In my experience working with sustainability standards over a number of years, implementing and operationalizing risk management continues to present unique challenges related to data management best practice.
Many standards organizations are interested in risk management because it can help them drive efficiency and value for their stakeholders.
As an example, agricultural producers and companies are increasingly re-considering the cost/benefit equation as they think about investment in a certification program for demonstrating their good sustainability practices. The desire for greater value from certification is increasing pressure on standards to explore how to reduce the intensity and quantity of audits on the ground by discerning where the greatest sustainability risks exist in the geographies and sectors where they operate. Pinpointing and monitoring where risks exist enables them to offer risk-based assurance that focuses more precisely on issues and geographies where sustainability standards can have the most impact.
In conversations with colleagues from a range of standards systems in the past few years, they cited the following challenges and barriers to systematic and effective risk management:
- Lack of leadership support to resource risk management functions and activities
- Lack of high-quality data to assess risk, and determine risk profiles and risk levels (and keep them up-to-date)
- Challenges in identifying, using, and sharing (internal and external) data from multiple sources to inform better decisions about quantifying risks
These challenges all have something in common: they are the same challenges to creating consistent value with organizational data. If we follow the risk data trail, we will often see these same roadblocks creating gridlock for organizations in managing data more generally.
This is not surprising. Risk management data is essentially a subset of the data an organization manages. If an organization is not managing data effectively overall, it will be challenged to deploy a risk management strategy.
After all, risk management is a data-intensive effort since it relies on changing information over time, high-quality data to justify risk assessments, and multiple perspectives to be most valuable (e.g. external data on sustainability risks, like child labor or biodiversity loss).
But in order to be able to manage risk data effectively to drive decision-making, organizations must understand both the sources and flow of many types of risk data, and also trust the practices of data stewards who handle the data and influence its quality. These conditions make risk management a hairy data management challenge for organizations who are still young in the development of robust data management systems.
So how can organizations address the challenge to access and use the raw material (risk data) to implement a good risk management program? A risk management program can benefit from applying these key steps to develop a risk management plan*:
- Identify top goals or objectives in managing risk
- Take inventory of current risks, risk types, and risk levels (risk register)
- Ensure program operations link to the risk register and ongoing management reviews of performance
- Create a feedback loop between program operations and the risk register so that updated risk data can be recorded and reflect current conditions.
(Note: *The above steps are outlined in ISEAL Alliance’s best practice guidance note on Building a Risk Management Plan, 2018)
So how does this relate to data governance?
The above steps also mirror the steps to understand and document how data flows. Part of understanding data flows includes learning about how data interacts with staff and collaborators, and how information moves into and out of an organization.
The steps above are also the core elements of data governance and why this practice is so essential not only for a good information management system overall, but also for any program or initiative within an organization that relies on data and information.
While it would be impractical to suggest that an organization must have a well-developed information management system in order to deploy a risk management program, both can be developed incrementally and in unison.
This is because developing both systems follows similar steps in the use, organization, and identification of connections between data. Organizations eager to develop risk management strategies and programs can use a data governance framework to begin this journey so that their risk management programs can deliver value incrementally and effectively over time.