Is there a requirement for a “Data Attestation” in a Board paper?

This article is about how to ensure Directors gain assurance about “data” that is supporting the recommendations in a Board paper.


I have read, written and presented my fair share of Board and Investment Committee papers over the past 25 years. As Directors, we are collectively accountable and responsible for the decisions we take. I can now observe a skills gap regarding “data”, with many board members assuming and trusting the data that forms the basis of what they are asked to approve. There are good processes, methods and procedures for ensuring that any Board papers presented are factual. However, decisions using big data and its associated analysis tools, including ML and AI, which drive automation, are new and require different expertise at a higher level of detail. Challenging data is different from finding it hard to question in detail any member of the C-suite on their specific expertise and, more generally, the general counsel, CFO and CTO. The CDO/CIO axis bridges the value line, being both a cost and a revenue. With “data” as the business driver, it remains superficially easier to question costs without understanding the consequences for our future decision ability, and even harder to unpack unethical revenue.

A classic “board paper” will likely have the following headings: Introduction, Background, Rationale, Structure/Operations, Illustrative Financials & Scenarios, Competition, Risks and Legal. Case by case, there are always minor adjustments. Finally, some form of recommendation will invite the board to note key facts and approve the action. I believe it is time for the Chair or CEO, with the support of their senior data lead (#CDO), to ask that each board paper has a new section heading called “Data Attestation.” A section on Data Attestation will be a declaration that there is traceable evidence and proof of the data, with the presenter acting as a witness certifying it. Some teams will favour this as an addition to the main flow, some as a new part of legal, others as an appendix and some will claim it is already inherent in the process. How and where matters little compared to its intent.

Such a section could provide a solution until such time as we can gain sufficient skills at the Board and test data correctly. Yes, there is a high duty of care that is already intrinsic in anyone who presents a board paper (already inherent). However, the data expertise and skills at most senior levels are also well below what we need because all the politics, bias and complexity are in the weeds, which makes them both easy not to know and easy to hide. Board members have to continue to question performance metrics (KPI and BSC) to determine the motivation for any decision, but having to trust “data” sets a different standard to those we have with audit, finance, legal and compliance. If nothing else, a “data attestation statement” will set a hurdle for those presenting to prioritise bias, ethics and consequences of data used in their proposal.


Arguments for and against

Key assumptions

  • Data is critically important to our future and is foundational for decision making going forward.

  • Data is more complex today and continues to increase in complexity.

  • The C-suite and leadership team are experts in their disciplines and have deep expertise in their critical areas, but there is a data skills gap.

  • There is a recognition at the board that data bias, a lack of auditability, provenance, and data lineage can lead to flawed/bad decision making.

Based on these working assumptions, I do not believe that adding a “Data Attestation” section is a long-term fix. To comply with Section 172 of the Companies Act, it is an absolute requirement that we upskill to meet our fiduciary duties. But data is not like marketing, technology, operations, finance or HR - data is new, and the vast majority of boards and senior leadership teams have little experience in big data, data analytics or coding. It is a recognition that education and skills development are a better solution, but in the gap between today and skills arriving, we should do something? Critically, I would support introducing a data attestation section with a set date where it falls away.

This is essential to consider, as insurance companies that offer D&O policies are looking at new clauses related to the capability of Directors who make decisions based on data and their ability to know the data was “fit for purpose” for the decision. Insurance companies need to protect their claims business and might feel that the upskilling might take too long.

Why might this work? Do you get on a plane and ask to pilot it? Do you go to the hospital with the correct Google answer or ask a qualified Doctor? We need to form our own view that someone has checked whether the pilot and doctor are qualified. Today, we outsource Audit to a committee because of this same issue; it is complex. But Data is not finance, and data is not an Audit committee issue. Data is a different skill set.


Each Board has to make its own choice. The easiest is to justify to oneself that our existing processes are good enough and we are following “best practices”, compliance thinking.   Given the 76 recommendations in the Sir Donald Brydon Review of Audit, assuming that our existing processes are good enough is difficult to justify. If we want to make better decisions with data, we need to make sure we can. 

Recommendation

A strong recommendation would be to put in place an “Attestation Clause”, a drop-dead date, a 2-year mandatory data training program aimed at the senior leadership team and Directors/Board members and a succession plan that prioritises data skills for new senior and board (inc NXD) roles.

Proposal

A “data attestation” section intends that the board receives a *signed* declaration from the proposer(s) and independent data expert that the proposer has:

  • proven attestation of the data used in the board paper, 

  • proven rights to use the data

  • shown what difference/delta third-party data makes to the recommendation/outcome

  • ensured, to best efforts, that there is no bias or selection in the data or analysis

  • clearly specified any decision making that is or becomes automated 

  • if relevant, created the hypothesis before the analysis 

  • run scenarios using different data and tools

  • not misled the board using data

  • highlighted the conflicts of interest between their BSC/KPI and the approval sought

The independent auditor should not be the company's financial auditor or data lake provider; this should be an independent forensic data expert. Audit suggests sampling; this is not about sampling. It is not about creating more hurdles or handing power to an external body; this is about 3rd party verification and validation. As a company, you build a list of experts and cycle through them regularly. The auditor does not need to see the board paper, the outcome from the analysis or the recommendations - they are there to check the attestation and efficacy from end to end. Critical will be proof of their expertise and an insurance certificate.

Whilst this is not the final wording you will use, it is the intent that is important; this does not negate or novate data risks from the risk section.

Example of a Data Attestation section

We certify by our signatures that we, the proposer and auditor, can prove to OurCompany (PLC) Board that we have provable attestation and rights to all the data used in this paper’s presentation. We have presented in this paper the sensitivity of the selected data, model and tools and have provided evidence that different data and analysis tool selection equally favours the recommendation. We have tested and can verify that our data, analysis, insights, and knowledge are traceable and justifiable. We declare that there are no Conflicts of Interest, and no automation of decision making will result from this approval.