Evolving Procurement’s Risk Language

Today’s risk language often relies on one-size-fits-all categorizations, with final risk scores generally ranging from low to high, least risky to critical, or similar scoring nomenclatures. In short, a lot of inputs boil down to just one rating. Although efficient and easily understood, this approach risks leaving a company’s leadership unable to appreciate the fast-evolving risk picture – namely that of data risk.

Data is different – driving new organizational structures

In recent years, many forward-thinking companies have split the responsibilities of their CIO into the newly created roles of Chief Data Officer (CDO) and CTO. The main driver behind this organizational evolution is the insight that the skillset required to run operational IT doesn’t naturally lend itself to implementing the necessary digital transformation. In addition, CDOs are needed to evangelize digital thinking and apply it across the wider business. In short, for many CTOs, IT’s future focus has shifted to technology architecture, exclusive of deriving information from data, because – simply put – data is a business asset, not an IT asset.

So how is data different?

Data value can increase dramatically when connected to other data

This network effect provides companies like Facebook, Google, and many others with exponential benefits by connecting various disparate points of data into highly marketable information.

Data is easily replicable

Copy, paste, done. Once your data is outside of your company’s “four walls”, control over it is very hard to maintain or reclaim. Blockchains may address that but the technology has not reached its cresting point into mainstream applications.

Data valuation approaches are not standardized

Although valuation models for data are inexact and vary greatly, significant value is still being generated. Still, it is the value generated that is generally valued, not the data itself – a meaningful distinction with real-world financial implications.

Data value is fast diminishing over time – but is highly reusable and non-depletable

If data goes unrefreshed, it becomes stale and loses its value fast. However, many leading companies abstain from ever deleting any data as they expect to “daisy-chain” that data at some point in the future to convert it into actionable information.

Data is not represented in auditable financials (like other assets on the Balance Sheet) and, hence, cannot be capitalized

Whereas a physical asset always has an assigned value of at least $1, most companies do not assign any value to their data, hence, explicitly valuing their data at $0.

To state the obvious: The way we understand and mitigate data risks has significantly evolved from ten years ago and will definitely evolve further over the coming years. Consider these recent events that changed the way we perceive the complexities related to data risks:

  • In 2010, the Stuxnet computer virus surfaced, leveraging previously little-known zero-day flaws.
  • The 2013 Target breach was caused by hackers gaining access via an integration between the retailer and an HVAC services provider.
  • A wide variety of malware (including computer viruses, worms, Trojan horses, ransomware, spyware, adware, and scareware) has negatively impacted not only organizations of all sizes and kinds but also millions of people directly.

These “black swan” events changed the way data risk is perceived. Future events will change our perceptions and understanding even further. At the risk of discounting the incremental evolution of companies’ handling of operational risks, data risks have driven significantly greater changes – and the data risk mitigation revolution is not over by a long shot.

Given that data is different from other assets, we need to recognize that data risk is different from operational risk. Operational risks and data risks should be evaluated by different teams, have different guardrails, require a different focus and type of evaluation, and follow a different assessment frequency.

I see the following outcomes of separating data risk scoring from operational risk scoring:

More granular risk assessments

Instead of condensing all risk inputs into one score, any potential supplier can now be scored along both risk components independently. The frequency of each risk review would be driven by its respective risk rating and type. Also, with the data risk picture likely to evolve faster, any corporate updates or regulatory requirements to data risk scoring weights and components could be initiated discretely, without necessarily triggering the operational risk review.
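To make the point concrete, here is an added illustration (not from the original article) of how a collapsed single rating hides data risk that separate axes expose. The supplier, input categories, weights and review cadences are all constructed and hypothetical; the scenario mirrors the HVAC-integration case cited above.

```python
"""Added example: one collapsed supplier rating versus independent
operational and data risk scores, each with its own review cadence.
All inputs, weights and thresholds below are constructed for illustration."""

# Hypothetical input categories, each scored 0 (no concern) to 5 (severe).
OPERATIONAL_INPUTS = ("financial_stability", "delivery_performance", "single_source")
DATA_INPUTS = ("pii_volume", "data_sharing_onward", "access_to_our_systems")

# Hypothetical review cadence in days per rating band; data risk is
# reviewed more often because that picture evolves faster.
CADENCE = {
    "operational": {"low": 365, "medium": 180, "high": 90},
    "data": {"low": 180, "medium": 90, "high": 30},
}


def band(score):
    """Map a 0-5 score to a rating band (constructed thresholds)."""
    return "low" if score < 2.0 else "medium" if score < 3.5 else "high"


def collapsed_rating(inputs):
    """The one-size-fits-all approach: every input averaged into one rating."""
    return band(sum(inputs.values()) / len(inputs))


def split_rating(inputs, data_weights=None):
    """Score each axis independently and attach its own review cadence.
    Data-risk weights can be changed (e.g. after a regulatory update)
    without touching how the operational axis is scored."""
    op_score = sum(inputs[k] for k in OPERATIONAL_INPUTS) / len(OPERATIONAL_INPUTS)
    weights = data_weights or {k: 1.0 for k in DATA_INPUTS}
    data_score = sum(inputs[k] * weights[k] for k in DATA_INPUTS) / sum(weights.values())
    op_band, data_band = band(op_score), band(data_score)
    return {
        "operational": (op_band, CADENCE["operational"][op_band]),
        "data": (data_band, CADENCE["data"][data_band]),
    }


# Constructed supplier: financially solid, reliable HVAC vendor that holds
# remote access into our network. Operationally it looks harmless.
HVAC_VENDOR = {
    "financial_stability": 1, "delivery_performance": 1, "single_source": 0,
    "pii_volume": 1, "data_sharing_onward": 1, "access_to_our_systems": 5,
}

if __name__ == "__main__":
    print("collapsed:", collapsed_rating(HVAC_VENDOR))        # low: access risk is diluted
    print("split:", split_rating(HVAC_VENDOR))               # data axis surfaces as medium
    print("split, access weighted x4:",                      # reweighting the data axis alone
          split_rating(HVAC_VENDOR, {"pii_volume": 1, "data_sharing_onward": 1,
                                     "access_to_our_systems": 4})["data"])
```

The same six inputs yield a "low" overall rating when averaged together, while the data axis alone rates "medium" and, once system access is weighted more heavily, "high" with a 30-day review cycle.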

More strategic conversation by type of data

So far, I have intentionally referred to data in general, because data comes in many forms and formats, each with different strategies or regulatory requirements. To illustrate the point, let’s consider customer data. From third-party data bought from data providers, to hashed email addresses, to anonymized, aggregated file data, to transaction-level first-party purchasing data: each data type and source has different privacy implications, requires different handling and protections, and is owned or originated in a variety of ways. Companies need to step into this discussion strategically but deliberately, so that the way they handle and manage data is driven by their respective strategies and values.

More deliberate conversation about data by each stakeholder group

With no single owner of all data, the role of data in any organization carries strategic implications and has many stakeholders: internal (master data architects, marketers, finance, innovation and product teams, field operations, etc.) and external (regulators, customers, others). Different stakeholders have different agendas and should carry different weights, decision rights, and implications as to what can and cannot be done.

As a first step, any company needs to develop its data strategy. That strategy needs to incorporate considerations for risk assessment and mitigation standards that become part of the Procurement processes for both new and existing vendors. By deliberately leveraging and operationalizing an articulated data strategy, Procurement can help lead this mission-critical and cross-functional alignment in support of the long-term success of the company. And do it again and again – as this effort will be iterative.

Sören Petsch is a Procurement and Finance leader with two decades of professional experience. Most recently he led the global sourcing and risk management teams at a Financial Institution where he modernized the procurement support model into best-in-class processes enabling the company’s mission by focusing on value, speed, and sustainable supplier relationships. Prior to that, he led strategic sourcing and procurement teams at an international retailer. With an MBA from the University of Chicago and over a decade of experience in Finance at various multi-billion dollar companies and in Consulting at Bain & Company, he brings a diverse, strategic, and comprehensive perspective.
