Making a successful case for a unified governance program
In my role as the executive director of the Compliance, Governance and Oversight Council, I meet a wide range of data professionals: data privacy and regulatory compliance experts, database security experts, data analytics experts, data quality experts and so on. Most of them are exceptionally good at their jobs, but when I ask them about their strategies for coordinating their individual activities with the other data professionals in their organizations, the majority answer, “What strategies?”
That’s when I say, “We should talk about unified governance.”
Modern big data and digital transformation initiatives depend on three underlying conditions. Data must be accurate and current. Data must be secure. And data must comply with evolving and increasingly complex regulations. This is especially true in the area of data privacy, given the impending implementation of the EU’s General Data Protection Regulation (GDPR).
Historically, achieving the first two conditions has been a data management function handled by IT and security, while the third has been an information governance (IG) function falling mainly to the legal, records and compliance teams.
These roles can no longer function in isolation. Those responsible for data management must recognize they can’t ensure accurate, secure data or enable business insight without proper IG to safeguard data integrity.
At the same time, those responsible for IG must accept that their mission has dramatically expanded from simply ensuring and proving regulatory compliance for auditing purposes to helping businesses achieve a single version of the truth, expose and extract value from information assets, and reduce a much wider array of risks associated with data.
A unified governance (UG) program enables organizations to operationalize this needed interdependence.
The Scope of UG
Consider some of the activities and processes driving today’s use of data.
For example, to achieve faster and more efficient patient care, a healthcare company needs business users to have ready access to patient information and other data assets in a collaborative self-service mode. Users, however, can’t wait for IT to provision the data and instead look for workarounds.
Meanwhile, throughout the enterprise, new APIs have been implemented allowing use of the underlying repositories and analytics through new and diverse tools. All these activities increase the risk of a data compromise.
At the same time, sensitive and private information increasingly resides beyond the corporate firewall in multiple public cloud environments. The handling of this information, as well as the information shared with legal and supply chain partners, must comply with new and complex data privacy regulations.
Finally, true business insight can come only from a combination of structured and unstructured information assets managed within a unified framework that spans policy management, monitoring and enforcement, metadata management, data stewardship and information discovery.
Only a UG program can create this unified framework, reduce the risk associated with how data is accessed, and maintain compliance in a systematic way. The main functional elements of a UG program include:
- Data quality – To derive actionable insight from structured and unstructured data, analysis must be performed on the most accurate, up-to-date information. You must have the ability to delete or tier data and unify or sync it across multiple systems to avoid performing analysis on outdated, inaccurate or inconsistent data.
- Data security and privacy – Only by knowing where your data resides – in the cloud, on mobile devices, in the hands of partners – and clearly distinguishing valuable data from redundant, obsolete and trivial data (ROT), can you understand how to protect it.
- Internal compliance – You must rigorously comply with internal standards for data storage and access to safeguard the integrity of the data business users need for their projects and to ensure they use data properly.
- Regulatory compliance – A robust regulatory compliance program that is inextricably a part of every data process is now essential. Failure to achieve this can lead to significant fines and reputation loss.
- Legal compliance – Only by identifying who is producing and accessing data and how it is stored – and deleting old and irrelevant data you can legally eliminate – can you control the cost of an e-discovery request and avoid producing far more data than necessary, which can create legal jeopardy.
- Information governance – IG comprises the specific policies, processes and controls that enable an enterprise to ensure data accuracy, assess information value, reduce regulatory and legal risk, and defensibly dispose of information the organization no longer needs. IG makes UG possible.
Making It Happen
How can you bring UG to your organization? Start with a strong business case to engender support from top management. This is the only way to secure broad operational support for the necessary activities, as well as the ongoing investment to sustain the program. This will also typically involve the addition of a chief data officer (CDO) to take responsibility for enabling the organization with a core set of information and analytical capabilities to support the evolving program.
The Information Governance Reference Model (IGRM) is an excellent resource for helping you build the business case. It delineates the links between the value of information, the duties that must be performed to manage data, and the specific data stores that IT manages. The Information Governance Process Maturity Model (IGPMM), produced by the CGOC, is a comprehensive guide to maturing the policies, processes and controls required for UG.
Launching a UG program may at first seem daunting. However, the benefits – increased business efficiency and insight, decreased long-term costs, and significantly reduced risks – make UG one of the best long-term investments your organization can make.