I’m surprised more people don’t run for the hills when the term ‘data governance’ comes up.
Throughout my journey of implementing data governance programs in financial services and supply chain businesses, I’ve mostly heard phrases like, “We have enough governance, why do we need more?”, and, “Our data is fine, why do we need more policies and more compliance training?”
The phrase that I’ve chosen to introduce to the businesses I’ve worked in is not ‘data governance’, but ‘data risk management’.
I have always considered risk management as the valued second step to consider in any business decision. Data risk management (and governance) should be view in the same way.
It has a fair bit to do with the technology solutions that assist a business in managing their data assets, but the largest risk, as I see it, is what the business employees are doing with the data – this is a question that technology cannot answer on its own.
Benefits of data risk management (governance)
More mature businesses view data risk as an operational risk.
Bringing data risk (governance) into the operational risk management framework usually allows companies to manage the incidents effectively and not rely on quick or isolated fixes.
When incidents occur with data, be that data loss, incorrect data or missing data, that leads to assumptions being made, which generally creates an operational risk incident.
Investigations need to be done to get to the root cause of the incident or issue, and remediation activities need to be implemented to correct the incident or issue, while monitoring needs to be conducted alongside remediation to ensure the fix is effective.
The benefit of an issue being exposed to the whole business, prioritised, and remediated is that it can ensure other parts of the business are not solving the same issue on their own, or several times over.
This also drives strategic thinking around the data ecosystem, as risk management looks at cause and effect, and then reviews the control environment for solutions.
If the control is not in line with the business’s strategic control appetite, the risk management framework can change and improve on ways of working.
The other less-talked-about benefit, is the idea of allowing innovation to occur.
Now, risk management isn’t necessarily innovative in its own right, but it can be in the environment that it creates.
Data risk management provides the guardrails for the management and innovation in data.
Think of it as a type of ‘freedom within boundaries’. If a company’s risk management framework is well established, the data citizens will have a far better understanding of what can and cannot be done with data.
This facilitates meaningful conversations throughout the business regarding the change in data risk appetite, rather than an isolated data discussion in the event of, or aftermath of a crisis.
The metrics captured through effective data risk management are more comprehensible outside of the immediate data community, as they will align to or inform the risk appetite of the business.
How do we get to this nirvana state?
Most businesses think that data governance is ‘a set of policies, procedures, and standards that ensure a business’s data is accurate, consistent, secure, accessible, and usable’.
The definition I prefer is that, ‘data governance is the specification of decision rights and an accountability framework to ensure the appropriate behaviour in the valuation, creation, consumption and control of data and analytics’, provided by Gartner.
Gartner’s definition talks much more to the human aspect of data governance over pure process and documentation.
A data governance framework that allows businesses to think and challenge a purely documented process, policy and standard leads to better engagement with the governance framework and often a far greater take up, as not all of the framework may need to be applied all of the time.
This can often lead to more accountability and behavioural changes that allow innovation and creativity to happen inside the framework (Again: Freedom within boundaries).
This also facilitates consistent dialog between the citizen users and the governance framework advocates, allowing the framework to develop over time and remain meaningful to the organisation, and not just a theoretical model based on current or out of date practices.
This also moves the data governance team into more of a business partner role, as opposed to a framework administrator and judicator.
Humans are generally averse to risk that needs to be intensively managed.
Data risk management can cause a level of anxiety, with people having to consistently wonder if what they are doing is ‘safe’.
Building out data governance to be the boundaries within which the data citizens can move freely will facilitate better take up and allow innovation to flow, without the consistent need to check for ‘clearance’.
It also requires data governance leaders to be more engaged with what the business is doing and consistently checking the framework for relevance, as opposed to standing behind a set of policies and standards that may be hindering the business.
Data risk management (governance) should be the valued second opinion in relation to data, and to be valued, the governance framework should be relevant to the business strategy, aligned to the risk management framework, and have a structure where it can consistently be reviewed and challenged.
This kind of framework will invite the business to engage with risk management from the initiation phase of change related to data, and not be asking for forgiveness post-implementation.