Ibm data governance framework


Page 1: Ibm data governance framework

The Six Questions every Organization

should ask about Data Governance

Steven B. Adler

IBM Data Governance Solutions

[email protected]

http://www.ibm.com/itsolutions/datagovernance

Page 2: Ibm data governance framework

Why Data? Why Governance?

§ Data:

§ Structured

§ Unstructured

§ Metadata

§ Video, Audio, Multi-Media

§ Print, Email, and Archived

§ Software Code

§ Patents, IP

§ Protocols, Message Streams

§ These are all digital assets

§ Governance:

-Corporate governance is about controlling human self-interest to benefit the common good:

§ Increased Revenue

§ Lower Costs

§ Reduced Risk

§ IT has become the engine for business innovation and growth and it must be governed to demonstrate contribution to the business bottom-line.

§ To govern IT effectively, the value of Data must be assessed, Risk calculated, outcomes measured and constantly re-evaluated.

07/31/07

Page 3: Ibm data governance framework

Without Data Governance…

§ People make mistakes…

§ Those mistakes more commonly result in losses than hackers…

§ Those losses affect every aspect of IT and business

§ But data is still an abstract concept and governance needs technology to be improved…

Page 4: Ibm data governance framework

The IBM Data Governance Council was formed in 2004 to explore enterprise challenges and develop solutions

Customers Business Partners Academia

Abbott Freddie Mac AirMagnet

ABN Amro Huntington Bank Application Security

Alltel IBM CIO Office Axentis Bucerius Law School

Continuity Software

Bank of America MasterCard Guardium

Merrill Lynch Intellinx

Bank of Tokyo/Mitsubishi Lumigent

Bell Canada Novartis OpenPages

Nordea Bank Organizational Policy Inst.

Cadence Design Northwestern Mutual Paisley

PNC RiskWatch

Regions Financial Corp. SecNap

Semantic Arts

Discover Financial VP Securities Services Tizor

Equifax Washington Mutual Valid Technologies

ZANTAZ

The World Bank

North Carolina State University Nova Southeastern University

American Express Key Bank

Bank of Montreal

Monaris

BITS Financial Services Roundtable

Citigroup

City of New York, FISA

Danske Bank TIAA-CREF

Deutsche Bank TeliaSonera SPS Security

Fannie Mae Wachovia

Page 5: Ibm data governance framework


There are Six Questions every organization should ask themselves about Data Governance today

§ Do we have a Government?
§ Who is responsible for governing?
§ How do we share accountability across the enterprise?

§ How do we assess our situation?
§ Are benchmarks available?
§ How do we measure our Maturity?

§ What is our Strategy?
§ How do we get from here to there?
§ What does our CEO and Board want?

§ What is our data worth?
§ How much revenue is it producing?
§ How much does low quality data cost?

§ What are our vulnerabilities?
§ How do we calculate risk?
§ Which risks do we accept, mitigate, transfer?

§ How do we measure progress?
§ What do audits tell us?
§ How do we report results that matter?

Page 6: Ibm data governance framework

1. Do we have a Government?

§ Who are the leaders?

§ What does the DG Committee look like?

§ What power centers should be at the table?

§ How many business representatives are in the Council?

§ What is the charter of the group?

§ How are issues raised, discussed, and resolved?

§ How are requirements gathered?

§ How are policies communicated?

§ What are our legislative powers?

§ How do we govern?

Page 7: Ibm data governance framework

A Government has these basic powers

§ To discourage behavior:

§ Make something expensive

§ Make something difficult to do

§ Make something illegal

§ To encourage behavior:

§ Make something cheaper

§ Make something easier to do

§ Make something legal

§ To record results:

§ Census

§ GDP, CPI, etc.

Page 8: Ibm data governance framework

What will our organization look like to exercise these powers?

Executive Leadership

Data Governors

Data Stewards

Policy Decisions

Requirements Definition

Decision Making Input

Each governor represents an interest group and line of business within the organization and makes policy decisions on behalf of the interests and the enterprise. This ensures clear accountability for all aspects of data governance within each line of business as well as across the entire organization.

End Users, Customers, etc.

User Acceptance Testing

Page 9: Ibm data governance framework

2. How do we assess our situation?

§ Assessment criteria

§ Benchmarks

§ Categories or Disciplines

§ Using existing assessments

§ Scope of effort

§ Public statements vs. internal reality

Page 10: Ibm data governance framework

Elements of Effective Data Governance

Outcomes: Data Risk Management & Compliance; Value Creation

Enablers: Organizational Structures & Awareness; Policy; Stewardship

Core Disciplines: Data Quality Management; Information Life-Cycle Management; Information Security and Privacy

Supporting Disciplines: Data Architecture; Classification & Metadata; Audit Information Logging & Reporting

Relationship labels in the diagram: Enhance; Requires; Supports

Page 11: Ibm data governance framework

How do DG domains come together to establish DG within an organization?

§ An organization can start with any of the 11 domains, and is likely on the path to maturity for one or more of these domains.

§ By grouping the 11 domains of Data Governance, for which organizations can assess their current maturity, some insight into how to establish a road map can be gained.

§ An initial high level grouping of DG domains, and showing primary relationships between these groupings, may help organizations to build a road map:

§ Outcomes

§ Enablers

§ Core Disciplines

§ Supporting Disciplines

Page 12: Ibm data governance framework


Examples of relationships between DG Domains:

Disciplines: Data Quality Management; Information Life-Cycle Management; Information Security and Privacy

Enablers: Organizational Structures & Awareness; Policy; Stewardship

§ Quality and Security/Privacy requirements for data need to be assessed and managed throughout the information life-cycle

§ Executive level endorsement and sponsorship is an enabler for stewardship of information that requires standardization across processes and functional boundaries

§ Consistency in practice can be enabled through Stewardship when there are Enterprise-level policies and standards in place for DG disciplines.

Page 13: Ibm data governance framework

IBM Data Governance Maturity Model and Assessment

IBM has developed an assessment tool and maturity model to measure DG maturity

• Continuous Improvement
• Innovation / Leadership
• Collective / Shared Efforts
• Consistent & Rigorous
• Significant Automation

• Initial Process Definition
• Basic Infrastructure Modeling
• Project Discipline
• Automation Opportunities

• Measured and Managed Efforts
• Understood / Shared Practices
• Consistent Application
• Improving Performance
• Advancing Technology

• Consistent Performance Measurement against Stated Goals
• Objectivity and Trust
• Advanced Tools / Usage

• Lack of Processes
• Stand-alone Structures
• No Tracking / Management
• Heroic Efforts
• Ad Hoc Attempts

Business Transformation

Key contributors to maturity:

§ Rigor

§ Comprehensiveness

§ Consistency

Page 14: Ibm data governance framework

Customer Examples

§ Today, 10 members of the Data Governance Council are using the Maturity Model to transform their businesses

§ Bottom-up process transformation

§ Top-down governance models

§ Inside-out program funding

§ They use the Maturity Model to define what is in scope for Data Governance, based on a benchmark created by peers.

Page 15: Ibm data governance framework

3. What is our Strategy?

§ Where do you want to be in 3 years?

§ What is the gap between where you are today?

§ What milestones, specific tactics, and KPIs?

§ How to get organizational support?

§ How to get Board support?

Page 16: Ibm data governance framework

After the assessment, you need to benchmark where you are and where you want to go

Page 17: Ibm data governance framework

Build a Data Governance Vision

§ Minimum Requirements

§ Milestones

§ Key Performance Indicators

§ Project Plans

§ Teams and structure

§ Enabling Technology

§ Desired Outcomes

§ Timeframe

Page 18: Ibm data governance framework

Sell the Vision

§ To effect organizational change, everyone needs to be onboard

§ Getting everyone onboard can eat vast amounts of time and become process overkill

§ New methods of community-based consultation and eVoting are needed to get broad support for the vision

§ The CEO and Board are also important

Page 19: Ibm data governance framework

4. What are our data assets worth?

§ How do we measure data quality?

§ What is the data landscape?

§ What is the data model?

§ What is metadata?

§ How does data contribute to business results?

§ How can we measure the ROI of data improvement projects?

Page 20: Ibm data governance framework

The Value of Data is Dependent Upon the Value of IT

§ Value is dependent on Price

§ You can’t tell the value of something if it doesn’t have a market price

§ IT is run like a Command Economy.

§ Budgets are allocated centrally

§ Projects are managed based on labor value and infrastructure cost allocation

§ ROI is impossible to derive because there are no market mechanisms to determine the price of IT.

Page 21: Ibm data governance framework

In the Perfect World…

§ IT would buy hardware, software, and services from other vendors at cost, mark them up, and resell those products to the business.

§ The business would negotiate prices with IT and each division would pay new project, operational, and maintenance prices on all IT services.

§ IT would only have an investment budget based on business needs.

§ This would create an internal market for IT services similar to the real-world external market.

§ The Value of IT would therefore be based on the utility of IT services.

§ The value of data could also be measured using Utility Theory, because data management costs would be factored into IT prices.

Page 22: Ibm data governance framework

What is the value of Data?

§ Data is worth whatever someone wants to pay for it:

§ $1 for the NY Times

§ $93 for a stolen identity

§ $259 for Windows Vista

§ $20 for a book on Amazon

§ $1.29 for a song on iTunes

§ $5 for 512 m² of land in Second Life

§ How do you calculate the value of enterprise data?

§ Build an enterprise marketplace and let data supply and user demand set the internal price

§ Track data usage patterns to derive the Utility Value of Data

§ Record the revenue generated with use of the data and subtract the utility price paid to calculate the net earnings on data (EOD)

Page 23: Ibm data governance framework

Content Level Agreements

§ Content level agreements can contain numerous data quality performance metrics with corresponding data integrity and availability level objectives. Some examples are:

§ DQI (Data Quality Index): Index ratio of data quality.

§ DAR (Data Availability Rate): Percentage of time that contracted data was available to “consumers”

§ DIR (Data Integrity Rate): Percentage of time that contracted data was trusted and reliable.

§ DER (Data Error Rate): Number of data errors.

Page 24: Ibm data governance framework

5. What are our vulnerabilities?

§ Security Risks

§ Regulatory Concerns

§ Different approaches in laws

§ Related documentation and administration

§ Bringing regulations and reality together

§ Reputation Risks

§ Data leakage

§ Protected data

§ “sensitive data”

§ Misuse of data

§ Loss of Data

§ Risk of “bad” data

Page 25: Ibm data governance framework

Calculating Risks

§ Qualitative Analysis

§ Assessment

§ Prioritization

§ Weighting

§ Scoring

§ Quantitative Analysis

§ Causes and Trends

§ Incidents & Occurrences

§ Events

§ Claims

§ Losses

§ Probability Analysis

Page 26: Ibm data governance framework

Data Risk Management Maturity


Benefits from data risk mgmt

Level 1 Initial

§ “Bad Event” Driven

§ “Faith-Based” Fixes

§ No predictability

§ No cause/effect

Level 2 Repeatable

§ Create context for “bad events”

§ Collect, categorize, analyze all “actions of interest”

§ Broaden across multiple risk entities

Level 3 Defined

§ Combine with human behavior and “effect” data

§ Correlate and develop comprehensive Data Risk Assessment picture

Level 4 Managed

Level 5 Optimized

§ Find ways to leverage risk to corporate benefit.

WIN!

Risks “to” data

Risks “from” data

Make decisions to predict and control:

§ Managed risks

§ Limited risks

§ Process change

§ Accountability

§ Budgeting

Implement

Monitor/Report

Adjust

Page 27: Ibm data governance framework

Other Risks

§ IT Project Risk?

§ Defect Errors

§ Process Mistakes

§ Governance risks

§ Implementation Risks?

§ Interoperability

§ Deployment?

§ Business Continuity

§ Service Level Agreements

§ Globalization Risks?

Page 28: Ibm data governance framework

Alternative Risk Transfer

“Alternative Risk Transfer (often referred to as ART) is the use of techniques other than traditional insurance and reinsurance to provide risk bearing entities with coverage or protection. The field of ART grew out of a series of insurance capacity crises in the 1970s through 1990s that drove purchasers of traditional coverage to seek more robust ways to buy protection.”

–Wikipedia

Page 29: Ibm data governance framework

Alternative Risk Transfer Agreements

§ ART agreements can contain numerous risk metrics with corresponding protection level objectives. Some examples are:

§ IRE (Incident Rate of Exposure): Percentage of incidents to occurrences.

§ AIRT (Average Incident Response Time): Average time (usually in seconds) it takes for an incident to be responded to by the service desk.

§ CA (Coverage Amount): Amount of risk transfer from department to organization on an aggregate basis.

§ RA (Reserve Amount): Amount of “premium” paid by each department, based on past losses, to cover future exposures.

§ Security Agreement: Common agreements include percentage of network uptime, power uptime, etc.

Page 30: Ibm data governance framework

6. How do we measure progress?

§ Processes for capturing requirements

§ Processes for managing change

§ Processes for implementing policy

§ Using User Acceptance Test to measure how policy maps to requirements

§ Monitoring policy compliance

§ Link to operational risk

Page 31: Ibm data governance framework

What are we measuring?

§ Data Quality

§ Value of Data and IT Services

§ Probability of Risk

§ Policy Compliance

§ Regulatory Filings

§ Governance efficiency

§ Revenue Contributions

§ Cost Savings

Page 32: Ibm data governance framework

Why CLA and ART

§ Because they provide market mechanisms to price content and risk in an enterprise

§ Incentives and Disincentives to motivate behavior

§ Those market mechanisms provide governing power to effect change

§ With that change comes accountability, efficiency, and enlightenment

§ Without them, we are just guessing at the value of data and the cost of risk.


Page 33: Ibm data governance framework

Data Governance Balanced Scorecard

| Element | Current Maturity | Desired Maturity | KPIs | Outcome |
| --- | --- | --- | --- | --- |
| Organization | Traditional Structure (2) | community based self-governance (4) | # new ideas implemented | 78% employee satisfaction rate |
| Stewardship | Data Stewards only (2) | Stewardship in every discipline (3) | # stewardship communities | 125% more stewards |
| Policy | Ad-hoc policy management (1) | Structured policy management (3) | | 45% increase in reg. compliance |
| Data Quality | Spreadsheet-based DQ program (1) | Process oriented DG program (4) | Data utility index; Price of data | 24% reduction in fraud |
| Architecture | Stovepipes of data (1) | Federated and integrated (4) | Data availability index; Data supply ratio | Lower data management costs |
| Metadata | No metadata management (0) | End-to-end metadata management (4) | Business glossary; Metadata elements | 12% reduction in policy failure |
| Security | Enterprise Access Control | Context-based entitlements | # Incidents | 98% Customer satisfaction |
| Risk | Faith-based Risk Management (1) | Fact-based Risk Forecasting (4) | $ Capital Reserve; # Losses | 12% net underwriting profit |
| Value | Command Economy; Labor Theory (1) | Demand Economy; Utility Theory (5) | Efficiency of IT service pricing | 8% Net IT operating profit |
| ILM | Enterprise Backup (2) | Policy-based backup (3) | Retention/deletion ratio | 23 Terabytes saved |
| Audit | Quarterly Audits (1) | Automated self-assessments (5) | # Failures reported; # audits passed | 24% reduction in IT project failure |

Page 34: Ibm data governance framework

Questions?

Click on the questions tab on your screen, type in your question (and name if you wish) and hit send.