Data risk is everywhere: 5 steps to manage it

February 11, 2025

Imagine trying to view the entire night sky by looking through a straw. It’s impossible. Yet for many business leaders, that’s how they view their organization’s data — in pieces and largely incomplete. These disparate, piecemeal views can prevent organizations from realizing data’s value and identifying underlying risks.

Many industry leaders already understand that data is foundational for an enterprise to function effectively, communicate, make strategic decisions and ultimately help drive revenue. The marketplace already expects companies to use data for those purposes — and to do so holistically, safely and wisely, with an articulated strategy. But it’s not often happening.

A chief data officer may be focused on data governance and quality.
A chief financial officer may focus on reliable data to inform planning and decision-making.
A chief risk officer may be concerned about data integrity and the accuracy of risk reporting.
A chief information security officer may be concerned about classifying, encrypting and preventing the loss of sensitive data.
A chief compliance officer may focus on data privacy and protection but also needs to think about how to marshal multiple departments together to help address various data management and compliance requirements.

What these corporate leaders may be missing: Their siloed views mean that their data is functionally at a dead end. When it’s not incorporated into one ecosystem, data can undermine the foundation for business operations, transformation and growth.

That could mean anything from endangering large-scale migration from legacy systems, hindering the adoption of artificial intelligence (AI) capabilities, inhibiting the ability to expand a product portfolio, or diminishing reporting, intelligence and innovation. If data cannot be protected and collected in a safe manner, a lack of focus on these risks can also affect regulators and consumer trust.

48%

of business executives say they're prioritizing data protection and data trust as their top cyber investment.

2025 Global Digital Trust Insights Survey

Full stop: Data is a business imperative

There are signs that some industry leaders are starting to realize what’s at stake. In PwC’s 2025 Global Digital Trust Insights Survey, 48% of the business executives responding told us they’re prioritizing data protection and data trust investments over the next year, ahead of technology modernization and enhancement.

But if leaders understand data’s criticality and risks, why are they still falling short? Why do organizations still view data risk as a technology issue handled by the IT department, rather than an enterprise-wide business problem? Data risk is likely becoming everyone’s concern, no matter where they sit in the C-suite.

Those business leaders need a holistic strategy to help them align on the risks. Traditional data governance alone, while still important, is no longer enough.

Managing data risks and gaining an enterprise-wide view of data can require an elevated and more encompassing approach. Moreover, a company that executes its data strategy well may be on the receiving end of greater trust from stakeholders in the marketplace — be they regulators, consumers, investors or other companies.

Yes, data risk can be a complex business problem, but solving it doesn’t have to be. It starts by understanding data risk in its many forms.

1. Know what data risk really is
2. Go for overall (not some) visibility into your risks
3. Rally your teams and help build up their skills
4. Start (and keep) asking the right questions
5. Stop treating data risk as an afterthought

1. Know what data risk really is

So, what exactly is data risk? At its core, data risk can be described as the exposure to financial or reputational harm caused by loss, limitations (e.g., inaccurate and poor data quality) and related issues to an organization’s ability to acquire, store, transform, move, protect and use its data assets.

While the concept of data risk is not new, the standards and expectations for mitigating risk to help maintain data quality and trust have only intensified in recent years due to many factors.

Stricter data compliance: There’s been a steady stream of global and state regulations — the Consumer Data Privacy Act, EU Data Act, California DELETE, Protecting Americans’ Data Act (PADFA) — that require businesses to prioritize data privacy or face potential legal consequences if they fail to comply.
Accelerated cloud transformation: 72% of “top performers” surveyed in PwC’s 2024 Cloud and AI Business Survey are prioritizing data modernization and migration to the cloud.
Integration of AI capabilities: In the same survey, 69% told us they’ve implemented cloud data modernization to power AI and help unlock insights for all areas of the business, from various data sources.

Treat data risk as a business risk — otherwise, it can snowball quickly out of an IT silo into general business operations with unintended impacts. Here are some of the types of data risks that may be affecting your business.

Risk type	Examples	Business impact
Data quality	• Data entry errors • Technical errors • Missing or misclassified data • Inaccurate or incomplete requirements • Poor system integration	Relying on poor data quality can lead to compliance issues, uninformed decision-making and financial loss
Data protection	• Improper handling of customer data • Data breaches from third-party vendors • Poor data encryption practices • Unsecured APIs or integration points	Opening the door to privacy and security vulnerabilities that could compromise customer data and lead to reputational damage, ultimately losing trust
Data loss	• Cyber attacks • Inadequate backup and disaster recovery plans • Less reliable storage and availability	Experiencing an outage or downtime without access to important data to stay up and running, adding to possible response costs and putting customer relations at risk
Data compliance	• Non-compliance with third party data privacy regulations • Failure to identify and classify important data for disclosure, reporting, audit and retention	Facing regulatory scrutiny on data use and sourcing along with possible fines and disciplinary actions
Data exposure	• Trade secrets or intellectual property theft • Insider threats and employee misconduct • Shadow IT and unsanctioned data usage	Losing a grip on access rights and controls and putting your competitive advantage at risk

No matter the type of data risk, you should have a cohesive strategy so you can be better prepared to inventory the data, assess the risks, apply governance and protection according to the risk levels, and establish appropriate ownership. Enhanced visibility can be the key.

2. Go for overall (not some) visibility into your risks

A data risk framework rooted in visibility can allow you to know and establish controls for your data, as well as unlock new doors to slice and dice that data for sharper insights and strategic benefits. Think of it as a digital paper trail that connects the data life cycle.

But visibility can fall apart if you only see certain pieces of the puzzle instead of the whole picture — back to the straw-in-the-sky problem. Historically, IT departments have managed the technical aspects of data, while compliance teams have focused on regulatory requirements. These and other functional areas can have their own objectives or even their own set of tools and controls. Moreover, data logs can be interpreted differently across environments.

This fragmented view could create redundancies, inefficiencies, increase risk exposure and derail transformation. Business leaders should get directly involved and not simply defer to IT and compliance to solve the problem.

3. Rally your teams and help build up their skills

As the saying goes in sports, you can either play to win or play not to lose. The same can be said for data risk. There’s a significant difference between keeping things from going wrong and making sure things go right.

An important element of data risk management is not only technology, tools and systems, or even the data itself. It’s also about reinventing how the right people integrate their skills in one place to manage data across the life cycle.

In that sense, privacy, data, security, risk and technology teams across the enterprise should collectively identify, document and measure risks — together, in unison. Moving as one unit, these teams should better understand their environments. With this centralized, holistic approach, your organization can clearly articulate a data risk strategy to stakeholders, regulators and consumers.

This means that you should invest in upskilling and training your teams to meet new data demands. For example, role-specific training for both technical teams (data engineers and analysts) and non-technical stakeholders (compliance officers and executives) can help build foundational knowledge for understanding and acting on insights. Upskilling employees should include providing certifications in data governance, security and privacy, as well as engaging external experts to assess and validate your systems.

4. Start (and keep) asking the right questions

Data risk should be everyone’s business. A candid assessment of your data across roles can reveal gaps and help you focus on your efforts. Consider challenging the executives in your C-suite by their specific roles.

CEO: Are different departments in our company keeping their data separate, preventing us from getting a complete picture to extract insights and make data-informed decisions? Are we prepared to manage privacy and exposure risk as we make our data more accessible?
CFO: Are we confident that the data we rely on for making financial decisions is both reliable and up to date? What are our methods or tools for measuring its quality?
CISO: Do we know where our data exists among on-premises and cloud environments and the exact sensitivities to determine appropriate security controls? Are controls established across our overall data modernization cycle?
COO: Can we track, organize and manage our data from the moment we collect it to when we no longer need it? How are we maintaining the quality of our new and legacy data to support transformation efforts?
CRO: What are the major risks associated with our data and where are we more vulnerable? Do we have risk and regulatory change management in place to handle new or evolving requirements?
CDO: Do we have well-defined policies for managing our data? Is our data complete and accurate enough for gaining business insights?

5. Stop treating data risk as an afterthought

Finally, companies embracing a data-first mindset should also change how they view data risk. Leadership should start treating it as a top-line business agenda. Addressing the risk inherent in enterprise data is just as critical as staying on top of data innovation and transformation.

For instance, while the promise of AI and emerging technologies adoption has amplified C-suite awareness of data’s value and has spurred greater investments in data, many departments, companies and even industries are just grappling with the risk side of that equation. Most fundamental data risk capabilities — discovery, cataloging, lineage — are essential for addressing traditional data deletion issues and upcoming challenges with unstructured data use. Organizations may need to double down on these efforts to increase their data and prepare for the future with new data uses.

Changing the view of data risk across the C-suite not only requires a new way of thinking but accountability across departments. Accountability should also stretch to third parties and other strategic relationships. Establishing data risk mitigation, policies and controls — ultimately, one of the leading practices for your organization — are important steps to balance protection with innovation.

More collective awareness, education, collaboration and ownership could help raise data risk to a top-of-mind business priority. This is no longer a back-office issue, but a front and center concern that, when addressed, can help your organization embrace the true value of data.

Contact us

Mir Kashifuddin

Data Risk & Privacy Leader, PwC US

Joshua Rattan

Data Risk & Privacy Partner, PwC US

Brian Fox

Data Risk & Privacy Partner, PwC US

Audit and Assurance services Consulting Tax services Newsroom Alumni US offices Contact us

© 2017 - 2025 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.