Data Product Risks Assessment

Key Ideas

• Consult with IT QA, Platform Architecture,Governance along with Product Owner to identify potential risks
• Assess risk likelihood and impact for each identified risk.
• Identify risk indicators and control measures
• Develop risk mitigation measures to reduce the likelihood of occurrence.
• Update the Requirements Specification and Solution Design as necessary.

---

Note

Data Product Risk controls are to be handled by means of Service-Now IRM.

Roles involved

Responsibility	Roles
Accountable	Product Owner
Responsible	Data Engineer , Solution Architect, IT QA, Scrum Master
Consulted	Platform Architect , Data Owner
Informed	Business Owner , Solution Delivery Manger

Goals

• Protect Novo Nordisk from financial, commercial, reputational, and other damages caused by potential negligence in managing data-related issues.
• Safeguard the assets of the Data Product being assessed, as well as any Data Products derived from it.

Inputs

• Product Defining Requirements Specification - core requirements list, data model, data contracts.
• GxP Q204010: "Manage data integrity in IT solutions".
  • Data Integrity
• Q187655: "Manage Information Security in IT Solutions"
  • Information Security
• GDPR (for Europe), if PII data is planned to be handed for the Data Product
• HIPAA (for US), if PII data is planned to be handed for the Data Product

Outputs

• Data Product Risk Assessment Service-Now IRM:
  • Risks with likelihood and impact ratings.
  • Indicators and controlling measures for identifying occurrences of risks.
  • Risk mitigation measures to reduce likelihood.
  • Plan for handling consequences of risks.
• Update Data Contracts, tags and policies

Risks Assessment Process Flow

1. Create Data Impact Assessment Conduct an evaluation to understand the potential effects and risks associated with the data product.

2. Assess Data Classification Determine the sensitivity and categorization of the data being used or processed.

3. Assess Data Security Evaluate the measures in place to protect data from unauthorized access, breaches, and other security threats.

4. Assess Data Policies Review existing policies related to data handling, storage, and usage to ensure compliance and adequacy.

5. Assess Geo Limitation Identify any geographical restrictions or regulations that may impact where and how the data can be stored or processed.

6. Assess PII Data Examine if personally identifiable information (PII) is involved and ensure proper handling according to privacy laws.

7. Update Data Contract Modify contractual agreements to reflect any changes or new requirements identified during the risk assessment process for example: sensitivity of an attribute

8. Update Business Terms Revise business terms to align with updated contracts and ensure all parties are aware of their responsibilities regarding data management.

Next Steps

Once the Risk Assessment Document is finalized, the following items must be incorporated into the Requirements Specification:

• Indicators and Controlling Measures
• Risk Mitigation Measures
• Items related to preparing for Consequences Handling

Afterward, the Requirements Specification is deemed complete. Solution Design elements like Design Documents should be changed accordingly if the design does not meet the new requirements originating from this phase.