On February 21, 2024, Change Healthcare detected a ransomware attack that exposed 192.7 million Americans’ records, the largest healthcare breach ever reported to the HHS Office for Civil Rights.
Attackers entered through a Citrix portal that was missing multi-factor authentication. UnitedHealth Group has booked $2.88 billion in direct response costs through Q2 2025.
The Data Governance Risk Assessment that should have caught this trajectory (an asset inventory that flagged the unauthenticated portal, a vendor-acquisition data due-diligence step, and an MFA control test on every remote-access path) was either out of scope or out of date. The case rewrote what every 2026 Data Governance Risk Assessment in the US has to cover.
| Key Takeaways |
| --- |
| A modern Data Governance Risk Assessment in the US covers six categories: privacy and confidentiality, security and cyber, regulatory and compliance, data quality and integrity, operational and vendor, and strategic / AI / model risk. Treat them as one register, not six. |
| The US average data breach cost reached $10.22 million in 2025, an all-time high per IBM’s Cost of a Data Breach Report. The Change Healthcare ransomware attack alone exposed 192.7 million records and cost UnitedHealth Group $2.88 billion through Q2 2025. |
| Sixty-three percent of breached organizations either have no AI governance policy or are still drafting one. Twenty percent suffered a shadow-AI breach in 2025, adding roughly $670,000 per incident. Any 2026 Data Governance Risk Assessment that does not score AI access controls is incomplete. |
| Anchor the program to four standards: NIST Privacy Framework 1.1, NIST AI Risk Management Framework 1.0, ISO/IEC 27001:2022, and the EDM Council DCAM v3.1 capability model. DCAM v3.1 added Business Data Knowledge and an expanded Data Control Environment. |
| HIPAA Security Rule risk analysis remains the single most cited HHS Office for Civil Rights enforcement finding, named in more than three-quarters of 2025 settlements. A documented, tested, dated risk analysis is the single highest-leverage control for any covered entity. |
| State privacy enforcement crossed roughly $1.4 billion in 2025 across SEC, FTC, HHS, state AG, and class-action settlements. The Texas AG’s $1.375 billion Google settlement and California’s CPPA enforcement actions reset the baseline for board-level data risk reporting. |
| Score every data domain on five DCAM maturity levels (Not Initiated, Conceptual, Developmental, Defined, Achieved). Set the program target at Defined or higher within 24 months and report movement quarterly to the audit and risk committee. |
The IBM Cost of a Data Breach Report 2025 put the US average breach cost at $10.22 million, an all-time high. Twenty percent of organizations suffered a shadow-AI breach. Sixty-three percent of breached organizations had no AI governance policy.
Texas extracted a $1.375 billion settlement from Google over biometric and location data. The California CPPA finalized its Automated Decisionmaking Technology rule in October 2025.
A modern Data Governance Risk Assessment is no longer a checkbox spreadsheet. It is a continuous, six-category program that scores AI risk inside the data inventory, treats vendor concentration the way it treats adversaries, and feeds the audit committee on the same cycle as financial reporting.
We walk the lifecycle end to end, with the standards, statistics, and decisions a US risk owner needs.

Figure 1. Six risk categories a 2026 Data Governance Risk Assessment must cover, weighted by US loss frequency.
What a Data Governance Risk Assessment Actually Is
A Data Governance Risk Assessment is the structured, repeatable process a US organization uses to identify, measure, prioritize, and treat the risks that threaten the confidentiality, integrity, availability, quality, and lawful use of its data across the lifecycle. It links the enterprise risk management framework to the data domains that actually move the loss-event distribution.
Three properties separate a working Data Governance Risk Assessment from a checklist exercise.
It runs continuously rather than annually, it produces leading indicators that move before incidents do, and it feeds the enterprise's integrated risk management approach rather than living in a data-team silo. SEC, OCC, FRB, HHS OCR, and FTC enforcement is now aligned with these three properties.
Scope spans on-premises systems, cloud and SaaS, identity stores, data warehouses and lakes, AI models and the data that feeds them, business associates and vendors, and the dependent services those vendors run.
The CrowdStrike outage of July 2024 pulled vendor-induced availability failures into the same scope as adversaries and human error. A Data Governance Risk Assessment that ignores either category is incomplete.
How a Data Governance Risk Assessment Differs From an Audit
| Attribute | One-off data audit | Data Governance Risk Assessment |
| --- | --- | --- |
| Direction | Snapshot at one date | Continuous program tied to risk appetite and board reporting |
| Frequency | Annual or triggered | Real-time monitoring with quarterly recalibration |
| Scope | Controls against a checklist | Six categories: privacy, security, regulatory, quality, operational, strategic / AI |
| Trigger | Compliance calendar | Risk appetite breach, incident, vendor change, AI deployment, regulator inquiry, M&A |
| Owner | Internal audit or external assessor | Chief data officer or CRO with named domain stewards |
| Reference | SOC 2 control matrix or HIPAA SRA tool only | NIST Privacy Framework 1.1, NIST AI RMF, ISO 27001:2022, DCAM v3.1, ISO 31000:2018 |
The Six Categories Inside a Data Governance Risk Assessment
The first move in any Data Governance Risk Assessment is to fix the taxonomy. We use six categories. They map cleanly to NIST Privacy Framework profiles, NIST AI RMF functions, ISO/IEC 27005 risk treatment, and the GRC tooling most US programs already run. Six is the right number: fewer hides AI risk inside cyber, more invites overlap and double counting.
Privacy and Confidentiality Risk in the Data Governance Risk Assessment
Unauthorized collection, use, retention, sharing, or disclosure of personal information sits in the privacy line. The reference standards are the NIST Privacy Framework 1.1, HIPAA Privacy Rule, the FTC Act Section 5, the Gramm-Leach-Bliley Act, and the active US state broad-scope privacy laws.
Twenty US states had broad-scope privacy laws in force or signed by year-end 2025, up from five in 2022.
Disney paid the FTC $10 million in 2025 to settle allegations it enabled the unlawful collection of children’s personal data on YouTube.
The Texas Attorney General extracted a $1.375 billion settlement from Google over biometric and location data in mid-2025, the largest single-state privacy settlement on record. Privacy now drives more headline US enforcement than any other Data Governance Risk Assessment category.
Security and Cyber Risk in the Data Governance Risk Assessment
The security line guards the confidentiality, integrity, and availability of data assets across people, process, and technology.
It draws control language from NIST SP 800-53 Revision 5 and ISO/IEC 27001:2022 and uses ISO/IEC 27005:2022 for the risk-management process. The Change Healthcare attackers found one Citrix portal without MFA; the rest of the lifecycle did not catch the gap in time.
Multi-factor authentication on remote and privileged access is the single most effective security control inside a Data Governance Risk Assessment.
The CISA Cybersecurity Performance Goals treat MFA as a baseline, not an option. Programs that cannot prove MFA coverage on every internet-facing data path are running uncontrolled risk.
Regulatory and Compliance Risk in the Data Governance Risk Assessment
Anything that falls short of a binding rule scores on the regulatory line. For US data the rule set is dense: HIPAA, GLBA, SOX, FCRA, COPPA, the SEC cyber disclosure rule, FFIEC IT Handbook expectations, the FTC Health Breach Notification Rule, state privacy statutes, and sector rules from OCC, FRB, FDIC, and CFPB.
The FTC’s Health Breach Notification Rule expanded in 2024 to cover most consumer health apps.
HIPAA Security Rule risk analysis is the single most cited finding in HHS OCR enforcement. More than three-quarters of 2025 OCR settlements named the absence of a current, thorough risk analysis as a violation.
A documented, tested, dated risk analysis is the lowest-cost way to keep a covered entity off the OCR enforcement page.
Data Quality and Integrity Risk in the Data Governance Risk Assessment
Errors, inconsistencies, duplication, drift, and unauthorized modification across the data lifecycle define the quality line.
The control language comes from DCAM v3.1’s Data Quality Management component, ISO 8000, and DAMA-DMBOK. In banking the BCBS 239 risk-data aggregation principles set the supervisory bar; the Federal Reserve’s BCBS 239 supervisory letter still drives global systemically important bank programs.
Quality is also where AI risk lands inside the Data Governance Risk Assessment. Garbage training data produces garbage models.
A data integrity risk assessment should be the gating step before any AI model enters production. Without it the audit trail breaks and SR 11-7 model risk management governance has nothing to grade.
Operational and Vendor Risk in the Data Governance Risk Assessment
Day-to-day execution of the data program lands on the operational line: process failures, human error, key-person risk, change management, and vendor or supply-chain disruption.
The third-party breach share doubled to 30% of US incidents in 2025 with supply-chain breaches running $4.91 million on average. CrowdStrike, MOVEit, Okta, and Snowflake all moved third-party risk to the top of board agendas.
Operational scoring inside the Data Governance Risk Assessment should reward concentration analysis, not just count vendors.
One unmonitored shared SaaS tenant, or one critical security agent installed on every endpoint, is a single point of failure. Managing third-party risk begins with a population view, not an inventory list.
Strategic, AI, and Model Risk in the Data Governance Risk Assessment
The strategic line picks up the long-term decisions that define the data estate: cloud and platform choices, AI deployment scope, M&A integration, monetization, and the risk appetite for new data products.
AI risk is now the fastest-growing sub-category. NIST released the AI Risk Management Framework 1.0 on January 26, 2023, followed by the Generative AI Profile in 2024.
Strategic scoring belongs in the Data Governance Risk Assessment because the answers shape every other category.
A bank that decides to deploy a large language model on customer data has just inherited model risk under SR 11-7 Guidance on Model Risk Management.
A retailer that decides to store full payment card data has just rewritten its PCI-DSS scope. Strategy decides what the rest of the program has to govern.

Figure 2. The US-versus-global breach cost gap that drives a 2026 Data Governance Risk Assessment.
Standards Stack Anchoring a Data Governance Risk Assessment
A Data Governance Risk Assessment that cites no standards is just an opinion. Four references do most of the heavy lifting in 2026: NIST Privacy Framework 1.1, NIST AI Risk Management Framework 1.0, ISO/IEC 27001:2022 with ISO/IEC 27005:2022, and the EDM Council DCAM v3.1 capability model. Most US programs add NIST CSF 2.0, ISO 31000:2018, and BCBS 239 in financial services.
NIST Privacy Framework Inside the Data Governance Risk Assessment
The NIST Privacy Framework 1.1 gives the five-function structure (Identify-P, Govern-P, Control-P, Communicate-P, Protect-P) and a profile-based assessment method that translates directly into a Data Governance Risk Assessment scoring sheet. Version 1.1 was published in 2025 with deeper alignment to NIST CSF 2.0 and the AI RMF.
NIST AI Risk Management Framework Inside the Data Governance Risk Assessment
The AI RMF 1.0 structures AI risk around four functions: Govern, Map, Measure, and Manage. Plug those four into the Data Governance Risk Assessment exactly the way NIST CSF functions plug into the cybersecurity program.
The Generative AI Profile and the Secure Software Development practices for GenAI extend the model into LLM and agent deployments.
ISO/IEC 27001:2022 and 27005:2022 Inside the Data Governance Risk Assessment
ISO/IEC 27001:2022 supplies the management-system shape and the Annex A control set. ISO/IEC 27005:2022 supplies the risk-management process.
Together they give the Data Governance Risk Assessment the same Plan-Do-Check-Act discipline ISO 22301 brings to business continuity. US firms that already hold ISO/IEC 27001 certification have most of the scaffolding in place.
EDM Council DCAM v3.1 Inside the Data Governance Risk Assessment
DCAM v3.1 is the capability model US data programs use to score themselves. The EDM Council released DCAM v3.1 in 2024, elevating Business Data Knowledge to a top-level component, integrating Data Architecture and Technology Architecture, and expanding the Data Control Environment for risk, security, and audit. DCAM is now used by roughly 41.7% of US data programs, second only to DAMA-DMBOK.

Figure 3. DCAM v3.1 maturity scoring shows the eight components a US Data Governance Risk Assessment should track.
How to Run a Data Governance Risk Assessment, Step by Step
The Data Governance Risk Assessment runs as a seven-step cycle that mirrors ISO/IEC 27005 and NIST SP 800-30 Rev 1. Each step has an artifact, a named owner, and a defined input to the next step.
We treat the cycle as continuous; the steps below describe one full pass through a single data domain or AI system.
Step 1 of the Data Governance Risk Assessment: Establish Context
Set scope, risk appetite, regulatory perimeter, stakeholder list, and the data domains in scope. The first step in the risk management process is always context-setting.
For a Data Governance Risk Assessment, the context document names the chief data officer, the audit committee chair, the data domains, and the regulatory perimeter (HIPAA, GLBA, state laws, sectoral rules).
Step 2 of the Data Governance Risk Assessment: Inventory Assets and Data Flows
Catalog data domains, processing activities, AI systems, vendors with data access, and the source-to-target flows that move regulated data. The data inventory is the single most undervalued artifact in the Data Governance Risk Assessment. Without it, no later step is reliable.
AI systems and the training data they consume must be inside the inventory; 97% of organizations breached through AI systems lacked AI access controls in 2025.
Step 3 of the Data Governance Risk Assessment: Identify Risks
For every domain, walk the six categories and produce a candidate risk list. Use threat catalogs for the security category (MITRE ATT&CK, NIST 800-30 Appendix E), regulatory crosswalks for the compliance category, and DCAM v3.1 capability gaps for the data quality and operational categories.
Common approaches and tools for risk identification include bowtie analysis, Delphi panels, and the structured what-if technique (SWIFT).
Step 4 of the Data Governance Risk Assessment: Analyze Likelihood and Impact
Score each risk on likelihood and impact using a calibrated scale (typically 5×5). For US programs, anchor financial impact bands to the IBM Cost of a Data Breach Report figures: $10.22 million US average, $5.08 million ransomware, $7.42 million phishing per incident. Use qualitative and quantitative risk assessment together; FAIR is the dominant quantitative model in US enterprise data programs.
Step 5 of the Data Governance Risk Assessment: Evaluate Against Risk Appetite
Compare each scored risk to the documented appetite. Anything red goes to a treatment plan. Anything amber requires control evidence. Anything green is monitored.
The risk appetite statements most US boards now adopt include explicit AI and data appetite lines, not just operational risk lines. Write them so a reasonable risk owner can act without escalation.
Step 6 of the Data Governance Risk Assessment: Treat Risks
Apply the four-option treatment menu: avoid, transfer, reduce, or accept. The Data Governance Risk Assessment treatment plan should reference NIST Privacy Framework subcategories or ISO/IEC 27001 Annex A controls so the audit trail is portable.
The mitigation decision sequence is the same for every option: each treated risk should have a residual score, an owner, and a closure date.
Step 7 of the Data Governance Risk Assessment: Monitor, Report, and Recalibrate
Set key risk indicators for every red risk and every Tier 1 control. Report quarterly to the audit and risk committee. Recalibrate after every material incident, vendor change, or AI deployment. The key risk indicators dashboard is the artifact the board sees; build it for them, not for the data team.
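As an added worked example (not code from this article or from Risk Publishing), the Python below carries steps 4 through 6 above for three constructed risks: 5×5 likelihood-and-impact scoring with impact bands anchored to the IBM per-incident figures quoted in step 4, red/amber/green evaluation against an appetite line, and a treatment record that carries a residual score, owner, closure date and control references into the register report. The band edges, the appetite values, the sample risks and the ISO/IEC 27001 Annex A identifiers cited as controls are illustrative assumptions, not values from the article.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# Impact bands in USD, ceiling-exclusive. Band edges are constructed for this
# example; they are anchored to the IBM 2025 per-incident figures the article
# quotes ($5.08M ransomware, $10.22M US average), but the report defines no bands.
IMPACT_BANDS = [(500_000, 1), (2_500_000, 2), (5_080_000, 3), (10_220_000, 4)]
# Annualized likelihood bands, ceiling-exclusive; 0.8 and above scores 5.
LIKELIHOOD_BANDS = [(0.05, 1), (0.20, 2), (0.50, 3), (0.80, 4)]
# Appetite lines on the 1..25 product scale (constructed example values).
APPETITE = {"red": 15, "amber": 8}
TREATMENTS = ("avoid", "transfer", "reduce", "accept")


class RAG(Enum):
    GREEN = "green"   # monitored
    AMBER = "amber"   # control evidence required
    RED = "red"       # treatment plan required


def _band(value: float, bands) -> int:
    for ceiling, score in bands:
        if value < ceiling:
            return score
    return 5


def impact_score(loss_usd: float) -> int:
    if loss_usd < 0:
        raise ValueError("loss must be non-negative")
    return _band(loss_usd, IMPACT_BANDS)


def likelihood_score(annual_probability: float) -> int:
    if not 0.0 <= annual_probability <= 1.0:
        raise ValueError("annual probability must be in [0, 1]")
    return _band(annual_probability, LIKELIHOOD_BANDS)


def rag(score: int, appetite=APPETITE) -> RAG:
    if score >= appetite["red"]:
        return RAG.RED
    if score >= appetite["amber"]:
        return RAG.AMBER
    return RAG.GREEN


@dataclass
class Risk:
    risk_id: str
    domain: str
    category: str                  # one of the six register categories
    annual_probability: float      # step 4 likelihood input
    loss_usd: float                # step 4 impact input
    owner: str
    treatment: Optional[str] = None
    residual_probability: Optional[float] = None
    residual_loss_usd: Optional[float] = None
    closure_date: Optional[str] = None
    controls: list = field(default_factory=list)   # e.g. ISO 27001 Annex A ids

    def inherent_score(self) -> int:
        return likelihood_score(self.annual_probability) * impact_score(self.loss_usd)

    def residual_score(self) -> int:
        # Untreated or accepted risks carry the inherent score forward unchanged.
        if self.treatment in (None, "accept"):
            return self.inherent_score()
        return likelihood_score(self.residual_probability) * impact_score(self.residual_loss_usd)


def treat(risk: Risk, option: str, controls, closure_date: str,
          residual_probability: Optional[float] = None,
          residual_loss_usd: Optional[float] = None) -> Risk:
    """Step 6: record the option, the controls cited, and the residual estimate."""
    if option not in TREATMENTS:
        raise ValueError(f"unknown treatment {option!r}")
    if option != "accept" and (residual_probability is None or residual_loss_usd is None):
        raise ValueError("avoid/transfer/reduce need a residual likelihood and loss estimate")
    risk.treatment, risk.controls, risk.closure_date = option, list(controls), closure_date
    risk.residual_probability, risk.residual_loss_usd = residual_probability, residual_loss_usd
    return risk


def register_report(risks, appetite=APPETITE):
    """Step 5 output: one row per risk, highest residual first, with its RAG band."""
    rows = [{
        "risk_id": r.risk_id, "category": r.category, "owner": r.owner,
        "inherent": r.inherent_score(), "residual": r.residual_score(),
        "rag": rag(r.residual_score(), appetite).value,
        "treatment": r.treatment, "controls": r.controls,
    } for r in risks]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


def demo_register():
    # Constructed sample risks; probabilities and losses are illustrative, not measured.
    remote_access = Risk("SEC-001", "claims-processing", "security", 0.60, 12_000_000, "CISO")
    treat(remote_access, "reduce", ["A.5.17", "A.8.5"], "2026-06-30",
          residual_probability=0.10, residual_loss_usd=6_000_000)
    shadow_ai = Risk("AI-002", "customer-support", "strategic-ai", 0.30, 3_000_000, "CDO")
    treat(shadow_ai, "accept", [], "2026-03-31")
    quality = Risk("DQ-003", "finance-reporting", "quality", 0.02, 300_000, "Finance steward")
    return register_report([remote_access, shadow_ai, quality])
```

In the constructed register the remote-access risk scores 20 inherent (red) and drops to 8 residual (amber) after the MFA-style reduction, so the board row shows movement rather than a single point score; the accepted shadow-AI risk keeps its inherent 9, which is the point of making "accept" an explicit, owned decision.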
AI Risk Inside the Data Governance Risk Assessment
AI is the fastest-growing line in the Data Governance Risk Assessment. The IBM Cost of a Data Breach Report 2025 found 13% of organizations reported AI model or application breaches, 97% of which lacked AI access controls.
Twenty percent suffered a shadow-AI breach. Sixty-three percent had no AI governance policy. The numbers force the AI line to the top of the 2026 register.
Shadow AI as the New Frontier of Data Governance Risk Assessment
Shadow AI is unsanctioned use of generative-AI tools by employees. It moves regulated data outside the controlled environment without an audit trail.
Shadow-AI breaches added roughly $670,000 per incident in 2025 and exposed 65% more personal data and 40% more intellectual property than non-shadow-AI breaches. The Data Governance Risk Assessment must score shadow-AI exposure as its own line.
AI Access Controls Inside the Data Governance Risk Assessment
AI access controls follow the same NIST AI RMF Govern and Manage logic as identity controls in the cyber program. Map every AI system to a data domain.
Score the access path: model API authentication, training-data segmentation, output-monitoring, prompt-injection defenses, and human-in-the-loop gating. The CISA cross-sector Cybersecurity Performance Goals now reference AI controls as part of identity and access baselines.

Figure 4. The AI governance gap that every 2026 Data Governance Risk Assessment must close.
Key Risk Indicators for a Data Governance Risk Assessment
KRIs are the leading indicators that move before an incident. A 2026 Data Governance Risk Assessment should track at least one KRI per category, refresh weekly or monthly, and report quarterly to the audit committee.
The KRI table below is the floor, not the ceiling. How to develop key risk indicators sets out the construction logic; the threshold values come from the program’s own loss history and the IBM benchmark.
Sample KRI Table for a Data Governance Risk Assessment
| Category | KRI | Frequency | Amber threshold (US benchmark) |
| --- | --- | --- | --- |
| Privacy & confidentiality | DSAR backlog (days median) | Monthly | > 30 days |
| Privacy & confidentiality | Records of processing without legal basis (count) | Monthly | > 0 for personal data |
| Security & cyber | MFA coverage on remote access (%) | Weekly | < 100% |
| Security & cyber | Mean time to contain a data breach (days) | Quarterly | > 73 (US median) |
| Regulatory & compliance | Days since last HIPAA risk analysis update | Monthly | > 365 |
| Data quality & integrity | Critical-data-element exception rate (%) | Monthly | > 5% |
| Operational & vendor | Top-10 vendor concentration (% spend) | Quarterly | > 60% |
| Operational & vendor | Vendor SOC 2 report aging (months) | Quarterly | > 15 |
| Strategic & AI | AI systems without GOV-MAP-MEASURE-MANAGE evidence (count) | Quarterly | > 0 |
| Strategic & AI | Shadow-AI tools detected on endpoints (count) | Monthly | > 0 for unsanctioned |
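The table above is data a program has to act on every cycle. As an added example (not code from this article or from Risk Publishing), the Python below transcribes a subset of those rows, parses the amber thresholds exactly as written (operator, number, trailing qualifier such as "days", "%" or "(US median)"), evaluates one cycle of constructed readings against them, and reports movement against the prior cycle rather than the absolute level. The readings and the prior-cycle values are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches thresholds as written in the KRI table: an operator, a number, and an
# optional qualifier such as "days", "%", "(US median)" or "for personal data".
THRESHOLD_RE = re.compile(r"^\s*(>=|<=|>|<)\s*([0-9]+(?:\.[0-9]+)?)\s*(.*)$")

COMPARE = {
    ">": lambda value, limit: value > limit,
    ">=": lambda value, limit: value >= limit,
    "<": lambda value, limit: value < limit,
    "<=": lambda value, limit: value <= limit,
}


@dataclass(frozen=True)
class KRI:
    category: str
    name: str
    frequency: str
    amber_threshold: str   # verbatim from the table, e.g. "> 30 days" or "< 100%"


def parse_threshold(text: str):
    """Return (operator, limit, qualifier) for a threshold string from the table."""
    m = THRESHOLD_RE.match(text)
    if not m:
        raise ValueError(f"unparseable threshold: {text!r}")
    return m.group(1), float(m.group(2)), m.group(3).strip()


def is_amber(kri: KRI, value: float) -> bool:
    op, limit, _ = parse_threshold(kri.amber_threshold)
    return COMPARE[op](value, limit)


def direction(kri: KRI, current: float, previous: Optional[float]) -> str:
    """'worsening' means moving toward, or further past, the amber line."""
    if previous is None or current == previous:
        return "flat"
    op, _, _ = parse_threshold(kri.amber_threshold)
    bad_is_higher = op.startswith(">")   # for "<" thresholds, lower is worse
    rising = current > previous
    return "worsening" if rising == bad_is_higher else "improving"


def evaluate(kris, readings, previous=None):
    """Board view: status and movement per KRI, amber rows first, missing data flagged."""
    previous = previous or {}
    rows = []
    for kri in kris:
        if kri.name not in readings:
            rows.append({"kri": kri.name, "category": kri.category, "value": None,
                         "status": "missing", "movement": "flat",
                         "threshold": kri.amber_threshold})
            continue
        value = readings[kri.name]
        rows.append({"kri": kri.name, "category": kri.category, "value": value,
                     "status": "amber" if is_amber(kri, value) else "green",
                     "movement": direction(kri, value, previous.get(kri.name)),
                     "threshold": kri.amber_threshold})
    order = {"amber": 0, "missing": 1, "green": 2}
    return sorted(rows, key=lambda r: order[r["status"]])


# Subset of the article's KRI table, transcribed as data.
SAMPLE_KRIS = [
    KRI("Privacy & confidentiality", "DSAR backlog (days median)", "Monthly", "> 30 days"),
    KRI("Security & cyber", "MFA coverage on remote access (%)", "Weekly", "< 100%"),
    KRI("Security & cyber", "Mean time to contain a data breach (days)", "Quarterly", "> 73 (US median)"),
    KRI("Regulatory & compliance", "Days since last HIPAA risk analysis update", "Monthly", "> 365"),
    KRI("Operational & vendor", "Vendor SOC 2 report aging (months)", "Quarterly", "> 15"),
    KRI("Strategic & AI", "Shadow-AI tools detected on endpoints (count)", "Monthly", "> 0 for unsanctioned"),
]

# Constructed readings for the current cycle and the prior cycle (not real data).
THIS_CYCLE = {
    "DSAR backlog (days median)": 22,
    "MFA coverage on remote access (%)": 97,
    "Mean time to contain a data breach (days)": 80,
    "Days since last HIPAA risk analysis update": 120,
    "Vendor SOC 2 report aging (months)": 18,
    "Shadow-AI tools detected on endpoints (count)": 0,
}
LAST_CYCLE = {
    "DSAR backlog (days median)": 27,
    "MFA coverage on remote access (%)": 99,
    "Vendor SOC 2 report aging (months)": 12,
}


def demo_dashboard():
    return evaluate(SAMPLE_KRIS, THIS_CYCLE, LAST_CYCLE)
```

With these readings three KRIs breach amber (MFA coverage, time to contain, vendor SOC 2 aging), and two of them are also worsening against the prior cycle, which is the row a board should see first. Keeping the thresholds as strings copied from the table, rather than hand-coding comparisons, means the amber line changes in one place when the program recalibrates it from its own loss history.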
US Enforcement Landscape Driving the Data Governance Risk Assessment
Federal and state enforcement now drives the timeline of the Data Governance Risk Assessment. Roughly $1.4 billion in 2025 settlements crossed federal, state, and class-action lines; the line is accelerating into 2026.
Five regulators set the cadence: HHS OCR, FTC, SEC, state attorneys general, and the new California Privacy Protection Agency.
HHS OCR HIPAA Enforcement Inside the Data Governance Risk Assessment
HHS OCR opened a record number of HIPAA enforcement actions in 2025, with risk-analysis failures cited in more than 75% of settlements. OCR’s 2025 enforcement focus emphasized ransomware response, audit log review, and timely breach notification.
Any covered entity Data Governance Risk Assessment must produce a current, dated, evidenced HIPAA Security Rule risk analysis on demand.
FTC Enforcement Inside the Data Governance Risk Assessment
FTC enforcement in 2025 hit children’s privacy, education technology, and connected health apps.
The Disney $10 million children’s privacy settlement and the Illuminate Education action both required full data security programs and unnecessary-data deletion. The FTC Health Breach Notification Rule extended to most consumer health apps in 2024.
SEC Cyber Disclosure Inside the Data Governance Risk Assessment
The SEC’s Form 8-K Item 1.05 cybersecurity disclosure rule requires public companies to file within four business days of materiality determination.
The Data Governance Risk Assessment has to produce a documented materiality decision pathway, a single-source incident chronology, and a board-level disclosure committee. The SEC’s October 2024 enforcement actions against four companies reset disclosure expectations.
State Privacy Enforcement Inside the Data Governance Risk Assessment
Twenty US states had broad-scope privacy laws in force or signed by year-end 2025. The Texas $1.375 billion Google settlement, the California CPPA finalization of the ADMT rule in October 2025, and active enforcement from Connecticut, Colorado, Oregon, and Washington moved state enforcement to the front line. Year in review: top US privacy developments 2025 is the standing reference.
Where Data Governance Risk Assessment Programs Stall (And the Fixes That Work)
Most US Data Governance Risk Assessment programs do not fail on framework choice. They fail on execution: stale inventories, unscored AI systems, vendor risk treated as questionnaire output, and KRIs that no one reads.
The pitfalls table below captures the patterns we see across US client engagements and what to do about each.
| Pitfall | Root cause | Remedy |
| --- | --- | --- |
| Inventory is out of date the day it is published | Manual collection and no continuous discovery | Wire data discovery tooling into the change-management process; recertify quarterly with named owners |
| AI systems sit outside the data inventory | AI launched by business teams without data-program review | Add AI-system gating to the procurement workflow; require GOV-MAP-MEASURE-MANAGE evidence before go-live |
| HIPAA risk analysis older than one year | Treated as a project artifact rather than a control | Make refresh annual with named owner; tie completion to the SOC 2 / HITRUST audit calendar |
| Vendor risk reduced to a SOC 2 receipt check | Procurement owns it without risk participation | Layer concentration analysis, SBOM review, and breach-history check on every Tier 1 vendor |
| KRIs no one reads | Built for the data team, not the board | Strip to 8-12 indicators with amber thresholds tied to dollar impact; show movement, not absolute level |
| Risk appetite written without numbers | Drafted in workshop without loss data | Anchor each line to IBM benchmarks or internal loss history; review annually with the audit committee |
| Privacy and security run as separate registers | Historical org chart split | Merge to one Data Governance Risk Assessment register with shared scoring scale and joint quarterly report |
| Shadow-AI invisible to the program | No endpoint detection for AI tool use | Deploy network and endpoint detection for sanctioned and unsanctioned AI; publish the allowed-tool list quarterly |
Where Data Governance Risk Assessment Is Heading: 2026 to 2028
Three shifts will rewrite the Data Governance Risk Assessment playbook over the next 24 months. Each is already visible in 2025 enforcement actions, in IBM, Gartner, and EDM Council research, and in the way US boards now demand the artifact. We expect each to land hard in 2026 and accelerate through 2027.
Shift One: AI Governance Becomes a First-Class Line in the Data Governance Risk Assessment
AI risk is no longer a sub-clause of cyber. The California ADMT regulations took effect in 2026, the FTC AI rulemaking is active, and ISO/IEC 42001:2023 is the international management-system standard for AI.
By 2027 expect every Tier 1 US Data Governance Risk Assessment to score AI on its own dedicated worksheet, with named owners and quarterly board reporting.
Shift Two: Vendor Concentration Inside the Data Governance Risk Assessment
CrowdStrike, MOVEit, Snowflake, and Change Healthcare moved vendor concentration to the top of the operational category. Federal banking supervisors issued the Interagency Guidance on Third-Party Relationships in 2023 and have been enforcing it through 2025.
By 2027 vendor concentration will be a board-level KRI inside every regulated US Data Governance Risk Assessment.
Shift Three: Continuous Assurance Replaces Annual Cycles in the Data Governance Risk Assessment
Annual point-in-time assessments cannot keep pace with cloud, SaaS, and AI deployment velocity. Continuous control monitoring tools, AI-driven anomaly detection, and real-time KRI feeds are moving Data Governance Risk Assessment from a quarterly artifact to a live dashboard. By 2028 the audit and risk committee will see the same view the chief data officer sees, with the same refresh cadence.
Frequently Asked Questions About Data Governance Risk Assessment
How does a Data Governance Risk Assessment fit inside enterprise risk management?
A Data Governance Risk Assessment is the data-domain slice of the enterprise risk management framework. It uses the same scoring scale, the same risk appetite, the same audit-committee reporting cadence, and the same residual risk register.
Build it as a feeder into ERM, not a parallel program. The role of an enterprise risk management system is to receive the data feed and aggregate it with operational, financial, and strategic risk.
What are the most common challenges in conducting a Data Governance Risk Assessment?
Five recur across US engagements: a stale data inventory, AI systems outside scope, vendor risk reduced to a questionnaire, KRIs no one reads, and a risk appetite written without numbers.
The fix in every case is the same: name an owner, set a refresh cadence, anchor scores to dollar impact, and report movement quarterly to the audit committee.
How does data privacy and compliance fit a Data Governance Risk Assessment?
Privacy and compliance are two of the six categories. Privacy covers personal-information handling under HIPAA, GLBA, COPPA, FTC Act, and state laws. Compliance covers binding rules across regulators including HHS OCR, FTC, SEC, FFIEC, OCC, FRB, FDIC, and CFPB.
Both share controls (access management, retention, breach response) so they map cleanly onto the NIST Privacy Framework profile inside the Data Governance Risk Assessment.
How can organizations ensure data accuracy and integrity during a Data Governance Risk Assessment?
Anchor the data quality category to DCAM v3.1’s Data Quality Management component and ISO 8000. Define critical data elements, set quality rules and thresholds, and publish exception rates monthly.
Run a data integrity risk assessment before any AI model goes live. Tie completion to the SOC 2 or HITRUST audit calendar so the artifact stays current.
Are there industry-specific best practices for a Data Governance Risk Assessment?
Yes. Banks anchor to BCBS 239, FFIEC IT Handbook, OCC Heightened Standards, and SR 11-7 model risk management. Healthcare anchors to HIPAA Security Rule, HITRUST CSF, and FDA cybersecurity guidance. Insurers anchor to NAIC Insurance Data Security Model Law.
Federal contractors anchor to NIST SP 800-171 and CMMC 2.0. Each layer adds sector-specific controls on top of the standards stack the Data Governance Risk Assessment already uses.
How often should a Data Governance Risk Assessment be conducted?
Treat it as continuous. Refresh the data inventory quarterly, refresh KRIs weekly or monthly, refresh the full risk register annually, and trigger an out-of-cycle refresh after any material incident, M&A event, regulatory change, or new AI deployment.
The HIPAA Security Rule requires risk analysis to be reviewed and updated as needed. How often should risk assessments be conducted gives the full cadence menu.
Who owns a Data Governance Risk Assessment?
The chief data officer or chief privacy officer typically owns the artifact. The chief risk officer signs off on the methodology and the appetite. The CISO owns the security and cyber category. Business unit data stewards own their data domains.
The audit and risk committee receives the quarterly report. Single-throat-to-choke ownership at the executive level is the structural pattern that separates working programs from stalled ones.
What is the difference between a Data Governance Risk Assessment and a HIPAA Security Risk Analysis?
The HIPAA Security Risk Analysis is a regulatory subset of the Data Governance Risk Assessment, scoped to electronic protected health information and the HIPAA Security Rule control set.
The Data Governance Risk Assessment covers the full data estate across the six categories. A covered entity can use the same methodology and risk register for both, with the SRA filtered to ePHI scope for HHS OCR audit purposes.
Where to Start Your Data Governance Risk Assessment
If your last Data Governance Risk Assessment is older than nine months, missing AI scope, or built without a current data inventory, that is the place to start.
Pick the highest-loss-potential domain, run the seven-step cycle on it, prove the artifact moves the audit committee conversation, then scale across the other domains.
riskpublishing.com publishes practitioner playbooks, templates, and worked examples for US risk owners. See how to conduct a risk assessment, operational risk management, and the ERM framework library. For advisory work on a specific Data Governance Risk Assessment program, contact us or read more about the practice.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.