Boardrooms divided over data governance, survey finds
Most respondents say their organisations do not have adequate frameworks or processes in place and smaller organisations struggled the most.
Most directors are uninformed and ill-equipped to handle their organisation’s data governance issues, a survey from the Governance Institute of Australia reveals.
Almost 60 per cent of senior risk management officials and C-suite executives surveyed said their boards did not have an understanding of their organisation’s current data governance challenges.
Employees responsible for data governance – how their organisation managed and secured data assets – reported to 80 per cent of boardrooms on a quarterly or less frequent basis while a further 51 per cent said data governance was not reported at all.
“This is a concerning revelation,” the survey said. “Given the substantial damage that can be caused to individuals through data mismanagement or breach, such lack of regular oversight is of concern.”
The survey, conducted in partnership with DataX Macquarie Research Centre, was initiated in response to issues raised by academia and the media after a string of recent high-profile data breaches, it said.
“There is concern that important data-related matters are routinely made by technical experts with limited understanding of relevant laws and principles of accountability and transparency. On the whole, the findings of this survey justify this concern.”
A lack of formal technology skills and education was seen as the main reason for these challenges, reflecting the complexity of data governance and the need for specific training for executives and senior officials. A further 39 per cent said their lack of understanding was down to having “more pressing” priorities than data governance.
There were also mixed opinions over the best committee structure to oversee data issues: 46 per cent believed it should be part of an existing audit or risk committee, 23 per cent thought it was a board-level issue and 12 per cent said a separate risk committee should be formed.
The survey’s 345 respondents included public and private companies but was dominated by government organisations (21 per cent) and not-for-profits (36 per cent). It covered industries such as healthcare and social services, finance, education and technology.
Overall, respondents viewed their management practices negatively and only 34 per cent said their management was “excellent or very good”. Confidence in handling and protecting data assets was highest for ASX-listed companies and lowest for not-for-profits.
Governance Institute of Australia president, Pauline Vamos, said the survey showed that smaller organisations with fewer resources were more likely to be exposed to data-related risks.
“High-profile data breaches have had a sizeable impact on action, with 56 per cent of companies having changed their process and procedures since those events took place. But it’s the smaller companies that are less likely — due to resourcing constraints — to have been able to make these changes,” she said.
The finding of inadequate data management processes across industries and organisations was compounded by a dearth of data governance frameworks, the survey said.
“An effective data governance framework is critical in protecting an organisation from potentially catastrophic internal and external threats and ensures a responsible, legally compliant and efficient use of data assets,” Ms Vamos said.
“It is critical that organisations design, introduce and implement an effective data governance framework to maximise customer service and commercial value of data while also minimising risk.”
The survey also found that boards believed cyber attacks, followed by emergent technologies and AI were the main risks to data governance. Only 10 per cent of respondents believed AI was a risk in 2023, but nearly half (43 per cent) said it would be a risk in 2030.
“This is of concern, as it suggests a lack of appreciation of how AI usage can presently lead to data misfeasance. This is not a future problem, it is a real and present danger, and organisations need urgent education on the nature and extent of the current threat presented by AI usage,” the survey said.
About the author
