Governance is on my mind, as I just finished writing a textbook chapter about it. Given that the focus of this site is on data, what can we say about the intersection of governance and data?
Let me re-purpose some of what I’ve written for my students, for the data community.
The Cadbury report defines governance as, “The system by which organizations are directed and controlled.” Not too helpful, right? COSO (The Committee of Sponsoring Organizations of the Treadway Commission) further defines a key governance concept—internal control—as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
A process? Now perhaps we are getting somewhere. Maybe governance is just management by another name?
No; ISACA asserts that there is “a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organizational structures and serve different purposes . . . In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson [while] management is the responsibility of the executive management under the leadership of the CEO.”
All clear as mud, right?
Let’s look at an analogy. (Credit where due: I heard this in a presentation by Brian Barnier circa 2011.)
Suppose you own a small retail store. For years, you were the primary operator. You may have hired an occasional cashier, but that person had limited authority; they had the keys to the store and cash register, but not the safe combination—nor was their name on the bank account. They did not talk to your suppliers. They received an hourly wage, and you gave them direct and ongoing supervision.
In this case, you were a manager. Governance was not part of the relationship.
Now, you wish to go on an extended vacation—perhaps a cruise around the world, or a trek in the Himalayas. You need someone who can count the cash and deposit it, as well as place orders with and pay your suppliers. You need to hire a professional manager.
They will likely draw a salary, perhaps some percentage of your proceeds, and you will not supervise them in detail as you did the cashier. Instead, you will give overall guidance and expectations for the results they produce. How do you do this? Perhaps even more importantly, how do you trust this person?
Now you need governance.
In political science and economics, the need for governance is seen as an example of the principal-agent problem. Our shopkeeper example illustrates this. The hired manager is the “agent,” acting on behalf of the shop owner, who is the “principal.”
In principal-agent theory, the agent may have different interests than the principal. The agent also has much more information (think of the manager running the shop day to day, versus the owner off climbing mountains).
The agent is in a position to do economic harm to the principal: to shirk duty, to steal, to self-deal. Mitigating such conflicts of interest is a part of governance.
But what does this mean in terms of data? Data governance?
Governance is concerned with the overall context of the organization, and the influences affecting it. See an overview of these properties below:
Your organization started with a focus on the customer, and the market they represented. Sooner or later, you encountered regulators and adversaries; competitors and cybercriminals. These external parties intersect with your reality via various channels:
- Your brand, which represents a sort of general promise to the market.
- Contracts, which represent more specific promises to suppliers and customers.
- Laws, regulations, and standards, which can be seen as promises you must make and keep in order to function in civil society, or in order to obtain certain contracts.
- Threats, which may be of various kinds:
  - legal,
  - operational,
  - intentional,
  - unintentional,
  - illegal,
  - or environmental.
We can see data and information in all of these channels. If your company suffers a major data breach, your brand is compromised. You are also responsible for following relevant regulations, and managing information according to your internal policies (e.g. records management retention schedules).
Data represents both value and risk. Managing and measuring its value and risk requires a clear line of sight to enterprise governance. By maintaining that line of sight to the enterprise drivers of effectiveness, efficiency, and risk management, we can start to develop a reasonable understanding of data governance, one that is in harmony with well-accepted definitions of organizational “governance.”
Next column, we will talk more about how governance relates to management in the context of data and information.
Portions of this blog derived from author’s work in process book, Digital, from Startup to Enterprise © 2016 Charles Thomas Betz. Used by permission.