The amount of data we are exposed to, both professionally and personally, is expanding wildly. This expansion is happening while the amount of investment necessary to store this data diminishes. Since storing information is so cheap now, there’s no real disincentive to becoming a “data hoarder.” While data hoarding has a lot fewer health risks than knick-knack hoarding, if you don’t manage your inbound data well, you can end up equally overwhelmed and paralyzed when you realize the mess you’ve made.
A Thousand Pictures Is Worth a Few Words
Let me illustrate this with an example. My household doesn’t lack for children. My wife and I try our best to capture as many memories of our munchkins as we can in pictures. I can store the 4GBs of pictures and videos from 2013 on an external drive that’s small enough to fit on my key chain. (That same volume of data would consume 2,844 3.5-inch disks in “olden” days.)
Yet, now that we have all of this “data,” what will my wife and I do with it? Thousands of pictures and nearly one hundred videos are not easily consumed. While we were diligent to capture all of this, we’re going to struggle to parse and sort this data. (The parsing and sorting likely won’t happen until we get the last of these kids out of diapers.) To aid us in the management of these pictures, our phones/digital cameras/camcorders automatically embed values with each file. Therefore, beyond just the pictures as individual data points, the pictures themselves also reflect the following: file name, size, location, date and time. Using things like facial tagging, our computers can even auto-tag the individuals in the picture. Here are some data points from a favorite family photo:
- File Name: IMG_0039
- File Size: 1.78MB
- Location: Kansas City, Missouri
- Date: August 22, 2013
- Time: 6:38pm
- Individuals: Kids 1, 2, 3 and 4
Isn’t technology grand? Don’t these data points paint such a heart-warming scene? Oh wait, something’s missing – the actual event the picture was capturing! While the Kitchin family is swimming in metadata, the Kitchin family can’t really assess what’s happened so far in 2013; looking at these data points doesn’t allow us to see anything. We have 6,000 data elements (~1,000 pictures with ~6 data elements per picture), but we haven’t really accomplished our main goal: holding on to memories in a way we can reflect on in the future.
Knowledge vs. Wisdom
If you’re an architect of your organization’s GRC systems, you can get lost in “big data.” It’s easy to accumulate data, but knowing how to capture insight is a much more challenging question. GRC is a discipline where quality trumps quantity, a concept I often sum up with the phrase, “more data is not necessarily more better.”
In your attempts to categorize, classify, consolidate and correlate the information you’ve been tasked to process, has there been any effort to “contextualize” your content? As you implement your upcoming processes, consider the following two factors:
Capture Narratives Where Possible
For an audit process, one of the core reports is always going to be, “Open Findings.” When there is a finding, there is usually a “story.” (It may not be a good story or one that paints the events in a positive light, but there’s likely something beyond the checkboxes.) Provide a way to capture this information – even if it is an excuse from the parties involved – within your system. Radio buttons and checkboxes will help organize your data, but getting to the heart of the issue is going to require insight into the minds and actions of the individuals involved. Leave space for your team to provide their open-ended observations and perspectives. While it may not be easy to report on a narrative, it will help you bring a faster resolution to the issue.
Link Your Data Across Functions
The ‘C’ may not stand for “Cooperation” in GRC, but to gain real insight from your information, your teams need to work together. The first stab at the likelihoods and impacts of your risks may be an exercise in research and guessing, but as you collect more information you can make your decisions with more confidence as you have more examples to reference and support how you allocate your resources.
For example, as you capture IT incidents through your network monitoring tools and assess the risks these incidents pose to your organization, do you link the actual incidents back to the items in your risk register? Do the individuals that own your risk register ever have meetings with the people that manage your security incidents? An organization that links these functions (and this is just one of many examples) has the ability to leverage far more information to prioritize how it manages risks. If you see that one type of incident leads to a significant loss event, tying this to a specific risk in your risk register creates a powerful story for investing greater resources to prevent this type of risk in the future.
“It’s Not What You Look at that Matters, It’s What You See”
Henry David Thoreau deserves the credit for this eloquent heading. This quote captures the essence of the point I’d like to leave you with. Numbers and record counts are useful (looking), but understanding the inter-relationships and underlying reasons (seeing) allows you to tell and promote a far more compelling story to your stakeholders. Don’t just store your vast amounts of information without developing some sort of strategy or a plan. For our family pictures, it’s likely a simple folder system – folders for “Birthdays”, “Summer Vacation 2013”, etc. – would give us much more context into what we’ve accumulated to date. In your GRC process endeavors, look for both the quick wins and the long-term things you can implement to help you sift through the noise and find the nuggets of insight you can use to optimize your business.
–Jonathan Kitchin, OrangePoint