Roger Clarke's Web-Site


© Xamax Consultancy Pty Ltd,  1995-2023

Roger Clarke's 'Managing Data Risk'

Managing Data Risk: A Consultant's Guide

Outline of 16 July 2020

For presentation to the ANU Cyber Law Program - 12 Aug 2020

Roger Clarke **

© Xamax Consultancy Pty Ltd, 2020

Available under an AEShareNet Free
for Education licence or a Creative Commons 'Some
Rights Reserved' licence.

This document is at

The supporting slide-set is at


My consultancy practice has as its focus strategic and policy aspects of disruptive information technologies. That provides an appropriate context for a discussion of the assessment and management of technology and risk.

The starting-point is a generic model of security. This identifies relevant concepts and their relationships, and provides a suite of defined terms. That lays the foundation for examination of the risks arising in any particular context.

Risk assessment applies the security model to problem analysis. Risk management shifts beyond analysis to design, and then to implementation. Choices have to be made across a wide range of alternative risk management strategies, with mitigation as a critical element.

All effective risk management plans involve a suitable blend of organisational and technological measures, backed up by an appropriate legal framework, comprising both public law and private law components.

A hierarchical model of the regulatory field distinguishes layers of 'government' (formal law), 'self-governance', and 'systemic governance'. L-A-W law is the framing element, and the fallback, but it is emphatically not the primary part of any risk management plan.

Some organisational measures are within the self-governance layers. The most effective means of managing risks are commonly much deeper-embedded, however, in the Infrastructural Regulation layer. The RoboDebt fiasco arose because the agency responsible for it tried to do away with the organisational elements. Enormous cost was borne by untold thousands of welfare recipients, by the reputation of government, and by the public purse.

Effective management of technology-associated risk depends heavily on Infrastructural Regulation, comprising both organisational and technological elements.


'The Conventional Security Model'
Appendix 1 to Clarke R. (2015) 'The Prospects of Easier Security for SMEs and Consumers' Computer Law & Security Review 31, 4 (August 2015) 538-552, at

'The Risk Assessment and Risk Management Process'
s.3.1 of Clarke R. (2019) 'Principles and Business Processes for Responsible AI' Computer Law & Security Review 35, 4 (2019) 410-422, at

'Multi-Stakeholder Risk Assessment and Risk Management '
ss.3.2-3.3 of Clarke R. (2019) 'Principles and Business Processes for Responsible AI' Computer Law & Security Review 35, 4 (2019) 410-422, at

'A Generic Data Risk Assessment of Cloudsourcing'
s.4 of Clarke R. (2013) 'Data Risks in the Cloud' Journal of Theoretical and Applied Electronic Commerce Research (JTAER) 8, 3 (December 2013) 60-74, at

'Detailed Application of the Risk Assessment Process to Micro-Business Backup Needs'
ss.3-4 of Clarke R. (2016) 'Practicable Backup Arrangements for Small Organisations and Individuals' Australasian Journal of Information Systems, 20 (September 2016), at

'Guidelines for the Responsible Application of Data Analytics' Comp Law & Security Review 34, 3 (May-Jun 2018) 467- 476, at

'A Business Process Model for Responsible Data Analytics Projects'
s.5.2 of Clarke R. & Taylor K. (2018) 'Towards Responsible Data Analytics: A Process Approach' Proc. Bled eConference, 17-20 June 2018, at

'Centrelink's Big Data 'Robo-Debt' Fiasco of 2016-17'
January 2018, at

'Categories of Risk Management Strategy'
Table 2 in Clarke (2019) 'Principles and Business Processes for Responsible AI' Computer Law & Security Review 35, 4 (2019) 410-422, at

'A Hierarchy of Regulatory Forms'
s.5 of Clarke R. (2019) 'Regulatory Alternatives for AI' Computer Law & Security Review 35, 4 (2019) 398-409, at

Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor associated with the Allens Hub for Technology, Law and Innovation in UNSW Law., and a Visiting Professor in the Research School of Computer Science at the Australian National University.

xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 65 million in early 2021.

Sponsored by the Gallery, Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 6 May 2020 - Last Amended: 16 July 2020 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2022   -    Privacy Policy