OPINION: Data Risk: It’s All About Governance


By Paul Franks, Director, Financial Services, SAS


Financial institutions confronting more stringent regulation for data management – as in APRA’s new Prudential Practice Guide CPG 235: Managing Data Risk – might be tempted to paraphrase former US President Bill Clinton’s memorable line about the ‘economy’ with, “It’s the ‘data’, stupid”. With information and data being considered as genuine strategic assets for enabling and driving business strategy, I thought it would be timely to revisit a long-held firm favourite of mine: data governance and topical issues for complying with new prudential requirements.

What exactly is data governance?

Data governance is defined as the organising framework for aligning strategy, specifying objectives, and establishing policies for enterprise information. Of greater importance than defining data governance, however, is what your organisation understands it to be. Despite its pervasiveness, data governance has failed in more than one well-meaning company because people misinterpreted its meaning, its value, and the shape it would eventually take. As with any strategic initiative that enlists both business and IT and is process-centric and highly visible, data governance must be designed. This means tailoring it to your organisation’s specific culture, organisational structure, incumbent ownership environment, and current decision-making processes. It means articulating the value proposition for cross-functional and formal decisions about corporate information use and how value is measured.

A common mistake companies make is equating data governance with data management. Data governance is the decision-rights and policy-making for corporate data, while data management is the tactical execution of those policies. Both require executive commitment, and both require investment but data governance is business-driven by definition while data management is a diverse and skills-rich IT function that ideally reports to the CIO.

Not a finite project

In a well-intended effort to fix what is broken, many companies will announce data governance with much flourish and fanfare. An executive might assemble a cross-functional team by extracting its members from existing projects, creating a data governance SWAT team and a Centre of Excellence or a data quality task force. In each case, data governance is being treated as a discrete effort when in fact it should be embedded into existing development and decision-making processes. Data governance should be continuous and systemic. As information needs change, data volumes increase, and new data enters the organisation via new systems and sources, decisions about how to treat, access, clean, and enforce rules about data will not only continue but will likely also proliferate. A structured, formal and permanent process for these policies and decisions should be retrofitted into the way a company develops its data and conducts its business.

Leveraging your existing data governance structures

A key indicator of data governance success is an environment that encourages decision-making bodies such as councils, steering committees, management roundtables, or advisory teams. These usually comprise individuals from across business functions who have both the authority to make decisions and the accountability to ensure those decisions are enacted and ultimately drive business improvements. By inviting incumbent decision-making bodies to participate in the data governance process, you effectively institutionalise data governance as a component of corporate policy making. You also implicitly enlist the support of a variety of individuals and change occurs one individual at a time.

Changing entrenched organisational paradigms and behaviours is perhaps the biggest obstacle for any governance effort. Regardless of your organisation’s explicit structure and biases, establishing unambiguous decision rights is a requirement for governance to thrive. Existing cultural norms should inform, but not necessarily dictate, how decision rights and accountability are assigned. Effective governance often challenges intrinsic ideas about what decision making means. Therefore, the governance program must also clearly articulate its mission and value, develop communication plans; and plan for, champion, and reward change – often one business constituent or person at a time. The design of your governance must address the unique challenges and biases in your organisation.

No place for the big bang approach

The mantra: ‘Think globally, act locally’ is particularly apt when embarking upon data governance. The issues addressed by data governance are far-flung and pervasive, ranging from arbitration of cross-functional data usage to information privacy, security, and access policies. As a result, governance initiatives attempting to address an array of enterprise needs in one big bang are quickly squelched by role confusion, prioritisation debates, emergency development projects and a general backlash of the incumbent culture. To avoid this, successful programs begin with a series of tightly scoped initiatives with clearly articulated business value and sponsorship. Rome wasn’t built in a day, as they say, and neither is a mature enterprise data governance program. While an incremental approach takes time, not to mention patience, it engenders business support by demonstrating the value of governance in a context relevant to each stakeholder or sponsor. Most importantly, a phased approach establishes data governance as a repeatable core business practice rather than a standalone ‘once and done’ project.

Most companies do a good job of implementing governance policies within the scope of an initial business process or application release. However, the need for ongoing maintenance and assurance is frequently overlooked or underestimated. Because data is constantly being generated, new applications are added, business processes change, and users come and go, data management becomes a full-time endeavour. Data governance and data management are symbiotic by nature. The most relevant or vital data governance policy is of little merit just sitting on a desk. To be perceived as valuable, data governance must be measured, ultimately demonstrating positive outcomes and hard payback. For this, you must be able to manage data in a structured and tactical way. A short-sighted and hurried approach is harmful and counter-productive. For effective business outcomes from your data governance initiatives, heed this advice and you will be on the road to success.

Paul Franks, SAS, data governance, strategic assets, prudential requirements
AB+F Online
Article Posted:
October 01, 2013

Review this content

Fields marked with an asterisk (Required) are mandatory.

Extranet Login

Remember me

Forgot password?
Click here

If you do not have an Email and Password please call: (02) 9376 9509 or email subscriptions@financialpublications.com.au