Poor data management can lead to poor decision-making. While audit and risk committees across the UK receive reports every year on the effectiveness of their internal control systems, little thought generally goes into the data issues that decision-makers face every day. Data is often out of date and frequently there are multiple sets of similar data, resulting in data conflicts and manual work-arounds.
Having a data-risk management strategy goes a long way to support housing providers in their quest for a straightforward and structured approach to understanding their data risks and to prioritise their responses. By their very nature, data issues aren’t specific to a single IT application, thus the strategy needs to enable processes which allow the business to verify data, ensure it is up-to-date and correct, and in a consistent format. All of the data-related components need to be aligned; how data needs are identified, how data is processed and stored, and how it is governed.
Avoiding ‘out of system’ analysis
A housing provider’s strategic aims should include a focus on optimising the use of system functionality so that the right data is collected at the source of any transactions. By doing this, users of the data can ‘slice and dice’ the data without the need to create ‘out of system’ analysis. It’s also helpful to understand the data needs of multiple stakeholders and to create tools such as heat maps to assess team and system capability in managing data.
Where should data-risk management sit within an organisation? Practically, the management of data should rest with the teams who create it. By doing so, accountability and responsibility are appropriately positioned. The oversight of data governance itself often sits in the governance team, informed by the IT and finance departments.
When good data goes bad…
If data is shared or collected without proper authorisation or insecurely stored, it’s vulnerable to hacks and may be used for purposes other than what was originally intended. If data universes are inaccurate or not representative, they are devilishly difficult and expensive to rectify. Even with mitigations in place, the quality of data can be eroded (at best) or be unusable (at worst). Data remanence, comprising residual data which hasn’t been fully deleted, is troublesome and can result in data which may be unintentionally recoverable.
What can we do if data is compromised or just plain missing? Completing a data-risk review beforehand enables teams to set up quality control measures which support their understanding of what can go wrong and the effects on the business.
Systemic errors & users’ errors
Data errors may be categorised in two ways – systemic issues and user-generated issues. Systemic data errors happen when coding is faulty or invalid data is not identified and removed from data sets. Sometimes data errors are random too. Electronic glitches or corrupted data tend not to be obvious. Standardising dataset formats and embedding checks help in finding and resolving mistakes and anomalies. When system software is amended to be more bespoke for the business, there’s a risk that inbuilt data functionality could be compromised. To mitigate this risk, a thorough understanding of how data is manipulated and used by the system itself is necessary.
Data errors arising from users themselves often relates to uncollected data, incorrectly-keyed data, duplicated data or mismatched data. Enforcing data quality at the source of transactions (by using drop-down menus, for example) minimises the risk of aliases, misspellings or capitalisation problems. Simple errors arising from analysing data using different scales (such as reporting numbers in £’000s instead of whole numbers) can be easily fixed by using the functionality in Excel.
Having confidence in the reliability of the data is also a key factor in mitigating risk. Perversely, as AI and other data analysis software are being more widely adopted, the amount of people who have direct access to and can analyse the raw data remains small. If the data is out of reach or access is limited, business managers may feel they need to resort to making decisions based only on their own experience or intuition.
Some easy ways to build trust in and extend the use of system data is to:
- Make it easy for managers to analyse and manipulate data by using industry-standard data interrogation software;
- Standardise reporting to enable multiple uses;
- Make data access ‘real time’, arguably providing speed at the expense of greater accuracy;
- Focus on quality and centralised, single ‘point of truth’ data repositories with built-in checks and controls.
Finally, decision-makers should be mindful of the role proportionality plays in developing mitigation plans and safeguards to control data risk. While risks can be assessed around specific processing activities, such as the collection, sharing and usage of data, there also needs to be consideration regarding how long it should be stored for or used for purposes not originally intended.
Shendi Keshet is a board member of Wakefield District Housing, in collaboration with Martin Warhurst, the executive director of resources at Wakefield District Housing.
Authors’ note: This article does not focus on GDPR compliance; it should be implicit in all aspects of data management.