Data Is Risky Business: Sustainability and Resilience in Data Governance

This quarter’s column is co-authored with Anthony Mazzarella, a fellow practitioner-academic doing research into what makes data governance “tick.” There has been a lot of commentary on social media and elsewhere in recent months about how data governance has failed and how we need to reframe the discussion on what it means to govern data, particularly in the context of AI adoption in organizations. This discussion has dovetailed with topics that have arisen in the research both of us have been doing. And it raises some important questions for the planning and execution of data governance initiatives and how we define and envision what “success” looks like in these kinds of initiatives. 

If We Build It, They Will Come … 

Regardless of why people start a data governance or AI governance initiative in an organization, inevitably we need to get people coordinating and collaborating on data issues. Often internal leadership or external consultants crack open the DMBOK or similar reference model and begin the process of creating the standard “three steps to heaven” governance framework of operations-level data stewards, line management steering committees, and executive-level governance councils. After all, it’s what standards like ISO/IEC 38505-1:2017 and frameworks like the DMBOK tell us this needs to look like. 

If we are lucky, we get some motivated sponsors, engaged stakeholders, and data stewards who have an interest in improving things. More often we encounter sponsors who are doing it because someone (regulator, internal audit, external audit) told them it had to be done (with one or two engaged leaders who see the strategic value for them), line management who see it as another thing to add to the already full to-do list (with a sprinkling of engaged people with a problem), and data stewards in operations roles who are trying to keep up with the change agenda of the month. 

Progress is made. Policies are defined. Processes are implemented. The seeds of data literacy are planted. And then something happens. A regulatory or enforcement shift, or a change of leadership, or a merger, or the emergence of a new technology. Regardless of the trigger, the cracks in the foundations of our data governance structure become exposed: Budget is diverted, key stakeholders or participants move on, or the strategic priority and backing moves on to the next thing. And people declare the “data governance thing” a failure. 

Organizational ADHD (The “Shiny Object Syndrome”) 

W. Edwards Deming’s 14 “Points for Transformation” famously called on management to “adopt the new philosophy” and “create a constancy of purpose”.1 We shudder to think what Dr. Deming would make of the organizational ADHD that often plagues data governance initiatives. However, his 7 Deadly Diseases of Management contain a few relevant points: Lack of Constancy of Purpose, Emphasis on Short-term thinking, and Mobility of Management are all factors in the “Shiny Object Syndrome” that impacts the bedding in of data governance and data culture change in organizations. 

The current focus on adoption of generative AI and other artificial intelligence tools in organizations is the latest iteration in the cycle of “Shiny Object” occurrences in the data world. It is one that promises (or threatens, depending on your point of view) to make many data management tasks easier and remove the need for human actors in processes. As such, it is disrupting data governance initiatives, both positively and negatively. One benefit is that it highlights the importance of good quality, well-managed, and curated data and content. One negative is that there is a stampede of attention (and budget) to “AI governance” as a new thing when the things that need to be governed in the implementation of AI are, by and large, not widely removed from the core elements of data governance.2,3 

Looked at through the lens of Deming, perhaps a more appropriate definition of success for a data governance initiative is whether it can persist and deliver value to the organization in the face of changes in the environment in which the organization is operating. This environment would include external factors such as regulatory change, emergence of novel technologies, economic conditions, or global pandemics. It also includes internal factors such as resourcing, sponsorship, organization structure, or changes in business model or strategic priorities. 

Sustainable Governance vs. Resilient Governance 

Academic study in organizational resilience has increasingly disambiguated the topic of resilience from the related topic of sustainability. This is an important distinction. Resilience emerged in business literature in the 1980s. It deals with how organizations respond to external threats. Sustainability generally refers to environmental, societal, and economic sustainability — with organizations.4 When doing literature reviews to find research on how to keep data governance initiatives going (i.e., make them sustainable) we have found ourselves having to exclude the growing body of research and industry analysis of how poor data management and governance practices contribute to issues in environmental or energy consumption sustainability. 

These definitions are useful, but not entirely helpful when we are trying to assess what we need to do to ensure that organizations are consistent in their adoption of the ‘new philosophy’ of governing data and are constant in their purpose that data is something that needs to be governed. What is needed is an operational definition of what it means for a data governance change to be sustainable in an organization and what it means for data governance structures in an organization to be resilient. 

Sustainable Governance of Data 

Point 5 in Deming’s “14 Points for Transformation” tells us that management need to adopt a continuous improvement approach to “improve constantly and forever the system of production and service.” The implementation and execution of governance for data in organizations equally needs to be continually improving. In our experience, governance of data is often introduced for a particular data domain or in response to a specific regulatory driver (e.g., EU’s GDPR). But the practices, controls, and disciplines required in one aspect of an organization’s data can usually be applied (with appropriate modification where necessary) to other data in other domains. 

The continuous evolution of data governance in the organization and the expansion of the “market share” for data governance across stakeholders should create an environment in which the organization’s leadership and management are receptive to and engaged with data governance as a fundamental management discipline that creates better outcomes for the organization. Those outcomes may come through the adoption of new technologies in a responsible way with appropriate data, through the successful integration of acquired businesses, or the reduction in cost, risk, or complexity of digital transformation or strategic change.  

Note that this is a forward-looking concept for the organization. Sustainable data governance is data governance that continues to grow and evolve in the organization, even in the face of evolving business needs, organizational change, or technology shifts. This is data governance on what Daragh refers to as the “happy path.” In that context, we propose the following definition of “sustainable data governance”: 

A sustainable data governance implementation in an organization is one which continues to evolve and adapt to new domains in the organization and is actively considered and engaged in strategic planning and change management activities affecting people, processes, or technology in response to external or internal needs with appropriate management engagement and executive support. 

Resilient Governance of Data 

If sustainable data governance reflects Point 5 of Deming’s 14 Points, resilience in data governance reflects Points 1 and 2 — the need to have constancy of purpose and engagement with the underlying philosophy of governance applied to data. Where sustainable data governance is forward-looking and asks if the organization’s data governance model can grow ‘market share’ or ‘mind share’ in the organization, resilience asks whether the data governance function can hold its ground in the face of internal or external shocks. 

For example, if the rollout and operation of data governance in the organization is dependent on the passion and vision of a handful of key early adopters and leaders, what happens if they leave the organization or are transferred away from roles where they can influence or impact the culture and values underpinning the philosophy and practice of data governance in the organization? If the operating model for governance of data requires people to be co-located to collaborate, what happens if there is an external event that requires everyone to work remotely (weather, pandemic, or war)? What happens if there is a change of ownership or change of CEO and the headline of the organization’s strategy seems to downplay data’s role as an asset? What happens if there is a sudden reduction in force in the organization that removes key data stewards from the equation? And these are just the ‘people’ aspects that might affect the governance of data. The potential impacts of new technologies such as Generative AI or Agentic AI could also affect the systems and processes for governing data, as could more mundane technology changes such as migrations of data or processes to SaaS platforms or simple business process automation activities. 

All too often in our experience, organizations build their data governance frameworks for the organization that exists today and do not consider how that framework might need to evolve or adapt to serve the organization of tomorrow. And all too often, organizations risk slavishly adopting a ‘three steps to heaven’ operating model that risks baking in potential points of failure because of the assumptions made about the internal operating factors (operating model, resourcing, budgets) or external environmental factors (e.g., regulation, regulatory enforcement, economic factors) of today being applicable in the future. In light of these factors, we propose the following definition of “resilient data governance”: 

A resilient data governance implementation in an organization is one which continues to function and support the organization’s data needs irrespective of changes in personnel internally in the data governance function, changes in the wider organization stakeholder group, or changes in the macro-environment affecting the organization (regulation, market conditions, economic factors). 

Reframing Our “Definition of Done” 

Has data governance failed? We don’t think so. Where we may have failed as a profession is in not learning the lessons of the TQM evolution in business where many organizations adopted the form and function of quality management without heeding Deming’s words about the importance of constancy of purpose and the importance of the philosophy of quality. Today, organizations are replete with slide decks and organograms showing variations on the ‘three steps to heaven’ model for governance of data described in various references. Rather than building our castles to a generic blueprint, but building them on sand, we need to establish as part of our ‘definition of done’ for data governance some key criteria for ensuring that the foundations of our castles are solid to support sustainable expansion and evolution of governance of data whilst at the same time being resilient enough to weather storms or attacks and stay standing no matter what is thrown at us. 

References 

1 Deming, W.E. (2000) Out of the Crisis, Cambridge, Mass.: MIT Press.

2 Abraham, R., Schneider, J., and vom Brocke, J. (2019) ‘Data governance: A conceptual framework, structured review, and research agenda’, International Journal of Information Management, 49, 424–438, available: doi.org/10.1016/j.ijinfomgt.2019.07.008. 

3 Schneider, J., Abraham, R., Meske, C., and Vom Brocke, J. (2023) ‘Artificial Intelligence Governance For Businesses’, Information Systems Management, 40(3), 229–249, available: doi.org/10.1080/10580530.2022.2085825. 

4 Weber, M.M. (2023) ‘The Relationship between Resilience and Sustainability in the Organizational Context—A Systematic Review’, Sustainability, 15(22), 15970, available: doi.org/10.3390/su152215970. 


About the Co-Author Anthony “Tony” Mazzarella 

Anthony “Tony” Mazzarella is a veteran data leader and PhD candidate in Computer and Information Science with a focus on Information Quality at the University of Arkansas at Little Rock (UALR). With over 20 years of IT and data management experience, he has led enterprise data programs in large financial services firms, including Fortune 100 companies, advancing initiatives in data governance, data quality, metadata management, analytics, master data management (MDM), and generative AI. A thought leader committed to advancing practice, he has served as a board member and advisor to industry and professional associations, and is a mentor to data professionals as well as a trusted collaborator to academics and business leaders. His academic research, conducted in partnership with the EDM Council, examines the human and organizational dimensions of data governance to better connect research and real-world application. 


Daragh O Brien


Daragh O Brien is a data management consultant and educator based in Ireland. He’s the founder and managing director of Castlebridge. He also lectures on data protection and data governance at UCD Sutherland School of Law, the Smurfit Graduate School of Business, and at the Law Society of Ireland. He is a Fellow of the Irish Computer Society, a Fellow of Information Privacy with the IAPP, and has previously served on the boards of two international professional bodies. He also is a volunteer contributor to the Leaders’ Data Group (www.dataleaders.org) and a member of the Strategic Advisory Council to the School of Business in NUI Maynooth. He is the co-author of Ethical Data & Information Management: Concepts, Tools, and Methods, published in 2018 by Kogan Page, as well as contributing to works such as the DAMA DMBOK and other books on various data management topics.
