The results bear this out.

Once prototyping proved that data-driven customercentricity could address the business problem, senior approval was given for enterprise deployment. This involved distributing periodically generated analytics-derived customer insights to 1,300 branches using a customer relationship management (CRM) tool. Customer-facing bank staff now had access to key insights on each of their customers and could consequently strategize about how to have more meaningful and mutually beneficial conversations with them.

Coupled with improved training on the bank’s products and services (figure 2), bank staff could now better link the right products and services with the position of their customers during their unique banking life cycles. Customer interactions were consequently more relevant and meaningful, resulting in sales strike rates of almost one in two (50 percent). This is a noteworthy result because direct marketing strike rates are only about five percent.6 This outcome demonstrates the superior effectiveness of relationship marketing over direct marketing, a very interesting dimension of competitiveness. Figure 3 shows the overall results of these efforts.

Figure 3

While the bank’s customers experienced better-focused interactions from bank staff, the bank, in turn, experienced a financial uplift by increased sales and activity in four ways, as shown in figure 3.

While big data was instrumental to success, note that it was incidental. The bank did not seek to solve a business problem with big data. Rather, by first appropriately understanding the problem and then objectively implementing the best response from a set of alternatives, the bank ended up with a big data-driven approach to customercentricity.

So did the foundation of the data-driven project qualify as big data? Based on the big data definition introduced earlier, yes. Those definitions are:

  • High-volume data—Multi-terabytes of data were produced.
  • High-velocity data—Transaction volumes were around 1,000 transactions per second at peak.
  • High-variety data—Structured and unstructured data, both internally and externally sourced from across multiple divisions of the bank and from specialist data vendors. They included government gazettes and national, provincial and regional economic forecasts. The potential of these disparate data sources was unlocked by data fusion for data enrichment
  • Innovative processing—New database technology was needed to accelerate the daily data processing required to produce up-to-date customer insights to the field in a timely manner.
  • Enhanced insight and decision making—Better customer insights mean significantly higher quality customer engagement, resulting in enhanced financial outcomes, as shown in figure 3.

The Impact of Governance

Data governance is one of the greatest challenges to corporate governance because many boards ignore the risk posed by the mismanagement of data.7 Demonstrating the potential to appropriately mitigate this risk, 16 areas of alignment were found between data governance (using the Data Management Association International [DAMA’s] framework) and corporate governance (using Deloitte’s framework) that could be meaningfully applied in pursuit of risk mitigation.8, 9

Consider what the impact of today’s corporate governance and data governance disciplines would have been if the big data project was taken on now, starting with corporate governance.

For data governance, note that the impact is partially reflected by the integrity pillar in figure 4 and partially by privacy principle two in figure 5.

Figure 4
Figure 5

The overall governance implications of the big data project are clearly significant. Three of the six pillars of corporate governance would demand at least some change to the project’s approach, with data governance possibly having the most governance implications for implementation.

The Impact of Risk

The greatest risk boards of directors need to protect against is reputation risk.11 Because an organization’s reputation can be negatively impacted today by, for example, the incorrect or inappropriate use of data or by not complying with privacy regulation, appropriate controls need to be put in place to mitigate this risk.

Corporate governance mitigates some of this risk by enterprise risk management (ERM) within the risk pillar, while data governance mitigates some of this risk by means of the policies, procedures, standards, guidelines and tools used to perform and assess various characteristics of the data asset, and to ensure adherence to the enterprise’s policies for audit purposes.

Originally, the executive committee provided a means of risk management, noting that data governance as a risk mitigator was not yet as formal as it is now. Today, more formal ERM would be required for a project of this scale and impact, and it would have to be presented for review by senior members of the bank. Furthermore, cyber security was in its infancy, relatively speaking.

An important matter for a data team to understand about cyberrisk is the risk of a breach of personal information both before deployment and on deployment. This means risk must be mitigated using appropriate response plans, the content of which may differ by jurisdiction. Besides the regulatory requirement for breach reporting, some jurisdictions also need to understand the risk of significant harm arising from the breach. This risk necessitates an assessment of the sensitivity of the exposed data and the probability that these data will be misused.12 Many executives still have no idea where their sensitive data are, even though there are modern tools available to support their discovery.13

The Impact of Compliance

In 2015, 109 general privacy laws were active globally, and 49 percent of them were in the European Union. A significant addition to this list today would be the EU’s General Data Protection Regulation (GDPR), enforceable beginning in May 2018.14 Given that the European model is the leading global privacy model, the key elements of privacy legislation from this model should be considered in the context of this big data case study (there will be some similarities across other jurisdictions).15, 16

Doing the project today would be impacted by principles two, three, four and five, with consequent implications for project management, team size, team composition, and the time and financial resources required to execute the project. Also, principle seven requires the appropriate oversight and assurance of all customer-facing data-driven initiatives today.


The modern GRC landscape has a significant impact on how an enterprise-scale big data project would be undertaken today. Much of the impact falls under corporate governance’s integrity pillar. This pillar aligns data governance with corporate governance, helping ensure that data activities subscribe to enterprise standards of integrity.17

Figure 6 summarizes the major areas of impact of GRC on a big data project applicable from the perspective of the European model of privacy, which, as noted, is the dominant global model.

Figure 6

This article provides an overview of the likely impact of GRC on today’s big data initiatives. Given the span of risk and compliance issues and the relationship between corporate governance and data governance, this article is not exhaustive in content, in highlighting the complexities of each jurisdiction, in highlighting the complexities of data and information movement between jurisdictions, or even in highlighting the relevant content in a single jurisdiction. The article does, however, highlight the need to be increasingly aware of regulatory considerations—such as those concerning privacy—as part of both current and proposed big data projects, particularly if data are involved in driving how the enterprise interacts with its customers.


1 Sicular, S.; “Gartner’s Big Data Definition Consists of Three Parts, Not to Be Confused With Three V’s,” Forbes, 27 March 2013,
2 United Nations Educational, Scientific and Cultural Organization, “Concept of Governance,”
3 Lark, J.; “ISO 31000 Risk Management: A Practical Guide for SMEs,” International Organization for Standardization, Switzerland, 2015,
4 English Oxford Living Dictionaries, “compliance and comply,”
5 Op cit, Sicular
6 Chaffey, D.; “Marketing Campaign Response Rates,” Smart Insights, 11 October 2012,
7 Yordanova, V.; Filling the Gaps of Big Data Regulation, master’s thesis, Maastricht University, The Netherlands, 2015
8 Pearce, G.; “Align Data Governance With Board Governance Imperatives,”, 3 May 2017,
9 Data Management Association International, Body of Knowledge,
10 Deloitte, “The Role and Benefits of a Corporate Governance Framework,” The Wall Street Journal, 24 May 2013,
11 Dowling, G.; “Reputation Risk: It Is the Board’s Ultimate Responsibility,” Journal of Business Strategy, vol. 27, iss. 2, 2006, p. 59–68
12 Jones, P.; L. Walker; “How to Navigate Landscape of Global Privacy and Data Protection,” American Bar Association, USA, 2–4 November 2016,
13 Pearce, G.; “Boosting Cyber Security With Data Governance and Enterprise Data Management” ISACA Journal, vol. 3, 2017,
14 General Data Protection Regulation (GDPR), “GDPR Portal,” European Union,
15 Op cit, Dowling
16 Bank for International Settlements, Principles for Effective Risk Data Aggregation and Risk Reporting, Switzerland, 2013,
17 Op cit, Chaffey

Guy Pearce
Has served on five boards of directors and two management boards in banking, financial services and retail over the last decade. He also served as chief executive officer of a multinational retail credit business that served 100,000 customers in three countries, where he led the organization’s 700 staff to profitability soon after the 2008 global financial meltdown. He has published numerous articles on cyberrisk, big data and various aspects of governance, and he currently consults in strategy, risk, governance, IT, big data and analytics.


Add Comments

Recent Comments

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.