How to craft a Data Governance Strategy?

Krupesh Desai
Published in Data View House
Aug 29, 2024

In my quest to simplify the language of data under the Data View House publication, I endeavoured to bundle my take on crafting a data governance strategy in this blog. Before I jump into the data governance strategy, let’s look at the foundational principles (or bias) of the strategy that I learned or self-realised while working on and with data over a decade.

Foundational Principle 1 — The race of datum to intelligence.

Datum to Intelligence — The Data Lifecycle

In the Data View House school of thought, the data lifecycle is seen as a race of datum to intelligence spanning four phases: from the origin of a single data element, namely “Datum”, to its storage, processing, and access of inferred intelligence and information. A business that wins this race by converting its business data to intelligence faster will do better than its competition. Please note that data retention/disposal management is part of the “Storage” component. You can find more about the race of “Datum to Intelligence” in the Data View House Genesis blog.

Foundational Principle 2 — No Silver Bullet.

Foundation — No Silver Bullet

The intensity and objectives of a data governance program in an FMCG company would differ from those of a nuclear plant or a national statistics department. There never was and never will be a silver bullet solution for any problem, and this applies to data governance as well. The nature of the business and the industry would drive the culture and appetite for data governance.

Foundational Principle 3 — The Order of Significance.

A business (of any kind) does not exist to implement the best data governance. Rather, a business needs the best possible data governance that can enable it to meet its objectives. Therefore, a sustainable and effective data governance strategy should stem from the data strategy, which is guided by business and IT strategies formed to meet business objectives.

Data Governance Strategy — Balancing Conformance and Performance

A data governance program is initiated to meet two objectives — 1. Data Conformance to comply with regulations and 2. Data Performance to leverage the business data for critical business decisions confidently.

Balance Your Data Conformance and Data Performance Objectives

Forming a data governance strategy is collaborative, requiring combined inputs and guidance from IT, business, and legal representatives. This collective effort is the art and science of balancing data conformance and performance to meet short-term and long-term business objectives. Data performance deliverables of a data governance program focus on optimising the trust, quality and value of the business data and inferred intelligence, while data conformance deliverables are about meeting regulatory compliance requirements.

With collaboration as the key, the data governance strategy should focus on producing a charter that defines the purpose of data governance (i.e., conformance, performance, or a mixture of both — why are we doing what we are doing?), forming a steering committee with a rotating chair, and identifying data stewards. These stewards are entrusted with propagating data governance practices throughout the enterprise, making them an integral part of the strategy.

The Data Management Body of Knowledge (DMBoK) defines strategy as “a set of choices and decisions that chart a high-level course of action to achieve high-level goals.” With this definition of strategy, forming a data governance strategy would require adopting a set of choices that meet data conformance and performance goals derived from the business objectives. In a heavily regulated industry, an IT-led data governance strategy may focus solely on conformance, where data governance is seen as a subset of IT governance, and achieving the ISO 27001 or ISO/IEC 38505-1:2017 standard is deemed sufficient.

To achieve long-term goals, the data governance strategy should include a roadmap with milestones that meet data conformance and performance objectives. Conformance milestones should address data security, classification, and access management policies, led by IT and legal teams. Performance-oriented milestones, on the other hand, should involve the implementation of a business glossary, data catalogue, data quality management, and data lineage and impact analysis, led by business units aiming to strategically utilize business data.

Where to Start

Based on the foundational principle 2 — “No Silver Bullet”, data governance strategies will vary between two organisations depending on their industry and business needs. However, every data governance strategy should accommodate three management areas (shown below) early on for data produced by critical business systems, processed by data management tools, and consumed by reporting systems.

Data Governance — Start From Here

Metadata Management

You need information about the data to make governance decisions about it. Thus, regardless of conformance or performance, every data governance initiative would demand extracting and managing metadata in a repository (data catalogue) to classify and tag data assets. Metadata must be collected for the entire data lifecycle, including the business systems where business data originates, the data storage and processing systems where data is transformed into business information, and finally, the reporting and API systems from which information consumers share or access data.

Risk Management

Risk is an adverse consequence associated with some indicator of its severity and frequency of occurrence. When magnitude and frequency can be accurately measured, the risk quantification process is crucial: it allows us to nominally quantify risk as frequency times magnitude and clearly understand the potential impact [2]. Therefore, a data governance strategy should adopt and leverage quantitative risk analysis frameworks to identify and quantify data risks and ensure mitigation actions are taken. For example, Factor Analysis of Information Risk (FAIR) is a quantitative risk analysis methodology for calculating information security risk, while Factor Analysis of Information Risk for Privacy (FAIR-P) focuses on quantifying data privacy risks.

It is worth investigating whether any existing, already in-use risk management framework can be leveraged for data governance. A large and regulated enterprise usually has a formal enterprise risk management framework based on the OWASP Risk Rating Methodology, whereas the IT security team could already be using Microsoft DREAD for cyber security risk assessment.

Master and Reference Data Management

Every business collects transactional data about its core entities, such as customers, products, vendors, and business sites, which are a type of master data. Reference data provides more context to the master data, for example gender, product type and customer category. Therefore, a data governance strategy should prioritise streamlining master and reference data management practices in the early milestones of data performance. This initiative will set the foundation for data performance optimisation and eventually touch upon various knowledge areas listed in the DAMA Wheel, such as data quality, integration and business intelligence, guided by business priorities or pain points.

Conclusion

The DAMA wheel from DMBoK is a comprehensive artifact that includes all areas a data governance program must address. However, every initiative starts with a first step and a long roadmap that is strategically aligned with business objectives. Above was my attempt to share my ideas on defining those first steps and the roadmap to craft a data governance strategy that balances data conformance and performance objectives. In the next blog, I will cover a specific example where we can apply the strategy discussed above.

I see myself as a perpetual student of data management and would love to hear your thoughts and feedback in the comments about my brief take on the data governance strategy.

References:

  1. DAMA. Earley, S., Henderson, D., & Sebastian-Coleman, L. (Eds.). The DAMA Guide to the Data Management Body of Knowledge (DAMA-DMBOK). Bradley Beach, NJ: Technics Publications, LLC. 2017.
  2. 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) — Quantitative Privacy Risk Analysis

Krupesh Desai
Data View House

A Certified Data Management Professional - CDMP Associate, solving data-intensive problems, creating value, sharing the Data View House™ school of thought.