I flew to Las Vegas on Sunday evening. It had been a few weeks since I had last boarded an airplane and I was excited to go anywhere, even Las Vegas. The flight out was great, but the airport was like Shinjuku Station at 7am when I landed at 11pm. One-legged trolls must be hand-carrying the bags from the planes to baggage claim because it took a nervous and smokey hour to reclaim my luggage. Welcome to Las Vegas.
I was there to participate in the IBM Information on Demand Conference. This event was so good I completely forgot how much I despise that sunny city. I really don't know why anyone needs to have a gambling mecca in a city with nice weather because the hotels make it practically impossible to even see the sun on most days.
That aside, IOD was terrific. The sessions were excellent. I spoke in so many different sessions on Data Governance that I barely had time to hear other speakers. My sessions were packed with passionate participants. I took home fistfuls of business cards and was deeply impressed with the knowledge and interest of my audiences. There were some, sure, who weren't doing Data Governance yet, but they were the minority and the questions and interest demonstrated to me that Data Governance is now a market that is aware of itself. Things are happening independent of IBM. The demand is there across industries. It is our opportunity to lose; customers and business partners are keenly interested in joining the Data Governance Council and learning about the Maturity Model.
For me, the event was a vindication of all the hard work the Council has put in the past three years. My congratulations to the entire IBM IOD team who put on this excellent event.
Adler on Data Governance
From archive: October 2007
I'm not normally a reader of USAToday. The colors and quick articles always feel superficial and empty to me. But I was caught in a hotel restaurant this evening, on the last night of a long road-trip, and the only intellectual distraction was the pastel paper left in my hotel room. Some normal blather on the front page, and most of the paper was forgettable. But on the last page, there was an opinion piece by Alan Webber which perfectly described my own fears and experiences travelling abroad, looking back at America through the eyes of our long despairing friends in Europe. I commend this article to anyone who cares deeply about how far we have drifted from what we once were:
On September 25th, I hosted an ISACA e-Symposium on Data Governance. ISACA reports there were close to 3000 people registered for the webinar. It was conducted live, over IP and VOIP. I gave an introductory presentation on Data Governance, and we had excellent presentations from Bank of Montreal, Key Bank, and Discover Financial.
This call represents the first time the Data Governance Maturity Model has been shared with such a large audience. Participant feedback was excellent. We had many great questions on the line, and hundreds more were sent in via email.
Enclosed are some of those questions and my answers (names withheld to protect privacy):
Question: "In your opinion which one can be more cost effective and considered best approach? A. Invest in the development of a Data Governance Programme as a separate entity. OR B. Leverage existing asset management processes, such as ITIL and ISO27001 to accommodate Data Governance?"
Answer: Data Governance is more than asset management, and one of the key problems we've been trying to solve is more political than technical - it's how to get many different people from different disciplines to work together and solve complex problems. Some of these problems involve managing data as an asset, but some also involve managing the risks to the assets, being rigorous about policy definition, developing stewardship programs, storage and discovery rules, metadata and compliance.
I would always tell my customers that Data Governance is a new way of thinking about old problems and strategically should be integrated alongside existing models, like ITIL, that already work and are understood. But it isn't one or the other. It's both.
Question: "How do you impress top management with the importance of Data Governance?"
Answer: Data Governance is as much a political challenge as it is technical. Two things are going to get your program off the ground fast - acknowledged deficiencies across the organization that management can easily understand and quantify, or a determined sales program on your part to sell Data Governance as a solution that can solve many individual problems. In either case, start with executive interviews. The Data Governance Council Maturity Model can provide a framework for the interviews by segmenting issues and suggesting natural assessment questions. Whether you use the Maturity Model or develop your own questions, you have to do the legwork to discover their needs, classify the opportunities, and develop an internal sales strategy to rally your support.
Question: "data or information is intangible. Is there any specific model or method to quantify the value of data and information?"
Answer: The value of anything is determined by its price. There are many different ways of setting price. Markets set prices for stocks, bonds, and other financial instruments. Manufacturers set prices for cars, refrigerators, etc. Countries set prices on taxes, trade duties, and government services. IT can set prices on data, which is not really intangible. You pay for it all the time, when you buy a newspaper, rent a DVD, purchase software, why even your monthly broadband bill is a contract for data services. What we have yet to accomplish in internal IT is more specific mechanisms to establish the value of data based on its utility, demand, and ultimately price end-users will pay for it.
Question: "You mentioned that 10 companies have adopted the Maturity Model in some form. Can you identify any of them and speak to the results they've experienced?"
Answer: No, I can't. Those companies will identify themselves when they are ready to go public. But I do hope that the Maturity Model, through venues such as ISACA, can inspire a broader public discussion about Data Governance and successful implementations.
Question: "Love the notion of allocating costs for Content Level Agreements & Alternative Risk Transfer Agreements! What is this seen as a separate focus rather than being totally integrated with IT Governance (e.g., may be seen as extending some CobiT control objectives)"
Answer: As I said in my presentation, IT today is run like a Command Economy, with projects centrally funded and managed and no real economic tools to modify user behavior regarding perceived value of IT or need to mitigate risk. Internal funding agreements like Content Level and Alternative Risk Transfer are new economic policy alternatives that business can use to price and sell data internally based on the business demand for quality, availability, integrity, and security, as well as "tax" business units for the losses they create. I hope businesses will begin to leverage economic tools like these to turn the IT department into a P&L Center, and represent the aggregate internal IT rates of return in the financial balance sheet.
Question: It is considered best practice to hold end users or local managers responsible for data accuracy - is data governance an attempt to centralise this concept?
Answer: I think Data Governance is ultimately successful when it pushes organizational responsibility and policy obligations out from the center to every employee. Look, we buy gas, pizza, clothing, and other consumer goods every day and we don't need to consult with Congress or carry law books with us everywhere we go to conduct those transactions in a lawful way. We have, as a society, learned to conduct business in lawful ways that are for the most part free of vice, corruption, and crime. We call this civilization, the rule of law, etc, and these are examples of self-governance. We need to ultimately achieve the same degree of self-governance in our own organizations, employees who all understand their obligations to govern their use of data appropriately.
Are we there yet today? Not in all cases, and we still need central institutions to create policy and push compliance out to the organization. But this is the goal we should strive for - delegated responsibility and accountability.
Question: "have you defined "standard" quantitative measures to assess data governance maturity or data quality?"
Answer: The Data Governance Maturity Model does define five levels of DG Maturity, and insofar as those levels can be seen as quantitative the answer is yes. In the real world, it's not so simple. Maturity is relative to peers in an industry, and what is today to be considered a mature state at say level 2 might tomorrow be considered immature. Ultimately, it is for every company on their own to determine what the levels mean to them and what goals they need to set to achieve their maturity. We'd discussed this many times in the Data Governance Council, especially on the topics of what is mature and how many categories in the Model should everyone use. In the end, we decided we should let the market decide and the best thing we can do is collect implementation examples and share them with other practitioners to allow everyone to pick and choose the categories and levels that best meet their needs and culture.
Question: "Not really a question... It would seem that the processes that transform data into information (or information into organizational knowledge) must also fall under the control of general data governance, since it is possible to take perfectly sound data and transform it into bad information."
Answer: I get this question often. Many people think that data is in a database, and when human beings use it, it becomes Information. I personally think this is applying industrial assembly line metaphors of production to information. In some ways this is a rather vain metaphor, because we humans like to think we improve on data when we transform it in our brains into information. We are better after all than mere machines. But of course, humans also degrade information, on a regular basis, when we use it. So data can also become pollution when put into human production. We have enormous stockpiles of data pollution throughout the internet. :-)
In the end, I don't think these distinctions add much value to the challenge of Governance.
Data=Information. These are synonymous terms from a policy perspective, because ultimately the data/information has to be stored someplace. And the policies we write are intended to govern how human beings, and computers as their tools, control that data/information wherever it is stored - in a database, on a web page, in a spreadsheet, in a video, on a printed page, or retained in a person's memory. Policy should apply, and stewards should enforce, regardless of storage medium, and what we should be more concerned about is metadata to describe more distinct attributes of data/information, like its quality, integrity, reliability, business uses, past modifications, etc. With these tools we can better apply Policy to data wherever it resides, however it has been improved or degraded by humans and machines.
Question: "You have indicated that there are two avenues to pursue to obtain compliance, reward vs punishment. Which process have you found most effective or a combination of both for global enterprise?"
Answer: I don't think I called them reward vs. punishment. I think I said that a governing power has a few fundamental policy instruments - to make things cheaper, legal, or easier to do, or to make them more expensive, illegal, and painful to do. Both levers have pros and cons. And both have different effects on human behavior given different circumstances. I don't advocate one vs another. Human beings have to choose their policy tools and how each best fits their policy goals. Like our own Congress, trial, error, and evolutionary improvement are still the only model we can deploy to guide policy. In the future, however, I do hope we can develop better technology tools to help policy makers analyze different variables, model potential outcomes, and determine the best policy mechanisms for each challenge, and measure results based on forecasts.
Question: "Is data classification across the organization a key element for Data Governance?"
Answer: Emphatically YES! Most Data Classification is a blunt Security-based tool. We call data Top Secret, Secret, Classified, Public, etc, never indicating much about its business uses, quality, integrity, storage location, etc. We need business glossaries to understand business definitions and we need to link these to technical metadata to enable policymakers to search for policies, data assets, and exposures across our enterprise like we today search for news, ideas, and communication on internet search engines. We need a broader view of metadata and Data Classification and while business people may never fully understand this area of IT, we need to develop better tools to enable them to use it without having to understand it.
Question: "You cited USA laws and regulations. What about leveraging on different areas (Europe, Asia) where you have different ones for multinational public companies ? Besides what about financial risks, like different currencies and related fluctuation in outsourcing, offshore, etc.?"
Answer: You are right, all these are equally important issues. We are probably just mid-way through an IT regulatory cycle that began seriously with the EU Data Protection Act of 1996 and the HIPAA Act of 1998. SOX, Basel II, PCI, SB1386, and so many more regulations are changing the nature of IT development and deployment. Just as at the dawn of the 20th Century, when governments around the world passed industrial regulation, so too today are our countries grappling with the best way to regulate the impact of IT on our societies. I do wish that countries would make technology a cabinet level policy position, because we need better IT advice in public policy-making.
Question: "what measure is put in place to encourage data governance and privacy law compliance in Africa?"
Answer: "Good question. I don't know. But I will look into that and write about it on a later blog."
Question: "Could you talk more about selling this approach to clients? What method do you use to persuade them not only to the general concepts, but also to really invest in going down this path?"
Answer: Most of the clients we deal with are already sold on the need for Data Governance. Three years ago, when we started the Data Governance Council, the numbers of believers were very small. That's why we organized the Data Governance Council - to gather together the innovators and early adopters and build a community that could learn from each other and synthesize that knowledge into methods the broader marketplace could adopt. The Data Governance Maturity Model is the product of this process, and I would encourage every company interested in Data Governance to explore its potential. While I can't publish its contents here, I will tell you that it is extremely detailed - 11 categories, with many sub-categories, all with 5 levels of maturity. It is an excellent tool to model a Data Governance program and benchmark internal practices against levels of maturity created by industry peers.
Question: "Could you provide a link to Data Governance Council?"
Question: "Any example companies that have implemented an ART approach to charging user departments for risky IT behavior and how has that gone?"
Answer: Any large bank complying with Basel II and using the Advanced method of operational risk calculation already has the methods in place to create an internal market for Alternative Risk Transfer. They could even, potentially, set up their own Self-Insured Retention to "pay" out internal losses based on the "premiums" collected from their organizational stakeholders. In reality, every company already self-insures against their own IT and operational losses. The problem is often that these losses are not recorded in a systemic way, the information is not analyzed to detect loss patterns, and few organizations have the actuarial mechanisms to leverage their loss data to forecast future exposures. But all of this is business as usual for any large E&O insurer or Basel II conforming bank.
Question: "How to justify penalizing business for data incidents as the common perception is that IT department is responsible for taking care of data?"
Answer: Anyone carrying a Blackberry with customer data should be responsible for taking care of data. Data doesn't just live on a green-screen connected to a massive mainframe any longer. It's mobile, it's everywhere. And every employee is creating and exposing it to value and harm. That's why Governance is a group activity involving stakeholders from IT and Business. Everyone is responsible and therefore you need everyone involved.
Question: "How is the model accessible? Is it possible to buy/download it somehow?"
Answer: Not yet. We'll have to look into that.
Question: "Which organizational model is best suited for Data Governance?"
Answer: In the short run, it's the one that best fits your organizational culture. In the long run, in globally integrated enterprises with employees in every timezone, working from home or on the road, I think we will need more distributed organizational models and I look forward to inventing that next.
Question: "Would COBIT be an appropriate reference to implement data governance in terms of how to?"
Answer: COBIT would be an excellent reference if that's what your company is already using. We have so many alphabet standards today that don't talk to each other. When you implement Data Governance in your company, try to bridge reference standards as you also try to bridge organizational stovepipes. They have the same effects to divide and separate people and what you need is to bring people together.
Question: "With regard to using ART, how do you avoid the pitfalls of departments getting into "fingerpointing" arguments with one another where more resources are spent on blaming each other for the cause of the data integrity/quality issue rather than actually addressing the root cause."
Answer: Let each department determine its own root causes for loss. What you care about is levying the financial premium for the loss. The payment itself is an incentive to fix the problem.
Question: "Have you distinguished the difference between data and information in the studies you have conducted? Data becomes information when it is synthesized or crunched in a system and then reported as information. ....Data in...Information Out... Where is the starting point of governing data and when do other IT governance models take over? When data becomes information? Thank you."
Answer: We've discussed this distinction many times in the Data Governance Council and we've always agreed that Data and Information are synonymous. The way you phrased your question, however, makes me realize that you are applying an industrial production metaphor to data/information usage. It's like raw materials entering an assembly line with finished product popping out the back.
But people and IT systems don't use data/information in this way. If you take a data element out of a database, crunch it in a spreadsheet, send it to colleagues for interpretation, and turn it into a powerpoint, this "information" is still data stored in a spreadsheet cell, email, or presentation chart. It is structured or unstructured information. From an asset and liability perspective, the values may change, and therefore we may qualify the asset with new metadata, but the way we can write policies to govern human usage of stored data/information is more sensitive to storage content and usage context than front-end description of it as data or information.
So, my personal view is that the data vs information distinction doesn't add any value to the challenge of governance. It's what is in the container and the intent of the user that are more important to Data Governance.
Question: "With content level agreements does data confidentiality have any role with the objectives?"
Answer: Yes. If the sensitivity of data has a higher business utility then an end-user is likely to pay more for it. The extra premium for the higher sensitivity would pay for the additional security needed to protect the data in the agreement. This is how you can get end-users to pay for, and appreciate fully, the value of data and security.
Question: "In point 2 How do we assess our situation. In benchmarking how can governance take decisions in a fluctuating legal environment, since an organization is affected by the global regulatory environment?"
Answer: Assessments are a snapshot of your organization in time. Don't let the snapshots get old and faded. Make self-assessment a normal part of every new business process, and re-assess yourself on macro topics on a regular basis. In this way, you can stay on top of ever changing global business regulations and requirements.
Question: "Do you see Data Governance as a process that creates a burden on existing resources, or an investment in the future? This may sound like a silly question, but a lot of organisations are reluctant to change and see Data Governance as an additional cost on people's time."
Answer: Every organization is already Governing Data:
A. They don't know it.
B. They are doing it badly.
The burden is already there, uncounted. Count up how much it's costing not knowing how to Govern Data effectively and you will make your business case for change. Bring the change on slowly, and integrate it into governance models already under way and you will achieve a higher comfort factor with your changes.
Question: "Is there a checklist available for DG self assessment to identify gaps and also for implementing them?"
Answer: The Data Governance Maturity Model provides that kind of self-assessment checklist and it is available to members of the Data Governance Council. Information is available on this website on how to become a Council member: www.ibm.com/itsolutions/datagovernance.
Question: "Sorry, but I missed the explanation for the constituents of the members at the Data Governance Council and who's sponsoring it?"
Answer: IBM sponsors and runs the Data Governance Council, and membership information can be found on the website posted above.
Question: "Does this governance structure and process require full time staff to implement, monitor, and measure success? If so, how many FTE's would be recommended for an organization of 10,000 employees?"
Answer: Yes. Many organizations today are investing in various Stewardship programs to provide full time staff to implement governing policies and monitor results. These are your organizational doers and while they can be part-time in early DG pilots to get your program off the ground, a DG program will require full time Stewards to be effective. Start small and grow fast. Let your stewardship number be proportional to the value they can create. Measure that value through data quality, process efficiency, and risk mitigation metrics. Report it often.
Question: "Please explain Value Creation with reference to data governance?"
Answer: Value Creation is several things:
A. A measure of the value created through the use and enhancement of data to your business bottom line.
B. The yardstick of performance of your Data Governance program overall
We are Governing Data to create more value and we want to measure and report it on a frequent basis. I hear many people get caught up in complex qualitative measures of data, metadata, and value. Keep it simple. Measure productivity, labor saved, more efficient business processes, higher customer satisfaction, increases in revenue, reduced risk. These things are quantitatively measurable. If you don't know how to measure them, ask your CFO for guidance.
Question: "is Data Governance in any way connected to corporate, enterprise and IT governance?"
Answer: Yes, Data and IT Governance describe new forms of corporate governance below the board level. All these governing bodies should use similar policy processes, have the same kinds of roles and responsibilities, and have well defined agenda and reporting rules with common charters that contain similar language. What you want is a system of governance in which the people may change but the powers remain the same. If you are creating governing structures that all have different charters, roles, and structures, you are creating complexity and your governance programs will fail.
Question: "IT Governance vs. Data Governance ... do you all consider this same thing?"
Answer: Same answer as per above. I don't consider them the same thing, but I do consider them different parts of a similar problem. IT is no longer a back-office function with no front-office dependencies. In many companies, IT is the front display window, the main method for interacting with customers, the brand a customer sees when they first contact the organization. Governing the human use of IT assets has become a central challenge in many organizations, and IT and Data Governance are different approaches to common challenges.
I would always tell my customers that Data Governance is a new way of thinking about old problems and strategically should be integrated alongside existing models, like ITIL, that already work and are understood. But it isn't one or the other. It's both.
Question: "Can you recommend tools that may be available in the market for data governance assessments / maturity modeling?"
Answer: IBM provides data governance consulting and assessment services and a wide range of software tools.
More information can be found here: http://www-306.ibm.com/software/tivoli/governance/servicemanagement/data-governance.html