The Digital Transformer: Thoughts on Data Governance

betz_aug_colGovernance is on my mind, as I just finished writing a textbook chapter about it. Given that the focus of this site is on data, what can we say about the intersection of governance and data?

Let me re-purpose some of what I’ve written for my students, for the data community.

The Cadbury report defines governance as, “The system by which organizations are directed and controlled.” Not too helpful, right? COSO (The Committee of Sponsoring Organizations of the Treadway Commission) further defines a key governance concept—internal control—as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

A process? Now perhaps we are getting somewhere. Maybe governance is just management by another name?

No; ISACA asserts that there is “a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organizational structures and serve different purposes . . . In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson [while] management is the responsibility of the executive management under the leadership of the CEO.”

All clear as mud, right?

Let’s look at an analogy. (Credit where due: heard this verbally in a presentation by Brian Barnier circa 2011).

Suppose you own a small retail store. For years, you were the primary operator. You may have hired an occasional cashier, but that person had limited authority; they had the keys to the store and cash register, but not the safe combination—nor was their name on the bank account. They did not talk to your suppliers. They received an hourly wage, and you gave them direct and ongoing supervision.

In this case, you were a manager. Governance was not part of the relationship.

ART02 - img 02

image credit, commercial use permitted.

Now, you wish to go on an extended vacation—perhaps a cruise around the world, or a trek in the Himalayas. You need someone who can count the cash and deposit it, as well as  place orders with and pay your suppliers. You need to hire a professional manager.

They will likely draw a salary, perhaps some percentage of your proceeds, and you will not supervise them in detail as you did the cashier. Instead, you will give overall guidance and expectations for the results they produce. How do you do this? Perhaps even more importantly, how do you trust this person?

Now you need governance.

In political science and economics, the need for governance is seen as an example of the principal-agent problem. Our shopkeeper example illustrates this. The hired manager is the “agent,” acting on behalf of the shop owner, who is the “principal.”

In principal-agent theory, the agent may have different interests than the principal. The agent also has much more information (think of the manager running the shop day to day, versus the owner off climbing mountains).

The agent is in a position to do economic harm to the principal; to shirk duty, to steal, to self-deal. Mitigating such conflicts of interest is a part of governance.

But what does this mean in terms of data? Data governance?

Governance is concerned with the overall context of the organization, and the influences affecting it. See an overview of these properties below:

ART02 - img 01

Your organization started with a focus on the customer, and the market they represented. Sooner or later, you encountered regulators and adversaries; competitors and cybercriminals. These external parties intersect with your reality via various channels:

  • Your brand, which represents a sort of general promise to the market.
  • Contracts, which represent more specific promises to suppliers and customers.
  • Laws, regulations, and standards, which can be seen as promises you must make and keep in order to function in civil society, or in order to obtain certain contracts.
  • Threats, which may be of various kinds:
  • legal,
  • operational,
  • intentional,
  • unintentional,
  • illegal,
  • or environmental.

We can see data and information in all of these channels. If your company suffers a major data breach, your brand is compromised. You are also responsible for following relevant regulations, and managing information according to your internal policies (e.g. records management retention schedules).

Data represents both value and risk. Managing and measuring its value and risk requires a clear line of sight to enterprise governance. By maintaining that line of sight to the enterprise drivers of effectiveness, efficiency, and risk management, we can start to develop a reasonable understanding of data governance, one that is in harmony with well accepted definitions of organizational “governance.”

Next column, we will talk more about how governance relates to management in the context of data and information.

Portions of this blog derived from author’s work in process book, Digital, from Startup to Enterprise © 2016 Charles Thomas Betz. Used by permission.

Share this post

Charles Betz

Charles Betz

Charlie Betz is the founder of Digital Management Academy LLC, a training, advisory, and consulting firm focused on new approaches to managing the “business of IT.” He has previously held positions as enterprise architect, research analyst, developer and product owner, technical account manager, network manager, and consultant. From 2005-2011 he was the VP and chief architect for the "business of IT" for Wells Fargo, responsible for portfolio management, IT service management, and IT governance enablement. He has also worked for AT&T, Target, Best Buy, Accenture, and the University of Minnesota. As an independent researcher and author, he is the author of the forthcoming Agile IT Management: From Startup to Enterprise, the 2011 Architecture and Patterns for IT Management, and has served as a ITIL reviewer and COBIT author. Currently, he is the AT&T representative to the IT4IT Forum, a new IT management standard forming under The Open Group. He is a member of the ACM, IEEE, Association of Enterprise Architects, ISACA, and DAMA. Currently, he serves on the board of the Minnesota Association of Enterprise Architects chapter and is the organizer of the Agile Study Group, a working group of local practitioners and faculty examing Agile methods from the perspective of theory and pedagogy. Charlie is an instructor at the University of St. Thomas, and lives in Minneapolis, Minnesota with wife Sue and son Keane.

scroll to top