It's been reassuring to see so much attention turned to data governance and its importance as a foundational mark of maturity. It says we're moving past our fixation on technology requirements to policies and controls to define and configure data for productive use.
The enthusiasm has extended to some of the product marketing I've seen in recent months. Some software folks are now proposing that the implementation of master data management should be redefined as the implementation of data governance. That's a head-scratcher to me because governance might be called a framework or a practice, but certainly not a product. While they go hand in hand, to say MDM is actually governance sounds to me like saying a BMW is actually a set of traffic regulations.
That leads to the small bone I have to pick and it's already gotten me into a bit of trouble. As a set of policies and controls, governance is a rulebook for who owns data, who can access it and who can manipulate it. What governance is not -- and was never intended to be -- is a playbook for how effectively we use, or more appropriately, measure our effective use of data.
This occurred to me long before I reconnected with Tom Davenport a couple of weeks ago, but he reinforced the point when he said, "I talk to a number of organizations that say, 'we do great analytical work, we have great data, but we still make lousy decisions.'"
There is a chicken and an egg at work. We cannot make good use of information if it is not available or of dependable heritage and quality.
But governance does not equal good decision-making. I really don't want to sound impatient here, because I believe as much as the next fellow does that governance is essential. But I wonder if governance, the requirement, won't become governance, the panacea.
You'd hate to see governance be a rehash of the old approach to building something comprehensive -- like a data warehouse -- before you know where or how it will be used. That would be chasing a problem by the tail rather than facing it head on. If that's the case, we'll eventually be calling IT irrelevant once again, or at least not the problem. When problems are no longer tied to bad data policy, they'll be tied to a lack of performance management and to no honest review of the decisions we made and did not revisit for their merit.
To the extent that it rolls up into governance, risk and compliance, the "C" in GRC is a natural for data governance. Compliance is precisely where you want policies, rules and controls, controls being the limits for what you can and can't do with data. Compliance also means dealing with some pretty deep technical architecture, and is well served by the creation of automated roadblocks.
When we look at the "R" in GRC, it seems that risk (and opportunity) management don't flow as naturally from governance, though to some degree they are supported by it.
Last week I listened in to a smart panel of SAP GRC customers who described how those three letters are being addressed at businesses like Becton Dickinson and Pearson Education. It's an interesting story that deserves to be written about on its own, and it looks like SAP is onto something with GRC that is very relevant. It was a perfect jumping-off point for my question as well.
So I asked the customer panel whether they were measuring the end effect of the decision-making that flowed up from GRC. The gentleman from Pearson pointed to a cost reduction from automated risk reporting that was near impossible to do manually. He can very quickly report that there are no compliance violations or conflicts across his systems. He also monitors events that might lead to access violations or to the risk of fraud. Monitoring and alerting to identified risks is a very good thing, but not really to my question (which might have been unfairly posed in the context of this panel).
At some point governance just seeks to put the best information into the hands of the right decision-makers responsible for managing risk and seizing opportunity. Davenport on the other hand had pointed out that decision support was once more tightly tied to a problem at hand than to some under-arching infrastructure designed to support any eventuality.
I asked Rob Karel at Forrester Research about this separately and he said that governance might be a set of controls, but one that needs to be "ongoing and invasive and plugs into these ongoing initiatives like performance management." Rob disagrees with my "rulebook" analogy in that sense, but I know other folks who see that governance is first and foremost about defined limits of activity.
While we can see that the complexity of doing business today requires a comprehensive approach to governance, I'm not sure we spend as much time measuring our effectiveness as problem solvers as we spend trying to fix the problems under the covers. I'm looking for examples of GRC's connection to performance management beyond compliance. Maybe it just means that not all problem-solvers are equal, or that not all decisions are suitable for analytic automation.
Or maybe it means we're getting closer. Challenges come so fast now that we rarely have time to measure our performance based on our decisions based on our data. But I'm hoping we will.