
Understanding Data Governance and Data Quality

February 7, 2011

This morning, I read an interesting blog on the topic of “Data Governance in Silos? Bad Idea” in ITBusinessEdge. Intuitively, the idea of a corporate-wide standard for data governance and data quality makes sense. I also like the idea that it is both more effective and efficient when data quality is done in a standard fashion, by experts using common tools. Managing data in silos certainly seems inefficient, and likely to leave gaps in coverage.

The author, Loraine Lawson, links to an earlier post where she talks to the very important topic of ensuring the reliability of the data used to make decisions (the data used by business intelligence software, residing in enterprise applications and warehouses).

I wholeheartedly agree with her that before you embark on a business intelligence journey (or simply one of enhancing your analytics) you need confidence that the underlying data is complete, accurate, timely, and current. Enterprise information management (EIM) software can be of great assistance (SAP and IBM are examples of vendors with a range of solutions).

But, just what is data governance anyway? I found a valuable 2007 article in CIO. It says:

“Data is valuable. As the challenge of protecting customer data mounts, more and more businesses are embracing data-governance strategies to manage the information that serves as the lifeblood of the company. Without a doubt, data has become the raw material of the information economy, and data governance is a strategic imperative.”

OK. I can accept the need to be concerned with the quality and use of corporate data.

Wikipedia has a page on the topic. It says that “Data governance encompasses the people, processes, and information technology required to create a consistent and proper handling of an organization’s data across the business enterprise.”

But, auditors and others have been talking about the integrity of data for ages: just think of good old input-output controls and concerns for data security. How is this different? Why do we talk about data governance separately from risk management and internal controls/security?

The Wikipedia piece also says:

“Data governance initiatives improve data quality by assigning a team responsible for data’s accuracy, accessibility, consistency, and completeness, among other metrics. This team usually consists of executive leadership, project management, line-of-business managers, and data stewards. The team usually employs some form of methodology for tracking and improving enterprise data, such as Six Sigma, and tools for data mapping, profiling, cleansing, and monitoring data.”

This doesn’t seem to include how data is created and transformed within business applications like accounts payable and manufacturing – where the focus has to be on controls within those processes to ensure the completeness, accuracy, and validity of the transactions. Or does it? Maybe the intent is that data governance includes the controls within business processes!

Let me propose this and ask for your comments:

  1. Data created or transformed during business processes should be subject to controls and security within those business processes. The level of resources allocated should be appropriate to the level of risk if that data is not correct.
  2. Once the business processes have led to data being retained for analysis, reporting, etc., controls need to be in place to ensure it remains complete and reliable.
    1. If risks to data (e.g., theft, loss, corruption, lack of integrity, unauthorized access) are significant to the organization, they need to be addressed.
    2. If your organization relies on corporate data as a source for reporting (for example for financial and operational reporting, providing management with information used as a basis for decisions, or for other regulatory reporting), the risk of errors or omissions in that data might be significant.

Focusing on just one of these cannot be right.

So, however you define data governance, you need to address:

  • How data is created and transformed during business processes
  • How data is stored and protected, so that it retains its integrity
  • How data is then used as a basis for analysis, business intelligence, decision-making, and reporting – which includes how data is transformed in that process (including aggregation of data from multiple sources)

Returning to the original “Data Governance in Silos? Bad Idea” article, I suggest that organizations should not only look at how they manage ‘data at rest’ in data warehouses and repositories – and avoid silos – but also consider the systems and processes where the data is created and transformed. Are those business processes and the related controls performed in silos? Are there opportunities to improve effectiveness and efficiency through standard approaches and tools?

I am interested in how you see this. Questions for you:

  • How do you define data governance?
  • Does it include controls and security within business processes like manufacturing and sales invoicing? Or does it only apply to ‘data at rest’?
  • Who is responsible for it? Process owners or IT, or both?
  • Do you have specialized tools to ensure the quality of data used in analysis and reporting?
  • Do you agree with what I have laid out?
  1. February 7, 2011 at 5:34 PM

    Norman,

    These are interesting points you have mentioned relating to data governance. In the present world of high dependency on technology and globalization, data governance is critical to an organization. In most cases there are Chief Information Security Officers and Chief Information Assurance Officers who are responsible for data security and governance.

    As you have pointed out, data classification on sensitivity and criticality of information is necessary. Customer data is extremely sensitive.

    However, in most cases, frauds are occurring because of data compromises. In my view, data compromises occur because of lack of emphasis on risk management and security aspects. For example, for some banks it is perpetually coming in the media that they lost so much data during transfer from one office to another, on the train, etc. Whereas for other banks, there will not be a single instance.

    The point I am trying to make is that frauds, especially those related to technology, occur because of three things: 1) Lack of senior management interest in focusing on fraud, 2) Incapability of fraud investigation teams to prevent or detect frauds, 3) Inadequate technology support or old technology used. However, where senior management is participating in fraud, the best of fraud investigators and technology are bound to fail since all business and technological controls will be bypassed. Controls are only as good as the humans managing them.

    Now you might disagree with me here. So I am giving you a very simple example of an account takeover fraud. Let us assume you have a bank account in XYZ bank, and you have activated telephone banking. Now to use telephone banking you normally have a password. Let us say you left your password at home, and want to use it urgently from the office. It is quite simple: you have to pass the verification questions which the call center agent will ask. Normally they are your full name, your account number/debit card number, date of birth, address, and secret verification question.

    Now if a call center agent can view all this information on your account just by clicking the account, this information can be stolen by the agent to do an account takeover fraud. He/she can get someone to call and pass the verification questions, and do a funds transfer.

    If a bank is interested in data security, they will ensure that some information in the critical fields is encrypted, for example date of birth. So if the birth date is not available, the transaction cannot be processed, so there is enough data security.

    Now let us say this point is highlighted by fraud investigators and risk managers to the management, that one field needs to be encrypted. The cost of encrypting, and developing a small software addition for it, is negligible in comparison to the fraud savings. However, the management and the CIO refuse to approve that small alteration for two to three years consecutively.

    Now is there any point in seeing the data governance and security classification? It is the tone at the top and the intention of the management which matters.

    Apologies for being a devil's advocate out here on your post.

    Kind regards,

    Sonia
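The control Sonia describes above, where a verification field such as date of birth is held so that the call-center agent never sees it in the clear but the system can still confirm what a caller states, can be shown in code. The following is an added example, not code from the blog or from any commenter or bank. It uses salted hashing instead of the encryption she mentions, a swapped-in technique that suits fields used only to answer yes/no verification questions, and it assumes a constructed customer record; the names `protect_record`, `agent_view` and `verify_caller` are illustrative.

```python
"""Field-level protection for call-center identity verification.

Added example (not from the blog or its commenters). Secret verification
fields are stored as salted hashes: the agent's screen shows only a
placeholder, and the system answers pass/fail when the agent keys in what
the caller claims. Names and the sample record are constructed.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000

# Fields the agent may read in the clear to locate the caller's account.
IDENTIFYING_FIELDS = ("full_name", "account_number")
# Fields that answer verification questions; never shown to the agent.
SECRET_FIELDS = ("date_of_birth", "secret_answer")


def _normalize(value: str) -> str:
    # Trim and lower-case so " 1980-03-04 " and "1980-03-04" compare equal.
    return " ".join(value.strip().lower().split())


def _derive(value: str, salt: bytes) -> bytes:
    # Slow salted hash: a leaked store cannot be trivially reversed to DOBs.
    return hashlib.pbkdf2_hmac(
        "sha256", _normalize(value).encode(), salt, PBKDF2_ITERATIONS
    )


def protect_record(plaintext: dict) -> dict:
    """Return the stored form: identifiers kept, secrets replaced by salt+hash."""
    stored = {k: plaintext[k] for k in IDENTIFYING_FIELDS}
    for field in SECRET_FIELDS:
        salt = secrets.token_bytes(16)
        stored[field] = {"salt": salt, "hash": _derive(plaintext[field], salt)}
    return stored


def agent_view(stored: dict) -> dict:
    """What the agent's screen shows: identifiers in the clear, secrets redacted."""
    view = {k: stored[k] for k in IDENTIFYING_FIELDS}
    for field in SECRET_FIELDS:
        view[field] = "<checked by system, not displayed>"
    return view


def verify_caller(stored: dict, claimed: dict) -> bool:
    """Agent types what the caller says; the system returns only pass/fail.

    Every secret field must match. All fields are always checked and compared
    in constant time so the response does not reveal which one was wrong.
    """
    ok = True
    for field in SECRET_FIELDS:
        entry = stored[field]
        candidate = _derive(claimed.get(field, ""), entry["salt"])
        ok &= hmac.compare_digest(candidate, entry["hash"])
    return ok


# Constructed sample customer (not real data).
SAMPLE_CUSTOMER = {
    "full_name": "Alice Example",
    "account_number": "00012345",
    "date_of_birth": "1980-03-04",
    "secret_answer": "Rover",
}

if __name__ == "__main__":
    record = protect_record(SAMPLE_CUSTOMER)
    print(agent_view(record))  # no date of birth or secret answer on screen
    print(verify_caller(record, {"date_of_birth": "1980-03-04", "secret_answer": "rover"}))
    print(verify_caller(record, {"date_of_birth": "1980-03-04", "secret_answer": "Fido"}))
```

The design point matches her argument: an agent who can see every field can hand the answers to an accomplice, while an agent who only receives a pass/fail result has nothing to pass on. The remaining exposure is the moment the agent keys in the caller's claimed values, so logging which agent verified which account, and alerting on repeated failed checks, is the complementary detective control.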

  2. March 14, 2011 at 12:39 AM

    Great post. I really found it interesting and educating.
