22 Jun 2026

IM BLOG: The Discipline We Lost: Why Data Risk Management Can No Longer Be an Afterthought

Remember when mobile phones forced us to delete old messages because storage was limited? Today, data is rarely removed; it's duplicated, migrated and retained indefinitely. As organisations face growing regulatory, privacy and AI-related risks, the challenge is no longer collecting information but managing it effectively. This article explores why data risk is becoming a critical organisational issue and why strong information management has never been more important.

Do you remember the mobile phones of the early 2000s?

Not for the nostalgia - but for the constraint. Limited storage. A full inbox. The moment you had to stop, review your messages and decide what genuinely needed to be kept.

That forced discipline shaped behaviour. Space was finite. Choices mattered. Consequences were immediate.

Fast-forward to today and that discipline has quietly faded. Storage is cheap. Systems are plentiful. Data flows continuously between platforms, teams and third parties. Information is rarely deleted - instead, it is duplicated, migrated and quietly accumulated.

Until something goes wrong.

When deferred decisions surface as risk

For many years, organisations operated with little immediate penalty for poor data hygiene. Records and data were retained just in case. Ownership was unclear. Lifecycle decisions were postponed or avoided altogether.

Records management, once a core organisational control, was often seen as administrative rather than strategic.

That context has shifted.

Across multiple sectors, organisations are now grappling with the consequences of unmanaged data: regulatory penalties, breach notifications, remediation programs, legal exposure and reputational harm. In many cases these outcomes stem not from sophisticated attacks but from everyday failures in data lifecycle and records management.

Data that is not actively governed does not remain neutral. Over time, it becomes a source of exposure.

Data risk as an organisational concern

Data risk is increasingly recognised as a factor that cuts across traditional risk categories. Regulatory compliance, operational resilience, information security, privacy and ethical data use all depend on how data is collected, managed and retained.

Several factors are contributing to this shift:

  • heightened regulatory attention to how organisations handle information
  • hybrid and remote working arrangements that reduce direct oversight
  • complex legacy systems that fragment data across platforms
  • advanced analytics and AI that magnify the impact of poor data quality or bias
  • persistent external threats that exploit over-exposed data environments

When organisations lack visibility of what data they hold, where it resides or how long it should be kept, risk accumulates quietly.

Moving earlier in the lifecycle

A recurring challenge in managing data risk is timing. Issues are often identified late - during audits, system implementations or post-incident reviews - when remediation options are limited and costly.

A more sustainable approach involves considering data risk earlier, during planning, design and decision-making. Addressing classification, retention, access and quality at the outset reduces the likelihood of issues becoming embedded in systems and processes.

This reinforces the value of lifecycle thinking. Early decisions shape long-term outcomes and small choices made upstream can prevent significant downstream effort.

Beyond silos: aligning information disciplines

Effective data risk management depends on coordination across disciplines that have traditionally operated separately.

Records management addresses over-retention and unmanaged records. Data governance clarifies ownership, definitions and acceptable use. Privacy and data protection focus on access and misuse. AI governance introduces considerations of transparency, accountability and bias.

When these functions are disconnected, gaps emerge. When they are aligned, organisations are better placed to understand and manage their overall data exposure.

Alignment does not require uniform tools or structures. It requires shared principles, clear accountability and a common understanding of how data moves through the organisation.

What effective practice looks like

Managing data risk well does not mean eliminating risk altogether. It involves establishing clear expectations and practical controls that support proportionate, defensible decisions.

Common elements of more mature practice include:

  • an agreed approach to data risk appetite
  • defined ownership across the data lifecycle
  • consistent classification and retention practices
  • attention to data quality and authoritative sources
  • guidance that supports staff to make informed decisions
  • consideration of secondary data use, including analytics and AI

These elements work best when they are embedded into everyday operations rather than treated as compliance overlays.

Reframing the role of information management

This moment represents a shift in emphasis.

Lifecycle management, appraisal, retention and disposal are no longer seen only as housekeeping activities. They are increasingly recognised as foundational controls that support trust, compliance and organisational resilience.

Modern systems rarely force difficult decisions about what to keep. That absence of constraint makes professional judgement more important, not less.

Data risk does not emerge solely from technology. It emerges from decisions deferred, responsibilities blurred and information left unmanaged.

Good information management has always been about judgement. In a data-saturated environment, that judgement has never mattered more.

Meet your blog authors:

Jon Benson

Jon Benson is a Partner in PwC's Digital Advisory practice, where he leads a multidisciplinary team of AI, Cyber, Data and Privacy specialists. He works with organisations to safely deliver digital transformation, strengthen privacy and data protection practices, improve trust in executive and operational reporting, manage regulatory and reputational risk, and address data quality and master data challenges.

With more than 20 years of experience, Jon has led large-scale engagements across data and technology domains, including analytics, business intelligence, data warehousing, data governance, data quality management, master data management, data risk and assurance, software development and systems integration. He is passionate about helping organisations unlock value from their data while building trust, resilience and sustainable governance frameworks.

Natalie Mu

Natalie Mu is a specialist in Privacy, Cybersecurity and Data Governance, helping Australian organisations navigate the complexities of digital transformation while managing data risk and regulatory obligations. With expertise across key frameworks including GDPR, the Privacy Act and APRA standards, she supports organisations in building resilient, compliant and trusted information environments.

Natalie is passionate about developing operating models and governance practices that align regulatory requirements with business objectives. Her work focuses on helping organisations strengthen resilience, enhance trust and confidently respond to the challenges and opportunities of the digital age.