TL;DR: Enterprise risk management frameworks often fail because the data layer is fragmented, manually assembled and hard to trace, leaving organisations unable to prove where reported figures came from under BCBS 239, Solvency II and similar scrutiny, according to Collibra. The control problem is not the framework on paper, but the governed data foundation underneath it.
NHIMG editorial — based on content published by Collibra: Enterprise risk management framework: Building a scalable foundation for regulatory compliance
By the numbers:
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.
Questions worth separating out
Q: How should organisations build a risk framework that regulators can actually trust?
A: They should start with governed data rather than reporting templates.
Q: Why do manual spreadsheets break enterprise risk and identity governance?
A: Manual spreadsheets break because they hide provenance, allow inconsistent definitions and create a new “golden source” each time someone copies data into a report.
Q: What breaks when data lineage is missing from governance reporting?
A: Without lineage, the organisation cannot trace a reported figure back to its source system or understand how it was transformed.
Practitioner guidance
- Map critical identity data elements to owners: define the fields that matter most for identity governance, such as service account ownership, token scope, certificate expiry and privileged access status.
- Automate lineage for identity and risk reporting: trace how access, entitlement and credential data moves from source systems into audit and governance reports.
- Enforce policy at the data layer: translate governance rules into controls that operate on live identity records, not just policy documents.
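The three guidance points above, and the lineage and "new golden source" problems from the Q&A, can be made concrete in code. The following is an added example written for this editorial; it is not Collibra's or NHIMG's code and does not reflect how the Collibra platform works. The source-system names (`iam-export`, `pki-inventory`), the sample records and the three rules are constructed for illustration. It shows a reported figure that carries lineage back to fingerprinted source records, policy rules evaluated against live records, and a verification step that rejects a figure whose value or inputs no longer match the source.

```python
"""Added example (not Collibra's code): a minimal governed-data layer for
identity records that attaches lineage to every reported figure and enforces
governance rules on live records rather than on policy documents.
All records, system names and rules are constructed for illustration."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import date
from typing import Callable, Optional

AS_OF = date(2025, 6, 1)  # assumed reporting date


@dataclass(frozen=True)
class IdentityRecord:
    """One governed identity data element, tagged with its source system."""
    record_id: str
    source_system: str          # hypothetical upstream system name
    owner: Optional[str]        # accountable human or team; None = unowned
    token_scopes: tuple[str, ...]
    cert_expiry: Optional[date]
    privileged: bool

    def fingerprint(self) -> str:
        """Stable content hash so a figure can be tied to the exact record
        version it was computed from, not to a copy in a spreadsheet."""
        payload = json.dumps(asdict(self), sort_keys=True, default=str)
        return hashlib.sha256(payload.encode()).hexdigest()[:16]


@dataclass
class Figure:
    """A reported number plus the lineage that produced it."""
    name: str
    value: int
    transformation: str
    inputs: list[tuple[str, str, str]] = field(default_factory=list)  # (system, id, fingerprint)


# Constructed sample data standing in for two upstream systems.
RECORDS = [
    IdentityRecord("svc-ci-deploy", "iam-export", "platform-team", ("repo:write", "deploy:prod"), date(2025, 3, 1), True),
    IdentityRecord("svc-report-ro", "iam-export", None, ("db:read",), date(2026, 1, 15), False),
    IdentityRecord("svc-legacy-admin", "pki-inventory", None, ("*",), date(2024, 11, 30), True),
    IdentityRecord("svc-billing", "iam-export", "finance-it", ("billing:read",), None, False),
]

# Policy rules run on live records; each returns a reason string or None.
Rule = Callable[[IdentityRecord, date], Optional[str]]

def require_owner(r: IdentityRecord, _as_of: date) -> Optional[str]:
    return None if r.owner else "no accountable owner"

def cert_not_expired(r: IdentityRecord, as_of: date) -> Optional[str]:
    if r.cert_expiry and r.cert_expiry < as_of:
        return f"certificate expired {r.cert_expiry.isoformat()}"
    return None

def privileged_scope_bounded(r: IdentityRecord, _as_of: date) -> Optional[str]:
    if r.privileged and "*" in r.token_scopes:
        return "privileged identity with wildcard scope"
    return None

RULES: list[Rule] = [require_owner, cert_not_expired, privileged_scope_bounded]


def evaluate_policies(records: list[IdentityRecord], as_of: date) -> dict[str, list[str]]:
    """Enforce every rule against every record; violations keyed by record id."""
    violations: dict[str, list[str]] = {}
    for r in records:
        reasons = [msg for rule in RULES if (msg := rule(r, as_of))]
        if reasons:
            violations[r.record_id] = reasons
    return violations


def unowned_privileged_count(records: list[IdentityRecord]) -> Figure:
    """The kind of figure a risk report carries, built with lineage attached."""
    fig = Figure("unowned_privileged_identities", 0,
                 "filter(privileged and owner is None) -> count")
    for r in records:
        if r.privileged and r.owner is None:
            fig.value += 1
            fig.inputs.append((r.source_system, r.record_id, r.fingerprint()))
    return fig


def verify_figure(fig: Figure, records: list[IdentityRecord]) -> bool:
    """Trace each input back to a current source record, then re-derive the
    figure. A hand-edited or stale copy fails because either its inputs no
    longer match any record version or its value does not reproduce."""
    by_id = {r.record_id: r for r in records}
    for system, rid, fp in fig.inputs:
        r = by_id.get(rid)
        if r is None or r.source_system != system or r.fingerprint() != fp:
            return False
    return fig == unowned_privileged_count(records)


if __name__ == "__main__":
    print(evaluate_policies(RECORDS, AS_OF))
    fig = unowned_privileged_count(RECORDS)
    print(fig.value, fig.inputs)
    tampered = Figure(fig.name, fig.value + 1, fig.transformation, list(fig.inputs))
    print(verify_figure(fig, RECORDS), verify_figure(tampered, RECORDS))
```

The design point is that the figure and its lineage travel together: an auditor asking "where did 1 come from?" gets the source system, record id and content hash of every contributing row, and `verify_figure` answers the harder question of whether the number still reproduces from the governed source today. Rules are ordinary functions over records, so adding a new governance requirement means adding a rule, not editing a policy document and hoping the spreadsheet follows.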
What's in the full article
Collibra's full blog post covers the operational detail this post intentionally leaves for the source:
- How Collibra maps critical data elements to catalogued risk and governance assets
- How lineage and quality controls are operationalised across reporting pipelines
- How policy enforcement is tied to data assets and governance workflows
- How the platform supports audit-ready evidence production for regulated risk teams
👉 Read Collibra's analysis of why enterprise risk frameworks fail without governed data →