Why data governance matters – and who should own it?

Should CIOs take an active role in data governance? Their organizations may need it to survive even if they don’t grock the business value.

tug of war

Over the last couple of years, I have pinged CIOs multiple times regarding their view of data governance. It has been amazing to watch how much it has morphed over the last few years…as clearly evidenced by recent discussions among senior tech leaders in our weekly #CIOChat Twitter chat.

What topics should an effective data governance process address?

CIOs today have thought through data governance. One CIO suggested immediately that data governance needs to answer the following business questions:

  1. What data do I have?
  2. Where is that data?
  3. What do we need data for?
  4. Who has access and owns the data?
  5. How do we control, protect and maintain data?

Given a maturing perspective regarding data governance, I was not surprised when CIOs provided me a long list of things to be considered in an effective data governance program:

  • Data ownership
  • Data architecture
  • Data accessibility
  • Data usage
  • Data security and privacy
  • Data classification
  • Data quality
  • Meta data management/master data/data consolidation
  • Data retention
  • Regulatory/compliance
  • Reporting/metrics

Many CIOs suggested data classification is the place to start a data governance initiative. One CIO said it is important that organizations be able to crawl before they walk or run. For this reason, the ability to classify data represents an important first step. CIOs believe this is paramount and foundationally. CIOs say data governance, at the same time, needs to be able to evaluate several types of data including metadata, master data, content…the list goes on. Effort here, CIOs say, should be part of a larger information governance initiative.

Increasingly, CIOs say a data governance program needs to include a strategy for privacy as well as other business risks. CIOs here need to be able to actively balance between corporate goals and business risks.‏ As part of this effort, data governance programs should answer the ownership of data for consumer. Does data have one or dual owners? Compliance is a good starting point for this topic. And the list of compliance requirements is only going to grow. A minimalist list today includes GDPR, CCPA, HIPAA and PCI-DSS.

Driving good data

CIOs say that governance by itself doesn't ensure data quality. But it does ensure data quality processes are defined, who is responsible and that enterprise-wide needs are being met in this regard. Clearly, data governance should not be just a laundry list. It's about who is involved (people) and how they're involved (process). This of course will depend upon the organization.

CIOs say if an organization is starting a new transformation, governance should be considered a foundation, a capability. If governance, however, is about repairing a broken data mess, data governance should include cleanup governance. This allows organizations to refine processes and make effort to improve data quality.

If data quality is bad, you may have the wrong people with “write” permissions for data, which is a governance problem. At the same time, it is important to establish agreement on sensitivity of data and where that data sits in your data classification model.

It is the responsibility of data stewards and even data users to determine what to do when data is misused. It’s also the steward’s role to determine how to ensure the overall trustworthiness of data. Clearly, topics like data longevity and retention can represent thorny governance issues, with numerous technical, legal, regulatory, compliance and operational concerns.

What stakeholders should be involved in an effective data governance program?

CIOs say that all that own, manage and/or rely on data to make decisions, should be involved in data governance. A financial services CIO said, “to use Gramm-Leach-Bliley Act (GLBA) terms, this includes data managers and regulation monitors. They must be at the table. In the end, this could include someone from just about every business area.”

For many organizations, the legal department is a key stakeholder to align with and ensure the organization is meeting necessary governance requirements. Data can pose legal challenges. The longer you keep data, the more data can be used in e-discovery. While the business may want to keep data forever, there is a risk in not defining and enforcing data retention as part of a data governance program.

Data governance stakeholders, for this reason, often include leaders from operations, sales, marketing, HR, accounting/finance. The C-suite leaders need to play a role. Where they exist, information governance and records management functions need to be included. The key stakeholders for data governance other than IT need to include:

  • CEO
  • CFO
  • Lines of business
  • Customers
  • Partners/suppliers
  • CRO
  • CMO
  • Head of Sales
  • Regulatory/legal bodies
  • Risk management
  • Chief Data and/or Digital Officer
  • Compliance

Organizations, in risk intolerant industries, want data retention limited for reasons of legal exposure. It used to be seven years, but many defining even shorter windows. A key partner in data governance in higher education is our institutional research office. This office should drive the process with IT support. Beyond them, it's all the data stewards. And, as always, risk management, counsel, etc.

How can the IT organization best support a data governance?

CIOs believe the IT organizations represent the connective tissue for much of the organization. IT has unique knowledge of the “who” in most questions about data. In other words, they know who has, who sees, who wants, etc. For this reason, IT should be a principal facilitator for data governance. As a part of this, it's critical that IT connect the business stakeholders that may not even know they need to connect.

At the same time, CIOs suggest that it is hard to imagine a workable data governance effort without software tools. This is even though some are highly specific to domains or governed/audited systems. One of the most important responsibilities for IT is to create a seamless process for multiple departments and stakeholders to be involved during the data governance process. They cannot become a bottleneck, or it will never get started. The best way to make sure data is correct is to use it. CIOs are clear that bad data begets bad reporting.

CIOs say that the IT organization best support data governance by taking on:

  1. The resolution of long-term data ownership/control issues
  2. The making of it easy to understand and comply with
  3. Removing of obstacles (technical debt, integration/MDM issues)
  4. Being proactive + helpful

It is important for the IT department to implement realistic solutions for their situation. Sometimes when they try to do too much, they end up creating impossible policies. The data governance process must be very strategically thought out functionally and practically. In data quality, one CIO said that sunlight tends to be the best disinfectant. For this reason, they suggest when migrating to cloud, part of the data governance plan must be “rot cleanup.”

It is a failure where IT tries to implement data governance through tools but without the full business backing. Here IT can end up with a mess. Even the best tools are helpless when applied against broken process. The best thing IT can do is make sure the overall process as automated and seamless as possible. Data governance processes that are cumbersome create opportunities for shadow IT to go in around a defined process. If it doesn't work, it won't get used and then it will become IT's fault.

IT must make sure to start lean and not turn governance into a bureaucracy. This will kill the program at its’ start up. Even though IT can be a true leadership function when it comes to data governance and master data, the reality is that without very close business involvement, it becomes almost a rogue exercise. Therefore, lines of business need to be on top of the stakeholder list.

By being an informed and accessible data custodian.  This can include both process and tools. Process is the most difficult thing to agree upon. People and process before technology. There must be complete buy-in and then experienced IT leaders quarterbacking the situation to ensure everything continues to progress smoothly cross-departmentally.

Where there is a Chief Data Officer how does the RACI get done between the IT and the CDO? 

CIOs say that this should be done very carefully. They say the RACI for data governance between the CIO and chief data officer is a function of the following:

  • Official role definitions in the organization
  • C-level collaboration
  • Open, shared governance
  • Top priority business needs
  • Urgent situations (cybersecurity/regulatory incidents)

Whether a formal organizational chart relationship exists between the CIO and CDO or they are peers, CIOs believe information governance function must be formalized and include both. The specific RACI roles/rules should be tailored by the organization. As with most things, open communication is always advised.

In general, CIOs say the RACI needs to be a core part of a business even before taking the data governance journey. Where a company utilizes DevSecOps (security by design), the CDO and IT will be steps ahead. CIOs believe that it's often access to that data from specific areas of the organization that makes their success possible. It's access to that data from specific areas of the organization that makes their success possible.

Certainly, in higher education, a lack of access to specific decision-making data in a timely manner is the difference between success and failure. Open communication is always advised, but beyond a basic answer, CIOs say the RACI needs to be a core part of a business even before taking the data governance journey.

Where a data governance program is lacking, how can CIOs best sell it?

This clearly depends on the industry. For some, it involves demonstrating increased revenue with data governance. For others, it is demonstrating significant risk avoidance/mitigation. Regardless of approach, the CIO needs to be committed to implementing technology solutions that work. These solutions should importantly not create more threat surfaces. The CIO needs to be personally invested in implementing a governance program that can reduce risk.

CIOs say a data governance program is not only a matter of selecting tools or even implementing processes. Getting people involved is the key to its success. Therefore, CIOs with influence need to bring in the right people to improve a data governance program that is lacking.

Often CIOs can tie data governance to a large upcoming project to make the case. For example, getting a new ERP that will change lots of business processes. So, it should be a no-brainer to get a data governance group up and running around an ERP project. With this said, CIOs stress that data governance is not a project or a check the box activity. It’s a culture!

Sometimes governance is the right term for the C-suite (showing a maturing organization). Just making sure you understand corporate governance before you start throwing the term around. CIOs suggest that it makes good sense to always tie information and data governance to overarching corporate governance.

One CIOs said that in their efforts to mobilize data governance, they focus on tying efforts to revenue generating/cost savings initiatives. CIOs stress that executives understand dollars better than data governance. Unfortunately, they say often takes regulations/audit findings/incidents to get the attention of executives and to secure appropriate funding for data governance. 

With business support, CIO need to hire/appoint an information governance expert to spearhead data governance. CIOs need to make sure that a maturity assessment is done. They should take findings to leadership with the business case for what to improve and the business impact. CIOs say the inability to make effective organizational decisions because data is inaccurate or untrustworthy. 

Encompassing a changing data landscape

CIOs say in this process it’s important to encompass the changing data landscape. Data no longer lives within a handful of in-house applications. It is time to think about the data you use that lives off-network in SaaS providers. Data governance must consider all solutions.

One CIO said here that they put the effort into understanding where their data is first and what impact it must have upon grow or transform business strategies. Once you have this, you can sell it as either a hygiene requirement to move forward or the foundation. The CIO can best sell a data governance program by:

  • Showing the value proposition and what's in it for each stakeholder
  • Showing it supports top strategic priorities
  • Showing how it enables, not constraints
  • Being inclusive
  • Offering to pay for it

CIOs suggest that it is important to explain how not having data governance is hurting the organization. Sometimes this about explaining how this is risk avoidance/risk mitigation. For example, CIOs need to recognize that GDPR remains a very powerful fear factor for many organizations needing to start working on the process. At the same time, the inability to make effective organizational decisions because data is inaccurate or untrustworthy. Insecurity represents risk.

It is important to stress that the data governance program is not just a matter of selecting tools and even implementing processes. People are key to success. For this reason, a CIO will have to use their influence to bring in the right people to help improve or establish a data governance program. Unfortunately, too many organizations look at this as an initiative that is just a project with an ending date. Governance must at its core always supports the mission and strategy of the organization.

CIOs say finally that organizations need to evolve so the program encompassing a changing data landscape. Data governance must evolve as solutions evolve. The goal should be a culture where the importance of data and the risks are understood and considered without a special program.

Data governance really matters these days. For this reason, CIOs need to establish a cross organizational team. The team needs to effectively manage the people, the process, and then the selected technology. Where one exists, the CIO should partner with the CDO. This includes selling the organization on the business impacts and the risk mitigation of establishing a data governance program.

This article is published as part of the IDG Contributor Network. Want to Join?

Copyright © 2019 IDG Communications, Inc.

Get the best of CIO ... delivered. Sign up for our FREE email newsletters!