Data Governance Unlocking Value and Controlling Risk
White Paper Data Governance

Table of contents

Introduction
Data Governance Program Goals in light of Privacy
Data Governance Program Pillars
Data Governance focus areas
Policies, Standards and Strategy
Data Quality
Privacy and Compliance
Security
Architecture and Integration
Data Warehouse and Business Intelligence
Management Support
Getting Started
Best practices
Global vs. local approach
Obtain executive sponsorship
Stages in Data Governance Programs
Current state discovery, full approach through small steps
Data Governance Education Plan
Performance Targets
Defining YOUR Data Governance Program
Guiding Principles for Implementation
Establishing, collecting and reporting on metrics to measure progress
Establishing measurable benefits by building a business case
Link and build incentives to reward and re-enforce appropriation
Introduction

In our present data-driven corporate world, information assets obtained from collected data are essential to support the corporate strategy, enabling decision-making for overall activities. Personal and non-personal data is the raw material for the creation of information assets. Data has today become one of the most valued assets: it allows companies to perform their activities efficiently and remain competitive. The surging value of data implies companies need to protect such assets. As they realize the benefits and the challenges they face when unifying - mashing-up - data, Data Governance issues and questions arise.

What is Data Governance?

A Data Governance Program is a strategy to ensure compliance, security and data quality of your information assets. The program's evolution is monitored through organized and planned performance metrics to ensure data assets are consistent through rules and standards driven from policies executed by people.

A strategic plan is required to reap the benefits promised by Data Governance, assuring the right decisions are taken, depending upon the type of data used, the activities performed by the company and the different issues surrounding data treatment.

Data Governance should not be confused with Information Security. Information Security is the application of several security measures in order to avoid potential data breaches and assure data integrity. Data Governance does not limit itself to providing security to information assets. Its aim is to reap the benefits from the data obtained by the company in order to support its growth strategy. Effectively, it puts data to work.

Data Governance is an all-encapsulating strategy followed by a company to encourage desirable behavior in the valuation, creation, storage, use and deletion of data and information assets. It includes decision rights and an accountability framework. It defines the processes, the roles, the standards and the metrics to ensure an effective use of data and information assets, enabling companies to achieve their purpose.
Data Governance Program Goals in light of Privacy

One of Data Governance's goals is to create Information Security Systems that properly protect data and information assets. Addressing Data Governance in light of increasing Privacy issues revolves around the correct definition, approval and communication of data strategies, their related policies and standards, as well as the supporting architecture, procedures, and metrics. Where:

- Data Policies are the collection of statements describing the rules controlling data integrity, security, quality, and use of data during its lifecycle and state changes;
- Data Standards are the detailed rules developing procedures of data policies;
- Data Architecture is composed of models, policies, rules or standards that govern which data is collected, and how it is stored, arranged, integrated, and put to use in data systems and within companies.

Additionally, tracking and enforcing compliance for those data policies, standards, architecture and procedures needs to be in place.

The human resources aspect of true data governance covers understanding and promoting the value of data assets. True commitment is reflected by assuring adequate internal sponsoring, tracking and overseeing the delivery of data management projects and services while managing and resolving data-related issues.

Obviously, not all Data Governance Programs are created equal. Every company is specific in terms of both needs and obligations. To create an efficient Data Governance Program, a strategy based on the needs of data uses is required. From a Privacy perspective, this means confronting such needs with the risks the company's information assets represent today and tomorrow. All undertaken efforts should aim at solving one of the following executive drivers:

- Increase revenue and the value of the company;
- Manage costs and complexity;
- Ensure business continuity attending to the detected risks and vulnerabilities through compliance, security, privacy, etc.
Data Governance Program Pillars

Depending upon the focus, the rules and concerns that participants within the Data Governance Program need to address shall differ. It will impact the mix of involved stakeholders, their actions and the efforts required.

Data Governance focus areas

Policies, Standards and Strategy

The group leading this effort within an organization requires the support of a cross-functional leadership body in order to assure success and that silos are adequately broken down. A charter for this focus should ideally hold Data Governance and Stewardship participants accountable for:

- Reviewing, approving and monitoring policy;
- Collecting, selecting, reviewing, approving and monitoring standards;
- Aligning policy and standard sets;
- Contributing to the business rules;
- Contributing to the data strategies;
- Identifying stakeholders and establishing decision rights.

Data Quality

This effort addresses issues revolving around data quality, data integrity and the usability of data. Typically companies performing mergers and acquisitions (M&A) or data acquisition exercises implement these types of programs. They often involve data quality software, with quality efforts initially applied through master data management (MDM) programs, focusing on either a specific project or department before being rolled out at a company-wide level. The typical charter for this focus holds data governance and stewardship participants accountable for:

- Setting the direction for Data Quality;
- Monitoring Data Quality;
- Reporting on the status for Data Quality focused processes;
- Identifying stakeholders, clarifying accountabilities and establishing decision rights.

Privacy and Compliance

Increasing concerns revolving around Data Privacy and compliance with legislation, (international) agreements and internal requirements are pushing Privacy and Compliance programs to the forefront. While often initially sponsored by business and IT departments, such a program should however be considered as an outgrowth of a Governance, Risk and Compliance (GRC) Program.
Such programs often start with a company-wide scope although efforts are usually limited to specific types of data. They include technologies to locate sensitive data within a company's network in order to then protect the data and manage the surrounding policies and control mechanisms. Typically, Data Governance and Stewardship participants are held accountable for:

- Protecting sensitive data through the support of Access Management and adequate security requirements;
- Aligning frameworks and initiatives;
- Supporting risk assessments and defining controls for risk management;
- Supporting regulatory, contractual, architectural compliance requirements and their adequate enforcement;
- Identifying stakeholders, clarifying accountabilities and establishing decision rights.

Security

Concerns are rising related to access permissions (typically login/password), Information Security Measures and Access Management, the internal set-up supporting access credentials. Implementation of a Security Program, undertaken on a company-wide scope, includes technologies to support location of sensitive data, access management for sensitive data, data back-ups and deletion and risk assessments of possible threats.

Architecture and Integration

An Architecture and Integration program is typically taken into consideration and brought to life during major system adaptations, typically new acquisitions, or when big new development efforts arise or updates require new levels of cross-functional decision-making and accountabilities. Typically, Data Governance and Stewardship participants are held accountable for:

- Ensuring consistent data definitions;
- Supporting architectural policies and standards;
- Supporting Metadata programs, Service Oriented Architecture (SOA), Master Data Management (MDM), and Enterprise Data Management;
- Bringing cross-functional attention to integration challenges;
- Identifying stakeholders, establishing decision rights and clarifying accountabilities.
Data Warehouse and Business Intelligence

This program is typically set up in conjunction with any new kind of storage facility implementation, increasingly cloud or SaaS today. It can also be called a data warehouse, a data mart or a new business intelligence tool.
Such efforts often require strong data-related decisions where organizations implement data governance to ensure that standards, access and rules are correctly enforced once the new system starts to operate. The initial scope is often one where roles and responsibilities as well as rules are defined for the new system. This program can however serve as a prototype for a company-wide Data Governance/Stewardship program. A charter for this focus typically holds Data Governance and Stewardship participants accountable for:

- Establishing rules for data definitions and their subsequent uses. Typically, what is a customer and how is this defined?
- Identifying the lifecycle of sensitive data and the related Data Governance rules to be applied;
- Clarifying the value of data assets and their data-related projects;
- Identifying stakeholders, clarifying accountabilities and establishing decision rights.

Management Support

Managers who find it difficult to deal with data-related management decisions, due to their potential effects on operational performance and compliance efforts, implement this type of program. It helps managers make decisions with more confidence. Such programs may consist of councils who analyze interdependencies, take decisions and issue policies. However, sometimes the Data Governance Program focuses on multiple issues, such as supporting management and addressing compliance. A statute for this focus holds Data Governance and Stewardship participants accountable for:

- Measuring the data value and data-related efforts;
- Aligning frameworks and initiatives;
- Identifying the lifecycle of sensitive data and the related Data Governance rules to be applied;
- Monitoring and reporting on data-related projects;
- Promoting data-related messages and taken stances;
- Identifying stakeholders, clarifying accountabilities and establishing decision rights.
Getting Started

Best practices

Assigning respective roles and responsible personnel before developing policy is the common best practice for Data Governance and Data Stewardship, as it defines organizational bodies before developing the actual policies and related procedures. However, let's be honest, it's more productive if you start by establishing the focus and related value propositions. This means defining how each effort contributes to stakeholder needs of increased revenue and value, defining their needs for efficient management of costs within an increasingly complex environment, and ensuring continuity through attention to risk and compliance.

It is therefore essential to understand the value statement and develop a plan to communicate that value proposition in the clearest possible way. As soon as the description of your company's data-related issues is pinned down, as soon as the way to address them is defined and as soon as you define how success can be measured for this initiative, your company will be on its way to reap the benefits of a value-based Data Governance program.

Global vs. local approach

Each company is different; therefore it is not always possible to act globally right from the start. The creation of a local Data Governance Program is sometimes also a good way to start, in pilot mode. Dissecting even further, as a lot of companies still work in unrelated silos or business units, it is also possible to create a Data Governance Program based on a single specific pillar for a company department, before widening the scope to include lessons learnt.

Obtain executive sponsorship

Data Governance demands inevitable behavioral and cultural changes. It requires revisiting investments in projects and technological tools. It forces your company to analyze major stakeholders. A closer look needs to be taken in order to assure alignment and agreement on key decisions with those responsible for the scope of the Data Governance project, representing the included lines of business and their functional areas. With everyone on the same page, your project has more chances to succeed.
Stages in Data Governance Programs

Not all Data Governance efforts result in the expected outcomes. Insurmountable obstacles sometimes challenge the value and success of the program. Those obstacles can be cultural, political, and organizational challenges, and can mean that some of the changes needed to move forward do not take place. Points to consider to avoid typical pitfalls:

Current state discovery, full approach through small steps

Data governance is an iterative process. Start with the people, politics and culture, and then move on to the Data Governance and stewardship processes as well as the underlying technology used. Take the steps to gradually move up the maturity scale. However, start with a limited and attainable focus in mind. Balance out strategic aims and tactical engagements to ensure that the program is moving towards the desired direction. Our approach to instituting a comprehensive Data Governance Program, fitting the company needs, starts with the understanding of where the company is in our COBIT-based maturity model.

Data Governance Education Plan

The most important responsibility of data stewards, members of the Data Governance Council, is to ensure effective control and usage of data assets. Identify and build a data steward team that includes subject matter experts from all business areas of the company. The definition of this role must be included in the job descriptions. Additionally and most importantly, assure that the proper time allocation is attributed to the stewardship work.
Performance Targets

After performing a study of the current status of the company's business objectives, its needs and the impact of its business processes, Mind Your Privacy is able to draw a picture of your company's current situation. The COBIT model is used as an initial framework, unless otherwise specified by the client. Using this framework, your company will have a clear picture of the current situation regarding the seven pillars mentioned earlier:

1. Policies, Standards and Strategy
2. Data Quality
3. Privacy and Compliance
4. Security
5. Architecture and Data Integrations
6. Storage: DW, BI and cloud
7. Management support

and where Data Governance would have the highest impact on your company's use of data maturity, in line with those 7 pillars.

Defining YOUR Data Governance Program

Each company is a different story: not every company has the available internal resources or needs in our increasingly data-driven era. A Data Governance Program has to be tailored to your company's needs in order to obtain the best possible results, in line with attainable time construed objectives. Mind Your Privacy's Data Governance service is flexible and can be adjusted to your needs, depending upon your geographical location, sector and internal set-up.

Guiding Principles for Implementation

The initial step is getting to know your company's current state with respect to:

- Business objectives,
- Functional needs,
- Impact on business processes,
- Potential improvements to identified processes,
- Cost and complexity of current business and technical drivers.

These findings are drafted to define a preliminary Data Governance Program. It contains preliminary recommendations, guiding principles and suggests metrics to gauge performance in line with defined targets. This initial Mind Your Privacy delivery will be open to adaptation, through an iterative process, following feedback.

The third step is a technical assessment, in order to deliver a gap analysis, as the objective is to assure an adequate data architecture for your company. Mind Your Privacy's gap analysis is based upon organizational, functional, process and technology related initiatives as well as architectural imperatives.
Prioritization is the next logical step, where risks are assessed through a cost-benefit analysis for each suggested initiative. Once this is iteratively evaluated, a roadmap emerges, clearly defining company projects and related initiatives as well as underlying processes, focused on required business objectives.

Establishing, collecting and reporting on metrics to measure progress

Tailored measures and metrics are established at the start of the project. The focus is on clearly defined quantitative metrics that support the project objectives. Metrics need to combine business values and sample metrics including data values, data management costs and data management processes maturity. A Data Governance KPI dashboard is the ideal solution to monitor and automate the progress. Finally, measures of immediate returns for defined quick wins allow for positive feedback and broader project endorsement and appropriation.

Establishing measurable benefits by building a business case

An effective Data Governance program produces benefits in the long run. Yet as some of the effects might not be visible immediately, Mind Your Privacy suggests focusing on the relationship of key data elements and the business processes they support. Costs for managing these data elements are then calculated in order to quantify the risks of such data elements becoming unavailable or incorrect. Identifying the opportunities where data quality improvements foster revenue through better customer service and insights is often an ideal initial business case.

Link and build incentives to reward and re-enforce appropriation

Parting thoughts: adequate participation on an on-going basis is essential to success. Without input and buy-in, your Data Governance effort is nothing more than another stack of written procedures gathering dust. Building an incentive-based reward system, linking performance to participation, will re-enforce commitment, obtaining sustained appropriation from involved parties.