Directors who approach data merely as a compliance issue do so at their peril. With effective governance, data moves from being a headache to a strategic asset — with significant earning potential.
In March, several Australian organisations were rocked by serious data breaches. These included the theft of Ambulance Victoria employees’ personal and financial data by a disgruntled former staff member; the exposure of sensitive personal information belonging to 16,000 customers of Nine Entertainment newspapers; and the 13cabs cyber attack that potentially compromised user account information. They highlight the increasing importance of data governance in maintaining the quality, integrity and accessibility of an organisation’s data.
At the Australian Governance Summit, Valeska Bloch, partner and head of Cyber at Allens, noted that data governance and cybersecurity were essential pillars of optimal system performance.
All businesses must comply with Australia’s legislation and sector-specific regulations. Primarily, directors need to oversee that their organisations implement strong data governance policies aligned with the Privacy Act 1988 (Cth) and the associated 13 Australian Privacy Principles.
Recent and proposed reforms to the Privacy Act include a new statutory tort (a wrongful act that injures another for which the law imposes civil liability) that allows individuals to sue organisations for serious invasions of privacy; increased regulatory powers and penalties; a proposed expanded definition of personal information; and enhanced obligations relating to automated decision-making processes.
To help directors cope with their oversight of data governance, the AICD has released Data Governance Foundations for Boards: Key principles for director oversight and value creation. The publication was developed in partnership with Melbourne Business School’s Centre for Business Analytics and law firm Allens. It includes guidance for directors of smaller organisations, recognising they often have limited resources to protect data.
Principle 1: Organisational data is a strategic asset
A robust data strategy aligns data governance practices with organisational priorities, driving growth, fostering innovation and ensuring compliance with regulatory and ethical standards, according to the AICD Data Governance Foundations for Boards.
Coles Group uses extensive data sources, including inventory records, customer transactions, and operational data, integrated through AI to manage store operations, as outlined in a Microsoft case study publication. The supermarket chain’s AI systems process insights from over 2000 distinct data sets to make 1.6 billion predictions daily, forecasting demand and managing stock levels across its 850 stores nationwide.
Wendy Stops, a non-executive director at Coles, highlights the benefits of treating data as a valuable asset. “Although many directors tend to view data through a risk management lens, as a liability, multiple benefits flow when data is instead leveraged as a high-value asset. This approach can bolster decision-making, enhance customer experience, optimise operations, support innovation, improve efficiency and provide a competitive advantage.”
AI underpins inventory management. Coles can forecast product availability up to 100 days ahead, managing around 20,000 different products for individual stores.
Speaking at the 2024 AGM, Coles CEO Leah Weckert said the company’s data-driven improvements in its eCommerce services have led to measurable customer satisfaction increases. “Upgraded app and web features, greater availability, reduced click-and-collect wait times, and increased personalisation have all resulted in a 22 per cent improvement in online NPS.” This contributed to supermarket eCommerce sales growth of 30.1 per cent for FY24 and a further 22.4 per cent in the first quarter of FY25.
Coles also uses computer vision data to streamline checkout, reducing customer wait times. Customer feedback is analysed by generative AI, identifying store-specific priorities.
Principle 2: Define clear data governance accountability
Given the reputational and financial losses that can arise through privacy breaches, boards now play a key role in defining clear data governance accountability, says Jamie Norton, a director with the Information Systems Audit and Control Association (ISACA), an advisory board member at cybersecurity startup Avertro and partner at McGrathNicol.
Boards need to ensure there is a framework in place for ensuring stewardship of an organisation’s data. This includes overseeing compliance and regulatory obligations, and adopting a “test and challenge” approach.
“As a board member, I’d want an effective data governance framework in place,” says Norton. “So, understanding the data and cyber risks, and the current status of the risks posed to the organisation, whether those risks are within appetite, and if they’re not, what’s being done about them.”
Boards also need to oversee policies on AI governance and responsible data use — and push for independent audits of AI decision-making. Those governance frameworks need to spell out who is responsible for data, how it is managed, and how risks are mitigated. Oversight is increasingly delivered through an internal management governance steering committee.
“In Coles, we call it the Data Governance Council,” says Stops. “It oversees and sets a lot of data and AI-related standards and policies. It monitors usage of data analytics and AI, and reviews business cases for such, including how to use AI ethically and safely.”
Another emerging role is that of chief data officer, an individual who assumes enterprise-wide ownership of the data strategy. Then there are data owners or stewards — senior people within the business who take ownership of particular domains, such as customer or employee data.
Cascading accountability and responsibility through an organisation by leveraging data stewards and effective structures ensures data governance is embedded into daily operations rather than being siloed or fragmented. The board can also play a key role through requesting effective reporting on data usage, compliance and operational issues. This combined approach creates a culture of data responsibility, enhances strategic decision-making and mitigates risk effectively, says Stops.
Principle 3: The data lifecycle and effective risk management
There are significant risks associated with weak data governance practices, including from data breaches and poor security at third party providers. To manage these, companies should implement robust security measures — including thorough due diligence, access controls, data encryption, regular monitoring and incident response plans — while ensuring compliance with regulations.
Due diligence and vendor assessment involves thoroughly vetting third party providers, and conducting regular security assessments to identify vulnerabilities. Enforcing multi-factor authentication for all logins to software as a service (SaaS) applications helps prevent unauthorised access, while encrypting data in transit and at rest safeguards data confidentiality.
The data lifecycle refers to the sequence of stages a unit of data goes through — from creation to destruction. Directors must know the critical data the organisation holds, how it’s used, who has access to it and how it will impact business operations if it is compromised. To mitigate risks throughout this lifecycle, controls such as data classification, restrictions on access, encryption and audits are typically used. “Success” in data governance means the information is secure, accurate, accessible and ethically obtained.
A range of metrics can be used to assess the efficacy of a company’s data governance frameworks. These include data quality scores, policy compliance rates, user access audit results, incidence of breaches and stakeholder satisfaction.
Principle 4: Empower a data-driven organisational culture
A data-driven culture is one in which the day-to-day actions and decisions of the business are informed or supported by data. “It’s decision-making that’s not based on intuition, opinion or the figures on a single report or dashboard,” says Stops. “You can’t take a dashboard as gospel and the only source when making decisions. It’s about digging down into the detail, peeling back the layers, taking in more data if necessary and looking more closely at why [a trend] is happening.”
Boards also rely on data for financial oversight and assessment. “It’s up to the board to not just take for granted what the numbers are telling them, but to prise under the covers,” she says.
Employee education and training play a critical role in cultivating a culture of data-driven decision-making. Sometimes, initiatives fail because company data is not of good quality. New tools or dashboards can be introduced by tech teams without an understanding of the overall business context and strategy.
“The business strategy is the starting point on any data use,” says Stops. “Boards should ask, ‘What are we trying to achieve? How can we use data to solve that problem and what data do we need?’”
She notes a Melbourne Business School Centre for Business Analytics report, which reported that 80 per cent of all analytics and AI projects fail.
“A company needs to find the right balance between having strong data infrastructure in place while starting to experiment with advanced data analytics and AI.”
Ethical use of data is a compliance concern. Boards need to lead from the top by asking to see the framework and how it operates, for reporting around aspects such as breaches of privacy, bias and discrimination, and new and emerging forms of AI. Boards should also ask to see external indices and metrics, such as those relating to trust.
Principle 5: Respond effectively to a data incident
Effective responses to data breaches are more likely when directors thoroughly understand the process to be followed during any incident, says Norton. “It shouldn’t be something where you’re coming in blind. You need to build muscle memory through practising simulated incidents.”
Generally, cyber and technical staff will focus on identifying what happened, how, and the steps to recovery. The executive will form a crisis management team to understand the legal and regulatory effects, impacts on customers and how to respond. Even in an uncertain situation, maintaining clear and concise communication with internal and external stakeholders is critical, says Norton. “You need a good communications strategy, ideally predefined, about how you communicate — and when — within your incident and crisis management process.”
There are also regulatory requirements in relation to data breaches. Some companies make the mistake of engaging in initial messaging focused on denying the existence of a breach. “But then, as the incident evolves, it becomes apparent there’s a significant problem and you have to backtrack, which leads to embarrassment and materiality around issues such as what the company does and doesn’t know,” he says.
Many insurance companies offer assistance, normally a cyber legal expert, to help reduce the impact of an incident. From legal and ethical perspectives, boards need to support individuals affected by data breaches. “There’s the potential for significant harm at the time of the breach and down the track as data sets are increasingly available to threat actors and malicious criminals,” says Norton, who considers post-event reviews essential. Even if boards believe their incident response was effective, a third-party independent review can highlight areas for improvement.
This article first appeared under the headline 'Getting down with data' in the June 2025 issue of Company Director magazine.