Data governance lies at the heart of enterprise risk management. Access to consistent, accurate data enables informed decisions that drive your organization’s growth and success; protecting the integrity and correct use of data is critical for security, usability and regulatory compliance.
This article aims to help you understand the basics of data governance and learn how to structure a strong data governance program and set priorities for more effective risk management.
Every organization has rules around using, organizing, securing, testing, monitoring and disseminating data. These policies and internal standards comprise the organization’s data governance program and control every aspect of data management.
Data governance is a comprehensive term covering many different aspects of the way team members relate to the organization’s data. It includes sweeping security policies as well as small details that are nonetheless important for ensuring the consistency and usability of data.
Enterprise-level organizations typically have a formal data governance program that includes designated data stewards and comprehensive written policies. These policies are clearly communicated to employees and leaders throughout the business and are included in onboarding of new hires.
Data governance programs take into consideration compliance with applicable regulatory requirements, such as EU and U.S. federal and state-based privacy legislation (e.g., CPRA, GDPR, HIPAA). Frameworks such as NIST PF (privacy), NIST CSF (cybersecurity) and AI RMF (AI Risk Management Framework) may also support the data governance program.
In addition, a strong data governance policy increases operational efficiency by ensuring that employees have access to information that’s accurate, timely and consistent across the organization. Properly implemented data governance also leads to improved data, facilitates better business decisions and allows maximum benefit from advanced data analytics techniques to evaluate and improve business performance.
Your data governance strategy makes it clear where your data originates, where it's stored, what safety and security protocols are in place to protect data, how data is processed and shared, and which users can access certain types of data. Organizations often go wrong by not having a strategy that is well-planned and detailed. Implementing an effective data governance strategy that is well documented and consistently applied will help you achieve better quality data, improve organizational effectiveness and contribute to regulatory compliance.
Your data governance strategy should create consistency and efficiency by providing structure for the many details in data governance, aligning policies in different parts of your organization. To achieve this, your strategy must address all of the following areas:
Your strategy should clearly describe processes and rules that apply to each of the areas listed above, along with defining specific responsibilities and the individuals responsible for meeting them. It should also offer guidance on how to measure success and compliance with the policies.
Design your data governance strategy by methodically evaluating the basics of data and associated governance needs for each area, thinking in terms of people, processes and technology as you work through four distinct steps:
These steps are the core pillars that allow you to create foundational processes for governing data throughout your organization, including data considerations related to vendors and third-party relationships. When complete, your data governance strategy should define policies tailored for each type of data that follow it throughout the data lifecycle.
The same evaluation process can help you assess the completeness of your current data governance program and how well it’s working.
People: Who uses and owns the data? Which teams are responsible for systems that process the data (typically the IT team)? Who implements the data governance program?
Processes: Where are the touchpoints for each type of data? What policies control how data is used, stored and accessed from when it enters the organization until it is purged or deleted?
Technology: Which tools can help you accelerate your data governance program? What are the internal tools you’re already using to collect, process, manage and secure data?
Tracking and coordinating data across your organization is one of the most challenging and valuable aspects of data governance. Using appropriate tools can make this job easier, but that doesn’t necessarily mean easy. Data governance must be a high priority as you select systems and platforms to achieve various business objectives.
Most businesses rely on many different data governance tools — everything from customer relationship management, fintech and corporate performance management solutions to SOX reporting and various industry-specific business intelligence tools. Additional vendor management tools, as well as privacy and cybersecurity tools and protocols the company has in place, typically overlay the data management capabilities that accompany your various business solutions.
The limiting factor is more often the architecture of the program than a particular tool. You can avoid many data governance difficulties by paying close attention to the interoperability of various tools under consideration, especially those that help automate business processes.
Your organization’s data governance needs are similar to those of many other businesses in some respects; other needs are unique to your industry and your particular organization. For example, healthcare providers, insurers and others that handle health-related information must implement policies to comply with HIPAA.
To enable the approach to data governance that’s right for your organization, it’s imperative to conduct a thorough assessment of your current security, privacy and AI practices. You’ll also need to refer to established frameworks that address these concerns, including NIST CSF (security), NIST PF (privacy) and AI RMF (AI). Some organizations may want or need to adopt strategies that ensure compliance with frameworks such as HITRUST or seek certifications to verify a rigorous security posture.
It's also important to understand that, like choosing business technology, your data governance strategy is not a “one and done” process. Rather, it’s an evolving approach to risk management that must be consistently refined and adapted in response to a shifting threat landscape and changes within your organization — again, including people, processes and technology.
New legal requirements are emerging as well, especially in regard to privacy. So, it’s important to monitor proposed laws and regulatory frameworks in your location and your industry. And with multiple legal frameworks in play, your data governance program must comply with all applicable legislation and include enough flexibility to allow changes as new standards and rules appear.
Given the vast scope of data governance across a large enterprise, it’s easy to view understanding and managing your total data flow as an overwhelming challenge. Instead, focus on identifying the critical systems and then turn to relevant teams in each area to support your efforts.
When you’re designing and implementing your data governance program, keep these additional tips and best practices in mind to make your program easier to manage and more effective:
A data governance team includes the following members:
Data administrator – Manages the data governance program and helps resolve any data-related issues
Data steward – Helps connect the IT team with the rest of the business, including the leadership team, and helps facilitate user access to the appropriate data
Data custodian – Handles data storage, security and user access as well as data quality issues
Data user – Analyzes data to uncover valuable insights and apply learnings to make informed decisions or revise a business strategy
The members of your data governance team will perform best when they collaborate and share the insights, obstacles and solutions they encounter in their distinct roles.
The following list illustrates the breadth and variety of data governance considerations but is by no means all-inclusive:
Businesses often struggle with data governance risks related to vendor and third-party relationships. These relationships demand close attention and monitoring to ensure that they do not create excess risk and that they comply with your organization’s overall data governance program.
The following process can help you identify and mitigate this kind of data risk:
Scrutinize vendor onboarding questionnaires closely and follow up for more detail or clarification, if necessary, as accurate onboarding questionnaires are essential for efficient vendor management.
Proper collaboration between your security and privacy teams plays an important role in managing third-party-related risks as well. Following individual review of the questionnaires by both teams, it’s often helpful to perform a second joint review to ensure clarity, compliance and coordination.
Data governance is a complex challenge that impacts your organization’s risk matrix as well as its profitability and competitive edge. But you don’t have to face this challenge alone. Turn to the data governance experts at Armanino for guidance and support in this ever-more critical aspect of success in a digital world.