Risk and Governance in Analytics

There is now an enormous quantity of data which is being generated in a wide variety of forms. However this data, in itself, has little meaning or value; it needs interpretation to make it useful. Analytics are the tools, techniques and technologies that can be used to analyze this data into information with value. These analytics are now being widely adopted by organizations to improve their performance. However what are the security and governance aspects of the use of these tools?

For example Dunnhumby which was created in 1989, by a husband and wife team, to help businesses better understand their customers by being 'voyeurs of the shopping basket'. Within a few years, they were working with Tesco to develop their Clubcard loyalty program. The insights from this help Tesco stock the right products, optimize prices, run relevant promotions and communicate personalized offers for customers across all contact channels.

However another side to this kind of analysis was described in the NY Times article How Companies Learn Your Secrets - NYTimes.com. According to this article a statistician working for the US retailer Target figured out how to identify customers in the second trimester of their pregnancy based on buying habits and other customer data. The targeted advertising based on this led to an angry father complaining to a store manager about advertising for baby clothes and cribs being sent to his daughter who was still in high school. It turned out that the analytics had worked out she was in fact pregnant but she had not told her father.

These examples based on loyalty cards illustrate the value of data analytics but the problem is now even more difficult. This is because of the amount of data that is being generated through smart devices and Apps vastly exceeds that from the occasional use of a loyalty card.

So where is the line between improving service to customers and invading their privacy? At what point does the aggregation and analysis of data become a threat rather than a benefit? These are difficult questions to answer and regulations and the law provide little help. For example when a customer in the UK accepts a customer loyalty card they accept the terms and conditions. These will almost certainly include an agreement that the card provider can use the data collected through its use in a wide variety of ways. Most people do not read the small print – they simply want the loyalty rewards. Those who do read the small print are unlikely to understand the full implication of what they are agreeing to. However under the data protection laws this agreement is considered to be “informed consent”. So is this a fair bargain? Based on the take up of loyalty cards in the UK - for most people it is.

So from the point of view of an organization that wants to get closer to its customers, to provide better products, to become more competitive data analytics are a powerful tool. According to Erik Brynjolfsson Professor at the MIT Sloan School of Management: “Companies with ‘data driven decision making’ actually show higher performance”. Working with Lorin Hitt and Heekyung Kim, Professor Brynjolfsson analyzed 179 large publicly-traded firms and found that the ones that adopted this method are about 5% more productive and profitable than their competitors. Furthermore, the study found a relationship between this method and other performance measures such as asset utilization return on equity and market value.

But what are the risks to the organization in using these forms of analytics? Firstly it is important to be sure of the accuracy of the data.

Can you be sure of the source of the data which originates from outside of your organization and outside of your control? Many consumers take steps to cloak their identity by using multiple personas, the Internet of Things may provide a rich source of data but without guarantees regarding its provenance or accuracy. If you are sure of the data what about the conclusions from analysis?

Can the analytics process provide an explanation of why it has reached the conclusions that you can understand? If not be careful before you bet the farm on the results.

Are you sure that you have permission to use the data at all and in that way in particular? In the EU there are many rules regarding the privacy of personal information. An individual gives data to a third party (known as the data controller) for a specific purpose. The data controller is required to only hold the minimum data and to only process it for the agreed purpose.

If you are going to use analytics it is a decision which should involve the board of directors. They should set the business objectives for its use, define the policies for its governance, and their appetite for risks relating to its use.

This article has originally appeared in the KuppingerCole Analysts' View newsletter.



KuppingerCole Select

Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live trainings.

Stay Connected

KuppingerCole on social media

Subscribe to our Podcasts

KuppingerCole Podcasts - listen anywhere


How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00