Understanding Data Governance ROI: A Compliance Perspective
A DataFlux White Paper
Prepared by: Gwen Thomas

Understanding Data Governance ROI: A Compliance Perspective
Most organizations today have concluded that they need to move to formal data governance. The arguments are compelling:

- Formal data governance helps make cross-functional decisions effectively.
- It helps identify data stakeholders and gives them a voice in establishing rules and policies for how information is managed and used.
- It provides a mechanism for orderly and thorough escalation and resolution of data-related issues.
- It brings together business and technology representatives with multiple perspectives to collaboratively examine issues and suggest controls.
- Data governance helps establish standards that contribute to increasing the value of information assets, to cost containment, and to compliance.

While these are common outcomes of data governance programs and projects, not all data governance efforts are equal. Some are large, involving many participants and areas of an organization, while others may consist of one facilitator/administrator and scattered input by others. Some data governance programs look only at strategic issues and decisions, while others dive into detailed needs and processes. And while some data governance programs may exist to support IT-centric efforts such as data warehouses, master data management (MDM) or metadata management projects, others may focus on bringing cross-functional perspective and power to the work of setting policy, aligning business rules and definitions, or supporting architectural decisions.

Regardless of the primary focus of a data governance program, there are two efforts that nearly every program is expected to support in some way: data quality/standardization and compliance. How much attention should any data governance program give to these efforts? How much should be spent, and what is the expected rate of return or return on investment (ROI) for the involvement of data governance, especially in the area of meeting compliance requirements? When is it reasonable to measure ROI, and how do we go about measuring it when our data governance efforts do not directly result in revenue?

In this paper, we'll look at the role of data governance programs in supporting compliance efforts. We'll look at the types of contributions they make, especially in the area of managing compliance costs. And we'll introduce an ROI formula you can use in those circumstances where it's important to quantify the value of those contributions.
Data Governance in Support of Compliance

For many organizations, the question is not whether they should have data governance. Rather, the question is how much data governance they should fund: How broad and deep should their program reach? Should it address only present and future efforts or participate in remedial efforts? How should data governance align with data quality and integration efforts?

For some data governance initiatives, answering these questions can be fairly straightforward. When the focus is on revenue-generating activities, for example, it's often feasible to calculate ROI for data governance contributions even when a contribution is two or three degrees of separation from the money involved. In these cases, ROI numbers can help leaders decide which data governance efforts to fund, and for what amounts.

But what about data governance programs with a focus on compliance? Strict ROI is rarely the driver behind compliance. Organizations "do" compliance because they are compelled to; it's simply not seen as optional. Data governance programs with a focus on compliance, then, tend to focus on requirements and controls: what they are, how to align them and how to assign accountabilities. The value of such data governance programs is based on cost containment: data governance efforts can definitely avoid unnecessary compliance-related spending.

Types of Compliance Initiatives

Compliance may take many forms: adherence to legal and regulatory requirements, contractual compliance, and adherence to standards and other requirements set internally or by partners or industry groups.

Legal and regulatory compliance

Today, a slew of regulations affect how data must be managed. For example:

- The Payment Card Industry Data Security Standard (PCI-DSS) imposes 12 data security requirements. It's mandatory for organizations that process debit and credit cards.
- The Gramm-Leach-Bliley Act (GLBA) imposes strict privacy and security controls on financial information by financial institutions.
- The Health Insurance Portability and Accountability Act (HIPAA) imposes requirements for managing the security and privacy of medical records and personally identifiable information.
- The Sarbanes-Oxley Act affects how public companies treat financial information, including how it is managed, controlled and reported. Consequences of noncompliance can be severe: there can be significant fines for companies, and in some cases CEOs and CFOs can be subject to personal fines and even prison terms.

Contractual compliance

In today's interdependent environments, what happens to information within one organization's firewall may have a critical impact on customers, partners, suppliers and other stakeholders. As a result, it is becoming more common to see contractual requirements that place restrictions on how information is acquired, managed, stored, processed, moved, displayed and disclosed. The language of such constraints, because they are stemming from business reasons and are written by lawyers rather than legislators, may be difficult to reconcile with regulatory compliance requirements. However, they are probably touching the same databases, processes and systems.

Adherence to standards

Let's not overlook the importance of enforcing adherence to standards set by internal staff. Often, the successful implementation of new systems and the value expected from significant programs and projects hinges on the assumption that information can be passed between systems and can be effectively identified and analyzed. Adherence to naming conventions and other standards may be critical to many efforts. Requirements may be set by internal data management groups, or they may be industry standards or conventions designed to support interoperability.
Deciding How Much to Fund

If your compliance requirements and subsequent data governance or data quality requirements are vague or subjective, you need to decide how to comply and how much to invest. You can prepare for that decision by performing the following process:

1. Identify the absolute minimum needed to reach compliance
2. Assess the benefits of doing more than the minimum
3. Assess the potential consequences and costs of non-compliance
4. Identify opportunities for managing the costs of the compliance process

In assessing the potential consequences of non-compliance, you'll want to quantify what is at risk:

- Penalties and fines. HIPAA, Sarbanes-Oxley, and other regulations generally impose penalties for non-compliance. These may come in the form of fines or, in some cases, the risk of incarceration for corporate leaders.
- Costs of notifying customers and stakeholders. The expenses involved in alerting customers when their private information has been breached can be significant. And such notification can be required by law. For instance, SB 1386 (the California Security Breach Information Act) is a California state law that applies if you have even one customer in California. If a commercial company, non-profit, or agency collects personal information, it must notify each person in their database should there be a security breach involving personal information. This information can include the customer's Social Security number, driver's license number, account number, credit or debit card number, or security code or password for accessing their financial account. Many other states have followed California's lead and have passed similar laws.
- The value of customers, partners or investors who might react to non-compliance. When regulatory noncompliance is reported, or when security breaches occur, individual customers may lose confidence in an organization's ability to safeguard their information. Inevitably, some customers leave. What is their value? What is the value of a corporate customer who leaves (or never signs on) because of your organization's inability to adhere to contractual requirements?

Compliance Costs Tied to Lack of Auditor Confidence

In deciding how much attention to pay to data-related compliance efforts, smart organizations ask another key question: "What additional testing and auditing costs could we incur if our auditors lose confidence in the data we present to them or in our controls environment?"
Consider a situation where an auditor is reviewing Sarbanes-Oxley controls in software applications that manage financial data. At least three things could happen that would affect compliance costs.

1. The auditor accesses the repository that houses the official list of corporate applications, but the system that the auditor is looking for isn't there. Oops. The auditor has just lost confidence in the data in that repository and may require an application inventory review as part of the audit, an activity that will be expensive and disruptive.
2. The auditor finds an application in the system, but the official record says that the system does not contain financial data, when the auditor knows that it does. Now the quality of the information in the repository is suspect. Additional testing and investigation may be required.
3. The system's record is complete, but the code used in the repository to signify the presence of financial data does not match the code used in data flow models or lists of controls or in risk management narratives. Now, the auditor has to reconcile these areas. At the very least, auditing costs will rise to accommodate this reconciliation. More likely, the auditor's confidence in your efforts will be diminished, and this will contribute to future judgment calls about whether to mandate additional examinations.

Data governance programs that focus on supporting compliance efforts often participate in pre-auditing reviews of materials that will be put in front of auditors. They are ideally situated to pick up on missing elements (such as a simple mapping of codes from one system to another) that can go a long way toward increasing auditor confidence. They may also be able to identify additional controls that have been put in place by business or technical staff, and they may be the keepers of roles and responsibilities charts that highlight accountabilities of interest to auditors.
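A pre-audit consistency check that catches the three discrepancies in the scenario above before an auditor does, as an added example that is not part of the original paper. The application repository, data-flow model, controls list and the Y/N to FIN/NONFIN code mapping are constructed sample data, and all names are assumptions.

```python
"""Pre-audit review: reconcile the official application repository against the
data-flow model and the controls list before the auditor compares them.

Added example, not DataFlux code. Every value below is constructed sample input.
"""

# Constructed sample data (assumption): the repository flags financial data with
# Y/N, while the data-flow model uses the codes FIN/NONFIN.
APP_REPOSITORY = {
    "GL-Ledger": {"financial_data": "Y"},
    "HR-Payroll": {"financial_data": "N"},    # wrong: payroll feeds the ledger
    "AP-Invoicing": {"financial_data": "X"},  # code that no mapping covers
    "CRM": {"financial_data": "N"},           # out of SOX scope, not checked
}
DATA_FLOW_MODEL = {
    "GL-Ledger": {"financial_data": "FIN"},
    "HR-Payroll": {"financial_data": "FIN"},
    "AP-Invoicing": {"financial_data": "FIN"},
    "Treasury": {"financial_data": "FIN"},    # absent from the repository
}
CONTROLS_LIST = {
    "GL-Ledger": ["SOX-C01", "SOX-C07"],
    "HR-Payroll": ["SOX-C12"],
    "Treasury": ["SOX-C03"],
}
# The "simple mapping of codes from one system to another" the paper mentions.
CODE_MAP = {"Y": "FIN", "N": "NONFIN"}


def pre_audit_review(repo, flow, controls, code_map):
    """Return the three discrepancy types from the auditor scenario.

    1. systems in scope (in the data-flow model or carrying a control) that are
       missing from the official repository;
    2. repository records whose financial-data flag contradicts the model;
    3. repository codes that cannot be translated into the model's vocabulary.
    """
    findings = {
        "missing_from_repository": [],
        "financial_flag_mismatch": [],
        "unmapped_codes": [],
    }
    in_scope = set(flow) | set(controls)
    findings["missing_from_repository"] = sorted(in_scope - set(repo))
    for app in sorted(in_scope & set(repo)):
        repo_code = repo[app]["financial_data"]
        if repo_code not in code_map:
            findings["unmapped_codes"].append((app, repo_code))
            continue  # nothing to compare until the code is mapped
        if app in flow and code_map[repo_code] != flow[app]["financial_data"]:
            findings["financial_flag_mismatch"].append(
                (app, repo_code, flow[app]["financial_data"]))
    return findings


def audit_ready(findings):
    """True only when every discrepancy list is empty."""
    return not any(findings.values())


def format_report(findings):
    """Human-readable summary for the pre-audit review meeting."""
    lines = []
    for kind, items in findings.items():
        lines.append(f"{kind}: {len(items)}")
        for item in items:
            lines.append(f"  - {item}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = pre_audit_review(APP_REPOSITORY, DATA_FLOW_MODEL, CONTROLS_LIST, CODE_MAP)
    print(format_report(result))
    print("audit ready:", audit_ready(result))
```

Run against the sample data it reports Treasury as missing, HR-Payroll as a flag mismatch and AP-Invoicing as an unmapped code; the same structure applies to any three inventories keyed by application name.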
Why This is Hard

Make no mistake: managing information has become much harder in recent years, even if systems, applications and processes have not changed. Why is this? It's because information management efforts that support processes or systems that come into scope for compliance now have four times as many goals to meet. Now, the requirement is to:

- Do the (information management) work
- Control it
- Document it
- Prove compliance
Even if you had controls and documentation that were perfectly adequate for operational purposes, they may not meet compliance requirements. For instance, the type of documentation needed for compliance purposes may be of a different type, or of greater complexity, than that needed for ongoing operations. Data integrity and security controls that have been baked into a system or process or database because they are "best practices" may need to be called out and formally rated for their ability to manage risk: to prevent undesired outcomes, to detect them, or to correct them. Proving compliance can involve creating audit trails, documenting the performance of certain processes, and even participating in audits. All told, the effort to support compliance can be significant.

Managers are generally experienced in overseeing the "doing" of data management work. Often, however, they are not so experienced in designing and supervising the other activities. Certainly it is unfair to expect every manager to be an expert in all of the compliance requirements that must be adhered to, as well as preferred approaches to controls, documentation and proof of compliance. The result of this situation is ungoverned compliance efforts that can be unduly complicated and expensive. AMR Research estimated 2008 costs for governance, risk management and compliance to top $32 billion [1].

Within this complicated tangle of compliance efforts there are bound to be redundancies; after all, we have multiple groups devising multiple controls to manage multiple sets of compliance requirements. Each of these controls follows a lifecycle that includes requirements, design, development, testing, implementation, monitoring and reporting. An ungoverned, unaligned approach requires excessive management oversight time. Other problems include:

- Missed opportunities to employ multi-purpose controls; ones that can satisfy many requirements.
- Missed opportunities to employ control functionality that is embedded in most commercial MDM, ETL, and data quality tools.
- Controls that contradict or overwrite each other, rendering each other unable to achieve their compliance goals.

[1] AMR Research. The Governance, Risk Management, and Compliance Spending Report: Inside the $32B GRC Market. March 25,

Data Governance as a Vehicle for Spending Less

Data governance programs with a focus on data quality and compliance are often charged with providing input to data-related controls strategies. Through the work of data stewards or data governance administrators, committees, or work groups, data governance can help answer the following questions:

- How can we identify all the compliance requirements that touch the same data, systems, or processes?
- How can we communicate compliance requirements to all that are affected by them?
- How can we align requirements and rules?
- How can we ensure that data-related controls don't negate each other?
- How can we design multi-purpose controls?
- How can we take advantage of existing controls to meet compliance requirements?
- How can we employ our data stewards and others to support compliance?
- How can we embed compliance activities and controls into operational and data management processes?
- How can we be confident that our efforts will be effective?
- How can we be confident that our efforts will satisfy auditors?
- How can we minimize the burden of compliance on management? On superusers? On others?

Return on Investment for Compliance-Focused Data Governance

Sometimes it's not clear how involved data governance programs should be in answering these questions, or in reacting to the responses to them. Sometimes an organization wants to examine the ROI for such involvement. Using the ROI metric can be challenging, however, because data-related efforts are sometimes two or more degrees of separation from actual hard-dollar benefits. If you want to calculate ROI for such efforts, you'll need to use a modified ROI formula.

Degrees of Separation from the Ultimate Benefit

Projects that are just one degree of separation from money are easy to understand. Direct-mail campaigns, for example, are always based on ROI. Conduct the campaign, and you can expect a certain amount of revenue. Divide the revenue minus costs by the costs, as shown in Figure 1, and you have the ROI for the campaign.
$$
\text{ROI} = \frac{\text{Total Benefit} - \text{Cost of Benefit}}{\text{Cost of Benefit}} \times 100\%
$$

Figure 1: Formula for ROI

On the other hand, consider an effort to clean up customer data before conducting the campaign. This effort is two degrees of separation from the ultimate benefit. It should result in a higher return for the campaign, so it's probably worth the effort since it will improve (or protect) the ROI of the main activity. Now consider a data governance effort to establish data standards and data quality rules. This effort has to take place before the clean-up; it is three degrees of separation from the ultimate benefit. Still important, just a little farther removed from hard dollars.

Data governance in support of compliance efforts is almost always two or three degrees of separation from the ultimate benefit. Organizations rarely look for hard dollar returns on these efforts. Still, if it's important to do so, you can measure a data governance contribution and compute the ROI for that contribution. What you need are three numbers:

1. The total benefit of compliance, or at least the risk you are avoiding, such as the costs of an extra 20% in auditing fees. You'll probably need to use rough estimates for this number. Most organizations don't keep track of these potential costs.
2. The percentage of credit that data governance would be given for avoiding these costs. If this cost is a certainty without data governance, then this figure will be 100%. If several efforts will go into avoiding this expense, then data governance should be allocated a smaller percentage.
3. The costs of the data governance contribution.

Now you can plug those figures into a modified ROI formula, as shown in Figure 2.

$$
\text{ROI of DGov} = \frac{(\text{Total Benefit} \times \text{Percentage of benefit contributed by DGov}) - \text{Cost of DGov contribution}}{\text{Cost of DGov contribution}} \times 100\%
$$

Figure 2: The ROI of data governance.
Conclusion

Data governance programs with an emphasis on data quality and compliance can make important contributions. The cross-functional nature of such programs means that multiple perspectives from across the organization can be brought to the work of deciding on compliance approaches and even specific controls. Whether the value of the contribution is so obvious that monetary calculations are not necessary, or whether ROI formulas are applied to decide whether to invest in an effort, most organizations with formal data governance agree on this: data governance makes compliance more effective, more thorough, less likely to overlook gaps and omissions, and certainly less expensive.
Whitepaper Data Governance Roadmap for IT Executives Valeh Nazemoff
Whitepaper Data Governance Roadmap for IT Executives Valeh Nazemoff The Challenge IT Executives are challenged with issues around data, compliancy, regulation and making confident decisions on their business
SECURELINK.COM COMPLIANCE AND INDUSTRY REGULATIONS
COMPLIANCE AND INDUSTRY REGULATIONS INTRODUCTION Multiple federal regulations exist today requiring government organizations to implement effective controls that ensure the security of their information
Data Governance With a Focus on Information Quality
MIT Information Quality Industry Symposium, Information Quality By Gwen Thomas, President, The The Data Governance Institute Objectives of this presentation Identify interdependencies between Information
Information Protection Framework: Data Security Compliance and Today s Healthcare Industry
Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement
An Executive Overview of GAPP. Generally Accepted Privacy Principles
An Executive Overview of GAPP Generally Accepted Privacy Principles Current Environment One of today s key business imperatives is maintaining the privacy of your customers personal information. As business
Outsourcing & Regulatory Compliance Risks
Outsourcing & Regulatory Compliance Risks By Matthew Sullivan Today s marketplace dictates that Financial Services Institutions (FSIs) consider using offshore IT services to remain competitive. However,
Designing an Operational Risk Program for a Community Bank Stephan Salvador Managing Director, Risk Management Consulting
Consulting and Professional Services Designing an Operational Risk Program for a Community Bank Stephan Salvador Managing Director, Risk Management Consulting Designing an Operational Risk Program for
Making the Business Case for IT Asset Management
1 The business case for IT Asset Management Making the Business Case for IT Asset Management Executive Summary IT Asset Management (ITAM) is an important business discipline that provides insight into
The IBM data governance blueprint: Leveraging best practices and proven technologies
May 2007 The IBM data governance blueprint: Leveraging best practices and proven technologies Page 2 Introduction In the past few years, dozens of high-profile incidents involving process failures and
Call Recording and Regulatory Compliance
Call Recording and Regulatory Compliance An OAISYS White Paper Americas Headquarters OAISYS 7965 South Priest Drive, Suite 105 Tempe, AZ 85284 USA www.oaisys.com (480) 496-9040 CONTENTS 1 Introduction
Auditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP
Auditing your institution's cybersecurity incident/breach response plan Objectives > Provide an overview of incident/breach response plans and their intended benefits > Describe regulatory/legal requirements
Data Governance Primer. A PPDM Workshop. March 2015
Data Governance Primer A PPDM Workshop March 2015 Agenda - SETTING THE STAGE - DATA GOVERNANCE BASICS - METHODOLOGY - KEYS TO SUCCESS Copyright 2015 Noah Consulting LLC. All Rights Reserved. Industry Drivers
The potential legal consequences of a personal data breach
The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.
Virginia Longitudinal Data System
Virginia Longitudinal Data System Book of Data Governance Version 1.0 Page 1 Signature Page The following parties agree upon the policies and procedures outlined in this version of the VLDS Book of Data
Regulatory Compliance and its Impact on Software Development
Regulatory Compliance and its Impact on Software Development Abdelwahab Hamou-Lhadj Software Compliance Research Group Department of Electrical and Computer Engineering Concordia University 1455 de Maisonneuve
Bridging the HIPAA/HITECH Compliance Gap
CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According
DATA QUALITY MATURITY
3 DATA QUALITY MATURITY CHAPTER OUTLINE 3.1 The Data Quality Strategy 35 3.2 A Data Quality Framework 38 3.3 A Data Quality Capability/Maturity Model 42 3.4 Mapping Framework Components to the Maturity
3 rd Party Vendor Risk Management
3 rd Party Vendor Risk Management Session 402 Tuesday, June 9, 2015 (11 to 12pm) Session Objectives The need for enhanced reporting on vendor risk management Current outsourcing environment Key risks faced
Big G and li,le g Data Governance
Big G and li,le g Data Governance a presenta6on for DAMA Indiana Gwen Thomas President, The Data Governance Ins6tute Governance and Management Big G Governance: The policy making layer Management & Architecture:
Masterminding Data Governance
Why Data Governance Matters The Five Critical Steps for Data Governance Data Governance and BackOffice Associates Masterminding Data Governance 1 of 11 A 5-step strategic roadmap to sustainable data quality
California State University, Sacramento INFORMATION SECURITY PROGRAM
California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...
