In my discussions with CIOs over the last several years, they have repeatedly told me that they strongly dislike traditional data governance. And asked at times, could they just be data custodians. When I asked why, they said they either forced it top-down on their organization, and everyone disliked them for doing it; or, IT took on data governance themselves.
It is not surprising, therefore, that many executives have come to “perceive data governance to be bureaucratic, complex, expensive, and largely discretionary.” (Data Governance for Dummies, page 7).
Yet, failing to implement data governance is harmful because it remains a fundamental DataOps process. Without question, data governance that is top-down or overly centralized has failed organizations that implemented it. These approaches are less centralized but allow organizations to federate their governance efforts. For example, Mukul Sood, Chief Architect at Slalom, says that “the federated model distributes a team of data governance resources among the business functional teams, and a centralized data governance leader is accountable for the overall data governance program. This model is recommended to enable lean and nimble data governance without unnecessary hierarchy and tiers.”
Decentralized plus federated governance makes sense for a number of data governance missions. For example, data governance for data quality could start with just one data domain. However, even here, there is a point at which, for example, financial teams need to move into other systems managed by other groups. So, it can make sense to start small with a domain team and then clone this into a federated model. The fact is we live in a connected world of applications and domains. It is hard to say just one team should be involved.
Centralized Versus Decentralized
Without question, centralized data governance ended up being implemented in a command-and-control fashion. In some cases, it created a centralizing team that owned data. These people often became effectively a tax for the organizations for which they managed data governance.
Its leaders controlled master data, including the data stewards that managed data creation and data access control. This put in place a central body with authority, responsibility, and control over data access. Often, this method tended to focus more on data controls and limitations. This kind of tight control over data was more focused on restricting data use versus enabling self-service use and discovery.
The problem with this is it runs counter to the research of Raffaella Sadun of the Harvard Business School, Philippe Aghion of the Collège de France, Nicholas Bloom and Brian Lucking of Stanford, and John Van Reenen of MIT, which showed “a company’s performance during and after a recession depends not just on the decisions it makes, but also on who makes them. In particular, this research found that decentralized firms may be better positioned to weather macro shocks because the value of local information increases.”
The above research makes effectively the business case for self-serving most elements of data management and utilization. Appropriately managed decentralized governance, says Data Leadership Collaborative’s Advisory Board Member Mark Palmer, means “each citizen plays their part, and the federation swings into action to add engineering, governance, and compliance built around this effective workflow and culture.” Without question, decentralized data governance is a newer approach to data governance. It is supported by new concepts including data mesh. In this approach, data producers and domain experts are empowered to manage and monitor data flows and access points on their own.
Federated Data Governance
Federated Governance argues for centralized standards, policies, and governance, but only centralized governance aimed at allowing for de-duplication of effort and preventing similar issues across business groups. It recognizes that decentralized approaches are problematic for some areas of governance. For this reason, it is critical that organizations be clear from the start about their objectives for data governance.
According to The Data Governance Institute, there are six different focus areas for data governance, including:
- Policy, standards, and strategy
- Data quality
- Privacy, compliance, and security
- Architecture and integration
- Data warehousing and business intelligence
- Management support
I would argue that data quality, data warehousing, and business intelligence can clearly be implemented in decentralized form. This is especially so if the data involved is not a data product, and it is primarily focused on a single business unit or function. However, the other types of data governance require federated data governance from the start.
Data Security Governance
One of the areas that screams out for centralization depending upon the corporate operating model is privacy, compliance, and security. This is what we refer to as data security governance. How this is implemented matters. This is because most enterprise data flows between corporate systems.
And while one could clearly start the process by governing domains, it is problematic when one takes an enterprise architecture perspective. What happens, for example, when customer data flows between Salesforce automation to customer support and financial systems? Clearly, the rules of the road need to operate consistently across different functional areas. Add to this compliance, which needs to be consistently managed across enterprise systems. There are clear penalties for doing it any other way.
However, there is good news. In the past, much of the difficulty concerning centralization was due to the need to manually manage data access system by system. Fortunately, new technologies make it possible to simultaneously discover risky data and implement a single policy and control for managing that data across the data estate — without coding. There is no penalty for centralization of privacy, compliance, or data security governance. This type of data governance is a lever of probability. Good governance reduces the probability of risk. It doesn’t eliminate it, but it goes a long way in mitigating. Bad governance or no governance is a formula for high risk.
Without question, data governance strategies need to be more nuanced. Top-down and forced data governance failed the organizations that tried to implement it. In fact, analysts have found that these approaches tend to fail. It makes sense to decentralize and federate. However, for data security governance, it makes sense to centralize for compliance and federate across the organization from the start.