Align Data Governance with Board Governance Imperatives

Governance – managing decision-making and control while balancing the interests of stakeholders – is as relevant to the Enterprise Data Council (EDC) as it is to the Board of Directors (BoD). The EDC, representing the interests of data consumers by ensuring alignment between data initiatives and business objectives, acts like the BoD, which represents shareholders by ensuring alignment between management’s initiatives and shareholder-approved business objectives. This article contextualizes the phrase, “data as an asset,” and significantly, finds 16 areas of alignment between DAMA’s data governance framework and Deloitte’s corporate governance framework. The analysis also exposes a rarely covered topic: succession risk in the data governance organization. The article concludes by explaining how the purposeful alignment of Data Governance and Corporate Governance increases the profile of Data Governance at Board level. This serves to increase its access to corporate resources, which are then deployed to create the kind of risk-sensitive value that shareholders demand.

1. Introduction

Data Governance (DG) spans much of the data universe, as summarized by the elements presented in Figure 1. It includes data quality (DQ), master and reference data management, and defining a common language for the business’ data artifacts (metadata). Data governance is of as much interest to regulators as it is to the organization in the process of conducting its business.

Figure 1: The scope of Data Governance according to DAMA.

Data governance is also the Board’s ally. Besides helping to fulfil regulatory requirements e.g. RDARR (Basel BCBS239), data governance also helps prevent negative reputational incidents involving poor data quality – review TechTarget (2007) to see some examples of the latter. In fact, avoiding negative publicity really matters to the Board, because its top responsibility is to protect the organization’s reputation (Dowling, 2006).

From inside the organization, the head of data – generically called the Chief Data Officer (CDO) here – should be involved in measurably helping to achieve the organization’s strategic objectives. This is because a key performance indicator of a CDO is how well the role works with the Board and C-levels to forge links between data, analytics, processes, and ultimately, business outcomes (Moore, 2016).

Like regulatory compliance and reputation management, positive business outcomes are a Board-level imperative. If data governance measurably and positively influences any of them, then the CDO will have successfully aligned with at least one corporate governance imperative. Such alignment is not achieved by accident.

Corporate Governance versus Data Governance

Corporate Governance is the highest level of abstraction of organizational management, exercised by the Board who oversee the organization’s activities from the point of view of investors (shareholders). Its role includes defining purpose and strategy, overseeing compliance, and ensuring that management is held accountable for its actions, especially those related to business performance. On the other hand, Data Governance concerns the management of the data universe, as represented by Figure 1.

Data Governance gathered momentum with the 2003 joint sitting of the Basel Committee on Banking Supervision (Basel), the International Organization of Securities Commissions (IOSCO), and the International Association of Insurance Supervisors (IAIS), which recognized the need for better data quality. The global financial crisis then drove Basel’s BCBS 239 Risk Data Aggregation and Risk Reporting (RDARR) publication in 2013, which qualified the expectations of banks by regulators with respect to data quality, the formal roles and responsibilities for data, and the need for standardized metadata. CDOs were granted a Board mandate to comply with this regulation, with 25% of CDO roles having been established by the Board (Logan et al, 2016).

2. If data is really an asset, then it must perform like one.

Logan et al (2016) also found that 46% of CDOs cite value creation and revenue generation as their top priority, predicting that 66% of CDOs will have this as their top priority by 2021. From a corporate governance perspective, this is hardly surprising, because revenue growth is a priority business outcome; shareholders demand it. Now if revenue generation is as much of a priority as claimed, then some CDOs may need to reflect on the meaning of the often loosely used phrase, “data as an asset.”

Shareholders and organizations invest in assets because they expect financial returns from those investments. They grudgingly invest in low or negative return assets, because doing so negatively impacts profitability. In general, some shareholders would rather pay the penalty imposed by regulators than make investments to avoid the penalty, if the penalty proves to be less than the investment required.

Similarly, some organizations are reluctant to invest in data, because they don’t see returns for their investment. They would much rather minimize the costs associated with holding data than invest in it.

For data to be worthy of investment, it must produce value commensurate with those investments. Revenue is one such measure of value. As an individual investor, you would never invest with a broker who only has fluffy comments about the financial performance of an investment. Yet some expect their organizations to invest in data while providing little concrete evidence of the value (e.g. revenue enablement) that will be generated by that investment.

Weak business cases for data result in declined requests for funding; non-financial measures of value simply carry less weight when it comes to evaluating and approving investments in assets, ultimately on behalf of shareholders and investors.

3. A Basis for Assessing Alignment

Deloitte’s corporate governance model (2013) and DAMA’s data governance model (DAMA) are used here as bases for assessing alignment.

From a corporate governance perspective, we have the following:

Figure 2: A six-pillar corporate governance framework, with data governance perspectives expressed on the periphery. The Data Governance Organization (DGO) – a formal or informal subset of the business’ organizational structure – implements DG initiatives.

While from a data governance perspective, we have the following:

Figure 3: A data governance framework with corporate governance perspectives expressed on the periphery.

4. Examining the Alignment

There are at least 16 areas of alignment between the selected Corporate Governance and Data Governance models summarized in Table 1 and Table 2. Let’s examine some of these.

From Table 1, the intersection of “Strategy” with “Manage Data Quality & Metadata” is important in the context of the annual organizational strategic review. The review gives the organization the opportunity to reflect on its challenges and performance (all of which need data), and to institute corrective action with respect to the overall organizational strategy.

Sadly, many strategic planning sessions begin with no data at all, often because it is too difficult to extract, or because it is quite simply wrong. For an organization to go into a strategic planning session without the relevant data of the right quality calls into question the quality of the decisions being made about the organization’s future. This in turn has significant corporate governance implications.

At the intersection of “Governance” with “Data Security”, the key is to recognize that data security extends beyond technology’s general focus on viruses, hackers, and malware. These are important, but PWC (2014) finds that “insider crimes are more costly or damaging than incidents perpetrated by outsiders.” Business processes also pose a large risk to data security, largely because too many of them – even in large organizations – remain undocumented, making the risk difficult to assess. It is useful to note that data governance has at least four key roles to play in facilitating cyber risk mitigation (Pearce, 2017), relevant in the context of the board’s cyber security agenda.

Table 1: A mapping of the benefits of data governance alignment with corporate governance pillars 1 to 3.

From Table 2, the intersection of both the “Integrity” and “Risk” columns with “Manage Data Quality & Metadata”, as well as the intersection of “Integrity” with “Perform Data Governance” are all corporate governance imperatives for RDARR, as revealed earlier.

Also, the entire “Talent” column is important, because the Data Governance Organization (DGO) – consisting of a formal or informal hierarchy of data stewards with different levels of responsibility – poses risks to successfully implementing the organization’s data strategy in much the same way as key people in the organization could pose risks to the successful implementation of the organization’s corporate strategy.

Figure 4: The DGO, overlaid on the enterprise organogram in bold lines. It has different responsibilities for different parts of the enterprise’s data, and is often an increase in the responsibilities of existing roles rather than being new roles.

So to ensure the sustainability and productivity of the DGO, the implementation of the data strategy, and the intellectual property related to regulatory compliance, remember to pay due attention to identifying key staff, succession planning, and training. Also ensure that the relevant processes, whether formal or informal, are documented to a relevant degree of detail, and that they are saved in an appropriate repository as part of succession risk mitigation.

Furthermore, the intersection of “Risk” with both “Perform Data Governance” and “Manage Data Quality & Metadata” serves to mitigate the reputation risk illustrated in Section 1.

Table 2: A mapping of the benefits of data governance alignment with corporate governance pillars 4 to 6.

From these two tables, it should immediately be clear that there is strong alignment between the objectives of Data Governance and the objectives of Corporate Governance. This alignment is enabled by ensuring that corporate governance leverages data governance for strategy, business performance monitoring, and enterprise risk management as in Figure 1, and that data governance enables corporate governance with respect to regulatory compliance and cyber security as in Figure 2.

5. Conclusion

The better the CDO understands the Board’s agenda and the better the CDO is able to articulate how it serves that agenda, the more topical the conversation with the Board or even C-Levels will be. One example is enabling better business outcomes for a given investment (Performance pillar), while another might be improved cyber risk mitigation (Risk pillar).

The alignment of data governance with corporate governance has the added benefit of increasing the profile of data in the organization. It also elevates the data agenda, which facilitates any conversation about the allocation of financial and other resources to the required data initiatives.

Because the data governance team has framed its data objectives in a corporate governance context, it makes sense that it becomes the steward of those initiatives on behalf of the enterprise. This would help reduce the incidence of many similar data-related projects across the organization – most of which are trying to achieve the same goal – thus increasing organizational efficiency by reduced duplication, and increasing organizational effectiveness by leading enterprise-scope projects at the right level.

In terms of cyber risk mitigation, in some jurisdictions, there are regulatory expectations of the Board and of management if an organization is exposed to a data breach. These expectations relate to three of Deloitte’s corporate governance pillars: Governance, Integrity, and Risk. One of those expectations is that the organization identifies the location and extent of the exposed data as soon as possible, to fulfil the requirement of accurately reporting the breach to the regulator. Data governance initiatives can enable accurate and timely breach reporting, implying good alignment with the Integrity and Risk pillars of corporate governance. With cyber security at the top of the modern Board agenda, the Board would welcome this alignment, in turn giving further impetus to DG activities.

Shareholder expectations of “value” were outlined in this article, as were consequent considerations for how one should think about the phrase, “data as an asset.” An expectation of data governance by shareholders is that it adds shareholder value in the same way that shareholder value is added in the deployment of traditional assets. Notice also how data governance activities mitigate various risks to the organization, including reputational, legal, and financial risks, adding a risk sensitivity to value creation.

The enthusiasm with which this value conversation is embraced by the organization depends on how well the organization truly understands what “data as an asset” means. It also depends on whether it recognizes the strategic threat in the finding that most CDOs in the foreseeable future expect to create value or generate revenue as a value-added outcome of their data governance activities. If anything, the message in all this is clear: “Don’t be left behind in the value conversation!”


References

  1. DAMA (n.d.). Body of Knowledge. https://www.dama.org/content/body-knowledge
  2. Deloitte (2013). The Role and Benefits of a Corporate Governance Framework. http://deloitte.wsj.com/riskandcompliance/2013/05/24/the-role-and-benefits-of-a-corporate-governance-framework/
  3. Dowling, G (2006). Reputation risk: it is the board’s ultimate responsibility. Journal of Business Strategy, Vol. 27 Iss: 2, pp.59 – 68
  4. Logan, V.A., Popkin, J., and Faria, M (2016). Gartner CDO Survey Reveals That Chief Data Officers Drive Both Data Management and Analytics for Maximum Impact. Gartner. https://www.gartner.com/doc/3514317
  5. Moore, S (2016). Build Your Career Path to the Chief Data Officer Role. Gartner. http://www.gartner.com/smarterwithgartner/build-your-career-path-to-the-chief-data-officer-role/
  6. Pearce, G (2017). Four ways data governance and enterprise data management boost cyber security. ISACA online-exclusive article to be published on 31 May 2017. isaca.org
  7. PWC (2014). Managing cyber risks in an interconnected world. http://www.pwccn.com/en/retail-and-consumer/rcs-info-security-2015.pdf
  8. TechTarget (2007). Data quality management: Problems and horror stories. http://searchdatamanagement.techtarget.com/feature/Data-quality-management-Problems-and-horror-stories

Guy Pearce

Guy Pearce (BSc, BCom, MBA) has 12 years' experience in data governance. This journey started two years after the 2003 joint sitting of Basel, IOSCO and IAIS, where data quality was first globally identified as a major financial services issue. He has since presented university lectures on data leverage, published journal articles on cyber risk, and has been promoting the alignment of data governance with corporate governance since 2014. From a corporate governance perspective, he has served on five Boards of Directors and two Management Boards in private and publicly traded banks, financial services organizations, and retailers, including three Finance and Audit Committees, three Risk Committees, and two IT Committees. His direct business experience derives from having been CEO of a retail credit business serving 100,000 customers across three countries.
