Many operational decisions are now heavily reliant on automation - data, models, rules etc. We’re...
Better access to data enables better decisions
You already know that you need your reports and processes to support your operational decisions.
The reports need to be complete and accurate. The processes need to be error free.
But user access limitations - because of audit, risk and/or compliance expectations – mean that it is increasingly difficult to get access to the data you need.
This can affect your ability to make accurate decisions - if the reports that you use to inform those decisions are incomplete, for example.
Access to systems and data is traditionally limited by job function, and the introduction of Sarbanes Oxley and other regulatory obligations and compliance standards has resulted in heightened focus on limiting user access.
However, these controls were designed to apply to systems of record e.g., ERP, financial or other systems used to process transactions. For those systems, limiting access makes sense. They are used to process transactions that reflect business activity Getting that wrong could be damaging.
Unfortunately, this approach is also often used for granting access to systems of information and intelligence e.g., data warehouses.
For these systems, the risk profile is different: in most cases, the primary downside risk you need to mitigate relates to confidentiality. Making sure privacy is maintained and preventing leaks of intellectual property.
But there are also upside risks to consider.
What does this mean?
For systems of record, access controls are put in place to reduce risk.
They are tried and tested, so they generally work well, if designed carefully.
For systems of intelligence, if you apply the same control design, those controls actually increase your risk - decreasing efficiency and effectiveness.
The purpose of these systems is not to record transactions. Rather, they are designed to provide access to information to better understand customers and operations, and to enable smarter decisions.
With growing data volumes, and growing potential for the use of data to improve your business, is there an alternate approach?
Consider open access to systems of intelligence
Open access means granting access to everything except certain specific confidential data.
A more extreme approach involves granting access to everything and then monitoring access to confidential data. This may work, in certain circumstances, but is riskier.
While open access instantly raises concerns, when done right, it can yield significant benefit.
Organisations like yours are implementing such access policies, or are thinking about moving in this direction, because open access promotes:
- Efficiency - reduced effort in discovering and requesting access to data.
- Innovation - providing opportunities to join up data for new insights.
- Data quality – gaps and inaccuracies become easier to spot.
If you lead a business area, do any of these sound familiar?
- You're not sure if your reports are complete and accurate.
- It takes too long to access the data your team needs.
- Your team often discovers or stumbles upon data that enhances analysis.
- You get the feeling there is data you don’t know about that could help.
If they do, you need to insist on a better approach. Challenge your risk and assurance and your data teams. Ask them to explain the risk/opportunity analysis – because there is a better, more sensible approach.
If you are accountable for data, reporting, BI or analytics, consider whether your access policies are working.
Are you enabling your business teams to generate the value you have promised?
If you oversee risk or compliance or assurance, consider whether the controls you have in place are mitigating risk, or preventing opportunity.
In guiding or auditing your business teams, you have an obligation to help them reduce risk, so if you are trying to enforce systems of record controls to systems of intelligence, are you really being effective?
A word of caution: While open access enhances analysis and reporting, it generally doesn't provide direct access to process transactions or data changes. However, if there's a feedback loop between your data warehouse and operational systems or data capture/change within your data warehouse, careful access control is still necessary.