Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

ERM data governance: why risk frameworks fail under audit pressure


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: Enterprise risk management frameworks often fail because the data layer is fragmented, manually assembled and hard to trace, leaving organisations unable to prove where reported figures came from under BCBS 239, Solvency II and similar scrutiny, according to Collibra. The control problem is not the framework on paper, but the governed data foundation underneath it.

NHIMG editorial — based on content published by Collibra: Enterprise risk management framework: Building a scalable foundation for regulatory compliance

By the numbers:

Questions worth separating out

Q: How should organisations build a risk framework that regulators can actually trust?

A: They should start with governed data rather than reporting templates.

Q: Why do manual spreadsheets break enterprise risk and identity governance?

A: Manual spreadsheets break because they hide provenance, allow inconsistent definitions and create a new “golden source” each time someone copies data into a report.

Q: What breaks when data lineage is missing from governance reporting?

A: Without lineage, the organisation cannot trace a reported figure back to its source system or understand how it was transformed.

Practitioner guidance

  • Map critical identity data elements to owners Define the fields that matter most for identity governance, such as service account ownership, token scope, certificate expiry and privileged access status.
  • Automate lineage for identity and risk reporting Trace how access, entitlement and credential data moves from source systems into audit and governance reports.
  • Enforce policy at the data layer Translate governance rules into controls that operate on live identity records, not just policy documents.

What's in the full article

Collibra's full blog post covers the operational detail this post intentionally leaves for the source:

  • How Collibra maps critical data elements to catalogued risk and governance assets
  • How lineage and quality controls are operationalised across reporting pipelines
  • How policy enforcement is tied to data assets and governance workflows
  • How the platform supports audit-ready evidence production for regulated risk teams

👉 Read Collibra's analysis of why enterprise risk frameworks fail without governed data →

ERM data governance: why risk frameworks fail under audit pressure?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

Enterprise risk management now fails as a data governance problem before it fails as a risk model problem. The article is correct to shift the centre of gravity away from committees and dashboards. If critical data elements are undefined or unowned, the framework becomes a reporting shell with no reliable evidence base. The practitioner conclusion is that risk governance must start with governed data assets, not after them.

A few things that frame the scale:

  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
  • A separate finding from the same survey shows that 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, which is a clear warning sign for governance design.

A question worth separating out:

Q: Who is accountable when governance reports cannot be reproduced?

A: Accountability should sit with the data owner and the business owner of the critical data elements, not only with the reporting team. If no one owns the underlying fields and quality thresholds, the organisation is relying on process memory instead of controlled governance, which regulators treat as a serious weakness.

👉 Read our full editorial: Enterprise risk management frameworks fail without governed data



   
ReplyQuote
Share: