On Data Governance – By Marv Goldschmitt
Posted by Prat Moghe on Tue, Jun 19, 2007
I have bitter sweet emotions with this post. Marv Goldschmitt who led business development at Tizor for the past three years is retiring. Marv has been doing interesting work in the area of Data Governance – he led the Risk Management group within the IBM Data Governance Council. I asked Marv to pen his thoughts on Data Governance and how data auditing plays into managing data risks. Here is the first of two articles he came up with. Those who know Marv will understand that I had asked him to be brief and “promised” him heavy edits. However, the article was so good that I had to leave it alone. This is quintessential Marv.
Data is important. We all know that. But we may not have realized what shape that importance would take. How it would represent all corporate assets, not just financial. Or how many people would care about what happened to data - because it’s about them. We also didn’t expect the government to legislate control over data - because data would factor into crimes that corporate executives committed against the public and because data can be used to threaten the safety and underpinnings of society.
So in reaction, a new political science term has become the buzz phrase geared to help manage our relationship with electronic information: data governance. This is a good term, really. It recognizes that data is part of the fabric of society and needs a shared understanding of how we interact with it and how we expect other people to interact with it. That is the essence of governance: an agreed upon set of rules and procedures that create an environment of expectations, metrics, rewards and penalties. This is true in any material arena of human interaction.
The “crux of the biscuit”, as Frank Zappa said, is do we agree on what data governance is and will it be taken seriously? Without agreement on those two points data governance will remain a buzz phrase and be of little value in the real world.
Data governance is in its infancy, so different people will have different definitions. This is natural as we struggle to create a common view of this new discipline.
Discussions with senior management in large corporations have shown me that the definition spans the spectrum from compliance reporting -- providing regulators and auditors with proof that externally created requirements demanding basic controls on data exist (e.g. Sarbanes Oxley, HIPAA) to being able to protect data from bad events-- to protect the company’s reputation from the affects of Breach incidents that result in identity theft to making sure that the corporation fully leverages data assets in a way that gives them sustainable competitive market advantage.
Using the same term to cover everything from compliance to security to market advantage, while not inherently incompatible, is inherently confusing. And this confusion can lead to a lack of clear organizational goals and mandates, operational inefficiency and failure at the project level.
Because of the ubiquity, borderless nature and high value of data, it’s inevitable that data governance will eventually become a reality. Without it, trust can’t be built in business and interpersonal relationships, especially those at a distance. The question is, “how much pain and how many steps do we have to go through to get there?” How many companies will end up on the front page of the Wall Street Journal because they’ve allowed customer data to be misused? How many CEOs will go to jail and their stockholders suffer because books have been juggled clandestinely with the click of a mouse? How much money and critical organizational resources will be squandered because of lack of guidance when an auditor or a regulator makes a request for a specific control?
So, here’s the real question: What’s going to drive companies to the point where they look seriously at data governance, integrate it into their normal process of corporate governance and, eventually, gain the benefit from understanding and managing what will become their most important asset? The answer, I believe, comes from history. Though we’d like to believe that businesses, communities, countries create governance models to take advantage of opportunities, the fact is that most rules and regulations come into being for the purpose of avoiding and managing risk.
It is enticing for corporate executives and consultants to explore the potential benefits of being among the vanguard of companies to wring the in-depth business intelligence value of their accumulating data asset for greater market knowledge and, therefore, improved product and service creation. The reality is that the pressures of revenue, profit and the efficient use of scarce resources make it difficult for these ideas to make it out of the boardroom into the realm of day to day operations. What will drive that change is risk.
For those of us who care about data governance, see it as a critical bottom-line business issue and accept the premise that the only thing that will motivate change is risk, the good news is that there is plenty of data risk to go around. Data risk comes in many flavors. It is the risk to an individual’s career if he or she can’t demonstrate control of the data they are responsible for. It is the embarrassment of a leading retailer who treats customer data cavalierly and suffers fines, internal costs, stock value declines, expensive lawsuits and the loss of public trust. And, inevitably, it will result in the inability to thrive as other companies use data in a way that improves their business performance in an accelerating worldwide economy that provides little forgiveness for inefficiency.
So what next? If data risk is the key driver for getting a start on data governance, how do you get a start on dealing with data risk? We’ll talk about that next week.