2. Data Governance

Noted mathematical physicist Edmund Whittaker (1873–1956) once remarked, “When by purely scientific methods we trace the development of the material universe backwards in time, we arrive ultimately at a critical state of affairs beyond which the laws of nature, as we know them, cannot have operated.”1

1. See Silk (2005).

A popularly held belief is that our universe had a beginning, whether through evolution or by creationism. Ostensibly, since the beginning, our universe has been governed—at the very least, governed by the laws of physics. Therefore, no matter what we do in this world, we are already under some type of governance initiative.

Regardless of whether the laws or constants of physics are products of chance or provisions of a deliberate design, the application of the physical laws in our universe appears to hold everything together (based on the general understandings of relativity and the uncertainty principle).

If an occasional event or transpired happening seems to defy all sense of physics, then permitting a deviation (i.e., accommodating the sporadic miracle or unexplainable event here and there) is certainly a valuable attribute or quality of governance. Although governance can be used to provide a cadre of oversight mechanisms that help restrain behaviors and push to establish consistency, governance should not necessarily be an unbending and unwavering mechanism.

In terms of governance, knowing when, where, how, and why a deviation should be permitted may not only be in the best interest of the universe, but also in the best interest of organizations that have chosen to adopt a governance program. As a maxim, recognizing the strategic efficacy of allowing or encouraging a transition from the norm is not only in the self-interest of a governance body, but also serves to enrich the function of the governance body. Potentially, the prudent allowance of a deviation is the one mechanism that keeps a governance body vital and sustainable in an organization.

Arguably, the entire concept of business is one of the most complex creations man has ever devised. Even though man is already governed as a part of the universe, in business additional layers of governance often seem to be required. Just as Mother Nature adds further layers of governance (e.g., survival of the fittest, instinct, and so on) to much of what happens on our planet, so, too, man’s creations often benefit from additional layers of governance.

Public corporations normally have a layer of corporate governance established by the board of directors. The board of directors is a separate, independent body of the corporate structure and uses governance to help assert oversight. Corporate governance is further influenced or governed by a series of commercial laws. In addition to corporate governance, a business often injects other layers of governance throughout the organization. Within information technology, data governance is one example of an additional layer of governance.

Regardless of the managerial structure adopted by an organization—hierarchical, matrix, or flat—the function of management, along with an arsenal of business policies, operating models, strategies, directives, and so on, is all too often insufficient to help steer the actions of the organization consistently and predictably. Business is generally influenced by the following basic tenets:

• Having a determination and dedication to a cause

• Having a culture that embraces, accepts, and tolerates the cause

• Having adequate resources and technology to support the cause, and confidence that anything unknown can be overcome or worked out in a timely manner

• Having belief that the cause can be successful within a reasonable time frame

• Having access to sufficient finances to undertake the cause

• Having organization leadership with the authorization to discipline, reward, or punish to ensure compliance

These tenets, or six laws, are irrefutable for the science of embarking on a cause for business—especially a project-based cause. If any one of these laws is removed or violated, the entire project may collapse. The six laws form the basic physics of project-based service-oriented architectures and data management.

To ensure compliance, an organization generally requires something over and above a set of laws. To help ensure desired actions, rules of compliance are needed. Rules of compliance can be used to explain exactly how each law is to be obeyed. Consider, for example, the U.S. law requiring payment of income taxes. That is the law. To comply with that law, the U.S. Congress prepared a list of rules. The rules became so complex that they were given their own name: the U.S. Tax Code.

Whereas laws tend to be irrefutable, rules are not. For a law to change, the underlying science has to have been changed (or at least our understanding of the underlying science). Rules, on the other hand, may be challenged and changed as circumstances warrant. However, any challenges or changes must comply with the present (understanding of the) laws.

Rules of compliance constitute one type of rule set, but a business may utilize many types of rule sets. Rules of behavior are another type of rule set found in an organization. Rules of behavior do not demand compliance. Instead, they address how people think and act and are typically rooted in culture and education. Rules of behavior address the issues associated with a discipline. For a governance program to be successful, obliging or influencing the rules of behavior is a priority.

While management may appear sufficient when considering various rules of compliance, the need to address behaviors (such as ego, fiefdoms, complacency, passive aggressiveness, and the quirky not-invented-here syndrome) may require some further oversight in the form of governance to facilitate matching behaviors and work products.

An intention of governance is to oversee and influence behaviors or outcomes in some manner. However, many individuals in the workplace can be seen to govern themselves. For example, employees tend to show up at an agreed-to work location and then work for a predefined period of time; this pattern has the appearance of being successfully repeated on a regular basis.

If an employee is tasked as a programmer, the primary function that person performs is programming. Programmers operate within the boundaries of the syntax associated with a given programming language. (The syntax serves to govern how the programmer prepares the program.) People can often work in environments where the appearance of self-governance is taking place. Self-governance may not result in the acceptance of a work product by a manager or peer, but self-governance allows people to control their own actions.

Work teams can invoke governance through peer pressure, and managers of teams and individuals can also govern their workforces. Managers may often make sure that employees follow standards and acceptable work practices, especially in the disciplines of programming and database administration. Although governance appears to naturally affect all work practices, governance around management activities and the self-governance imposed by an individual are considered separate from the type of governance associated with data governance (see Figure 2-1).

Figure 2-1 Shades of governance.


Literally anything can be said to be governed or governable. However, to serve a purpose, the function of data governance should be distinct and distinguishable from normal work activities. Therefore, data governance should be distinguishable from data management, programming, database administration, data entry, and so on.

The use of a governance body should be to primarily undertake that which individuals or individual managers cannot undertake for themselves. Along the shades of governance, the use of the governance body should not be confused with the acts of governance performed in one’s own interest. In this model, governance is reserved for external governance bodies.

For example, if a data management department institutes a data governance initiative, the governance mechanism could be viewed as self-serving for the data management manager or the department as a whole. In this case, the governance body is organizationally protected from other external influences and may limit its governance directives for the perceived good of the data management department instead of the perceived good of the overall organization.

Some corporate governance initiatives rebuke the notion of having a chief executive officer serve as the chairman of the board. One rationale for this type of decision is to remove a potential conflict of interest when the board monitors the chief executive officer and other senior management in terms of competency and the evaluation of ethical behavior when running the day-to-day operations.

Likewise, when a department sponsors a governance initiative, the likelihood of a conflict of interest also arises. Therefore, governance mechanisms should have an external overarching interest and should not be established for self-interest. Although oversight and control are functions shared by both the external overarching governance mechanism and the self-interest governance mechanism, discerning the difference can become confusing.

To help illustrate a potential confusion about what can be regarded as governance, consider the following situation:

A data management department is responsible for creating logical data models. Over time, the department compiled and published a comprehensive set of standards for creating logical data models. The standards dictate the diagramming notation, the data modeling tool, guidelines for creating entity and attribute descriptions, naming standards, and so on.

A data modeler tasked with interpreting and handling a business requirement created a new logical data model. The core part of the model used an entity to manage customer information (see Figure 2-2). While interpreting a separate business requirement, the same data modeler created a separate model to also handle customer information (see Figure 2-3).

Figure 2-2 Logical data model handling customer information from requirement 1


Figure 2-3 Logical data model handling customer information from requirement 2.


The abridged logical data models shown in Figures 2-2 and 2-3 are intended to be fully compliant with all prescribed logical data modeling standards. Both logical data models are capable of managing the same information, but do so using two distinct abstractions.

In this case, the logical data modeling standards, although put in place to drive consistency, failed to control or influence how a person thinks through a given problem. On the one hand, the standards can be viewed as failing to sway consistency in creative thinking. On the other hand, governance can be used as a mechanism to fill a gap left by the standards. In this situation, the data modeler aware of the circumstance can decide how to handle this anomaly. The data modeler has chosen to engage in governance.

Within the data management department, two separate data modelers each created one of the logical data models; one data modeler created the model shown in Figure 2-2, and the second data modeler created the model shown in Figure 2-3. The two data modelers may be unaware of the overlap in handling a common concept using the two disparate abstractions. In this case, the department manager may be required to have the requisite oversight and step in to manage the situation, thus acting as a governor.

In a third scenario, the model shown in Figure 2-2 is created by a data modeler in the data management department, and the model shown in Figure 2-3 has been acquired through a commercial software package. In this scenario, the software package is managed by a separate group. A data governance body could provide oversight as an independent group separate from the data management department and the group handling commercial software packages.

Having broad, independent oversight, the data governance group can help drive a consistent outcome in the abstraction or choose to permit a deviation in having two distinct representations for a common concept within the enterprise. How a data governance body chooses to exercise its control is an important aspect in terms of a governance body achieving and sustaining success within the corporate culture.

Alternative situations could have readily been used in place of the logical data model scenario. For example, the situation could have been based on a composite service, an orchestrated workflow, or an Extensible Markup Language (XML)-based message.

A separate example involves the maintenance of a mailing address in a party-centric master data management solution, whereby the effort to govern a consolidated view may simply result in a corporate punt and the opportunity to govern may be circumvented. To punt is to give up or to defer until an unspecified point of time in the future.

Organizations with multiple lines of business and a service-oriented master data management solution often punt opportunities. Typically, each line of business is allowed to preserve its own mailing address rather than be governed to resolve to a single overarching view of the party. Should this situation occur, the mastered data becomes an aggregation hub. Seen from the viewpoint of the enterprise, the addresses become a collection of facts and not a singular point of truth.

To successfully avoid viral data in a service-oriented master data solution, the data store should contain a series of truths without a direct business context. A line of business adds a specific type of business context. Adding a context into a solution intended to be without a context increases the potential for a viral data pandemic.
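The distinction between an aggregation hub and a single point of truth can be made concrete in code. The following is an added example and is not code from the original page or from any product the page describes; the names Party, AddressFact, and resolve_mailing_address, and the sample submissions, are assumptions constructed for illustration. The mastered record carries provenance (which system asserted the address) but deliberately no line-of-business context. When the contributing systems agree after normalization, a single truth is produced; when they disagree, the conflict is surfaced for a governance decision rather than silently keeping one copy per line of business, which is the corporate punt described above.

```python
"""Party master: context-free facts with provenance versus an aggregation hub.

Added example, not from the original page. All names below are assumptions
for illustration; the sample inputs are constructed inline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AddressFact:
    """One mailing-address assertion about a party.

    `source` records provenance (which system asserted it). It is NOT a
    business context: a line-of-business label such as "mortgage" or
    "credit-card" is deliberately absent from the mastered record.
    """
    street: str
    city: str
    postal_code: str
    source: str  # provenance only, e.g. "crm"


def normalize(fact: AddressFact) -> Tuple[str, str, str]:
    """Canonical form used to decide whether two facts say the same thing."""
    return (
        " ".join(fact.street.upper().split()),
        " ".join(fact.city.upper().split()),
        fact.postal_code.replace(" ", "").upper(),
    )


@dataclass
class Party:
    party_id: str
    address_facts: List[AddressFact] = field(default_factory=list)

    def add_fact(self, fact: AddressFact) -> None:
        self.address_facts.append(fact)


@dataclass
class Resolution:
    status: str                                  # "single-truth" | "conflict" | "none"
    address: Optional[AddressFact]               # the mastered address when resolved
    variants: Dict[Tuple[str, str, str], List[str]]  # normalized form -> sources


def resolve_mailing_address(party: Party) -> Resolution:
    """Attempt to produce one mastered mailing address for the party.

    Agreement across sources (after normalization) yields a single point of
    truth. Disagreement is reported as a conflict listing the contributing
    sources so a governance body can decide; the function never keeps one
    copy per line of business, which would turn the master into an
    aggregation hub of facts rather than a single truth.
    """
    variants: Dict[Tuple[str, str, str], List[str]] = {}
    first_fact: Dict[Tuple[str, str, str], AddressFact] = {}
    for fact in party.address_facts:
        key = normalize(fact)
        variants.setdefault(key, []).append(fact.source)
        first_fact.setdefault(key, fact)
    if not variants:
        return Resolution("none", None, variants)
    if len(variants) == 1:
        key = next(iter(variants))
        return Resolution("single-truth", first_fact[key], variants)
    return Resolution("conflict", None, variants)


def build_sample_party() -> Party:
    """Constructed sample: three systems assert an address for one party."""
    p = Party("P-1001")
    p.add_fact(AddressFact("12 Main St", "Springfield", "12345", "crm"))
    p.add_fact(AddressFact("12  main st", "springfield", "12345", "billing"))
    p.add_fact(AddressFact("7 Oak Ave", "Springfield", "12345", "loans"))
    return p


if __name__ == "__main__":
    r = resolve_mailing_address(build_sample_party())
    print(r.status, r.variants)
```

With the constructed sample, the crm and billing submissions normalize to the same address and the loans submission differs, so the result is a conflict with two variants; that is the point at which a governance body either drives a consistent outcome or explicitly permits the deviation, instead of the deviation being accepted by default.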

In the example involving the logical data models, the initial data modeler, the department manager, and the data governance body all participated in governance. However, the data modeler and the department manager dealt with the situation in terms of self-interest, which from a governance perspective is coined intra. Intrasituations of governance fall under the umbrella of traditional management. The data governance body dealt with the situation in terms of an overarching interest, which is coined inter. Intersituations are deemed as a suitable governance paradigm and separate from that of management.

The term intra connotes that something is within. In the first two cases, reconciling differences in the logical data modeling abstractions lay within the data management department. Situations that can be classified as occurring within are candidate to be handled by management processes.

The term inter connotes that something transcends. In the third situation, the inconsistency occurs between two disparate groups. The data governance body acts to reconcile a situation that traditional leadership may be unable to anticipate, identify, or resolve.

Although all three situations in the logical data modeling example were governed, intrasituations are best handled by managing. Distinguishing between governing and managing helps to reinforce and strengthen the role and function of the manager. Some organizations may view governance as an optional function or method, whereas managing is not something that can be construed as an option. Distinguishing between acts of management and acts of governance helps set scope and purpose for a formal governance function.

Furthermore, optional mechanisms or programs are more likely to be affected by fluctuations in budgetary allocations. Delineating between the purpose of governance in a governance program and governance as part of the natural course of management can help prevent disruption caused by budgetary (or organizational) adjustments should a governance program encounter a fiscal disruption. The distinction also helps when a governance body is mandated to help achieve regulatory compliance.

As mentioned earlier, how personnel in a governance program communicate can contribute to the overall success of a governance initiative. “The primary role of establishing SOA data governance and auditing services is to enable and manage the enforcement of business and security policy as it is applied to data... data governance provides a level of accountability.”2 The communication traits associated with the accountability or oversight can be described following the FARMADE technique:

2. See Hurwitz (2006).

FARMADE: Facilitator, Arbitrator, Representative, Mediator, Authoritarian, Director, Envoy.

FARMADE represents a list of communication styles that may be adopted by a data governance body. Which style is best or which combination of styles should be used is based on a number of factors. Those factors can include corporate culture, the degree of authority granted to the governance body, and the degree by which that authority is recognized:

As a facilitator

Governance personnel are responsible for coordinating resolution activities across the involved groups, departments, or communities. In this case, the governance body is not expected to act as the sole decision-making body.

As an arbitrator

Governance personnel are used to help decide a dispute, settle differences, or resolve a direction by being the final decision maker.

As a representative

Governance personnel are colocated across departments or groups to ardently oversee activities or products being produced. The use of representatives acts to partially decentralize the function of data governance.

As a mediator

Governance personnel act to seek reconciliations to differences.

Facilitation and mediation are sometimes seen as two interchangeable terms because they can both be used to readily accommodate the involvement of an independent group such as a data governance body into a resolution process without giving the data governance body sole decision-making authority. In addition, the terms can be used as a means to alter the dynamics (behavioral or technological) between various departments so that opportunities for collaboration can improve.

As a distinction, data governance in mediation can be used to help departments deal with a particular conflict that has yet to be addressed. This is an example of using data governance as a means to achieve a resolution that no single manager has the authority to mandate. The core objective of facilitation is to provide the means of structure and process for solving problems and for expeditiously making decisions so that goals can be achieved and overall effectiveness realized. In addition, managing conflict can be an important part of facilitation, but conflict resolution is not always the primary focus.

In mediation, data governance may intervene once an impasse has been recognized. In facilitation, data governance typically steps in before the impasse is reached.

As an authoritarian

Governance personnel can dictate or mandate a resolution without regard for consensus or an agreement.

As a director

Governance personnel act proactively to help thwart issues before they arise.

As an envoy

Governance personnel act as a channel to senior management, other governance bodies (such as IT governance), or to other areas of the organization such as a separate line of business.

“Data Governance Council responsibilities usually encompass all aspects of data use and management, including strategic, tactical, and operational.”3 However, as previously mentioned, data governance can best serve the organization as an independent body or council and not as an encompassing body as conflicts of interest may arise. Instead of providing strategic, tactical, and operational positions, data governance can complement its oversight by demanding that certain types of controls be put in place (see Figure 2-4).

3. See Inmon (2008).

Figure 2-4 Metamodel for data governance.


The metamodel for data governance is aimed at asserting control throughout the life cycle of a solution or practice, from inception to retirement, and may include modeling, programming, deployment, security, privacy, and data entry. The four primary areas of control are ensure, assure, insure, and reassure. Each area of control is duly influenced by directives and the means of oversight. The controls are used to measure or influence the work conducted for which the governance body requires oversight.

Ensure deals with controls for operating; assure deals with controls for performing (work); insure deals with controls for sustaining (an operation); and reassure deals with controls of continuity that results from quality, consistency, and integrity.

The controls for operating are used to identify the knowledge and prerequisites that must be established before initiating any given activity. For example, processes to establish atomic, fine-grained, or composite services must be in place before a programmer writes a service. The controls identify what needs to be known, what must be followed, and what must be delivered. In other words, the control results in something that can be measured. In addition, the control must be testable, capable of being inspected, accommodate an audit, and any undesirable outcomes must result in the control being adjusted.

Controls for operating are put in place to strengthen the ability to achieve an outcome. The outcome might be a service, a data model, a layer of security, or entered information. The ensure controls hold a priori that if the controls are created and followed, the probability of a desirable outcome is strengthened.

The ensure controls may be classified as regulations, processes, roles, methods, guidelines, and so on. Furthermore, these controls may help influence the conduct of day-to-day and other routine activities. The use of the ensure controls is to influence and steer a community, such as a team of service developers or data stewards, to the desired level of performance. Therefore, the controls are beneficial as a means of forward-looking prevention and assist to avoid immediate or future negative outcomes.

An activity such as the creation of a service may require more than one control. For example, modeling a schema and metadata management are separate activities, and yet both activities are necessary to the singular activity of creating a service. In a master data initiative, establishing a new customer includes the collection of identifying information, establishing a profile (such as a preferred customer), and possibly recording the line of credit. Each set of facts may require its own controls.

When a control is used in association with assurance (performing), insurance (sustaining), or reassurance (continuity), the control should be directly associated with at least one ensure (operating) control. For example, designing a business service model must be coupled with operating controls for service standards and modeling processes. In the end, a control for operating serves to anchor a spectrum of controls for performing, sustaining, and continuity.

Controls for performing (assure controls) provide for regulating activities before, during, and even after they have been worked on. Controls must indicate how the outcomes can be measured, and each outcome should be tangible. Something that is measurable and tangible can be weighed or evaluated objectively.

Assure controls do not necessarily address the work within a given activity, but certainly focus on the outcome. For example, while establishing a grid environment to support a series of Web services, the plan, design, construction, test, and deployment activities form a life cycle upon which an outcome occurs at each point in the life cycle. At each point in the life cycle, the outcome can be assessed against the control as part of achieving a desired outcome.

Sample classifications for performing controls include proactive, reactive, and evidentiary. Proactive controls occur in advance as a means to support an upcoming activity, whereas reactive controls are placed at critical points to assure achievement of the outcome concurrently while the activity is being performed. Evidentiary controls accompany proactive and reactive controls and provide a means by which evidence is created and collected for future proof of assurance.

Proactive controls are positioned to channel an activity toward achieving a desired outcome. Such controls may influence the sequence in which an existing task is performed, or placed to capture additional defining information, or even placed in a procedural process.

Proactive assure controls can act as a point of reference for other controls; some may be established at the beginning of an activity. An example of a leading control might be to document the upcoming activity, including descriptions and other pertinent facts from which acceptance criteria can be defined.

At each instance of a measurement point, a corresponding measurement technique must exist. Although points of measurement are provided through the assure controls, the chosen measurement technique results in a sustaining control. Controls for sustaining, the insure controls, provide for a variety of techniques by which the assure controls are measured. Sustaining controls are means to regulate consistent measurement activities and assist in insuring that measurements are sustainable over time.

Although assure controls provide for the placement of measurements points, the measurement itself is what insures whether the desired result has been achieved. A successful measurement within an activity provides assurance, but only if the measurement technique used insures the desired result and the required resulting actions are performed.

Classifications for sustaining controls include measurement and procedural. A measurement control is a uniform measurement technique that can be embedded within a different type of control, such as ensure, assure, and reassure. Types of measurement techniques include peer reviews, document approval, checkpoints, testing, control reviews, committee reviews, inspections, and audits. Procedural activities afford a uniform process for a course of action based on the interpretation of a measurement result. For example, the violation to a policy may initiate an associated activity within issue management, risk management, and change management.

Characteristics of insure controls include standardization, broad adoptability, common understanding, and being organic. Standardization insures consistent use, and broad adoptability insures and eases enterprise use. Both of these characteristics convey consistent understanding and provisioning across the enterprise. Controls are organic when the resulting activity measurements are fed back into the control development process to modify the control itself. For instance, when an inspection was performed to assure the comprehensiveness of documented controlled vocabularies, a control was modified to limit authoring of terms to appointed stewards.

The fourth type of control, called continuity controls or reassure controls, offers a means to independently regulate, validate, or attest. Findings from a reassure control serve to demonstrate whether an observed control helped support the outcome from the controls of operating, performing, and sustaining. In addition, other than observing conformance, activities associated with reassure may prescribe actions to be carried out based on findings. Typically, when uncovering a situation of nonconformance, escalations and work stoppages as part of issue management may be assessed.

Reassure controls carried out in real time are known as inspections. After-the-fact controls are called audits or certification. In the case of an inspection control, the results are witnessed as performed, whereas audits use evidentiary documentation. A certification can be used to document how the independent data governance body reassures the outcome achieved within the scope of focus. When a reassure control is established to validate test results from a service-oriented solution, an initial assessment may have been performed to determine the sufficiency of the development team’s existing controls. This process may lead to the completion of a continuity activity to certify the outcome and provide reassurance.

Within the setup of the metamodel, personnel representing the governance body are directly accountable to produce a control of continuity. The data governance body is also responsible for establishing the degree of formality for the consideration of each control.

The use of a reassure control may also be applied to one of the other types of control (ensure, assure, or insure). For example, a reassure control may validate an ensure control to confirm that all prerequisites exist. In the case of an assure control, a reassure control may validate that any stipulated acceptance criteria were sufficient and that the outcomes complied with those criteria. With insure controls, reassure may be used to verify that the actual measurement techniques performed as required.

Sometimes inspections and audits are considered reactive-type controls, but if these control types are performed within a proactive assurance control such as an architecture review, the inspection or audit is considered a proactive control. Ultimately, all the controls are used to lead the organization to a sense of trust. Trust can be qualified by the assurances achieved and the knowledge that:

• An activity resulted in a desirable outcome.

• The measurement points were appropriate for achieving the outcome.

• The activity performed complied with the controls for operating, performing, sustaining, and continuity.

• All evidentiary documents remain available.

The metamodel for data governance is designed to encompass all the activities or products produced by the data governance body and all the activities and products produced by those areas (departments, groups, and communities of interest) that the data governance body oversees.

The metamodel is formalized around governing those activities and products classified as requiring an inter type of oversight—in other words, those activities and products that require an overarching and independent presence. Without the notion of reassure, the metamodel becomes a suitable metamodel for governing intra types of oversight—in other words, those activities and products that are governed through management as part of governing through self-interest.

Data governance can be used as an overloaded term, and “many people confuse data quality, data governance, and master data management.”4 Therefore, in addition to distinguishing between the roles and functions of a data governance body with that of management, the types of controls associated with ensure, assure, insure, and reassure help affirm distinctions between data governance and other necessary activities that an organization must perform.

4. See Dyché (2006).

Embedded rules in a Web service that constrain data values as part of a data quality initiative, or interfaces that permit a knowledge worker to rectify data values, are not performing acts of data governance. These are acts of data quality, which are independent from those of data governance. Data quality initiatives can subsequently be governed to make sure that all the requisite outcomes comply with the appropriate controls associated with the four control points: ensure, assure, insure, and reassure.

Data governance is a function that can act as an oversight mechanism, enforcing controls over data quality and master data management, but also over data privacy, data security, identity management, and risk management, and it can be relied upon in the interpretation and adoption of regulatory requirements.

When data governance is viewed as dealing with “the ongoing management of the risk of unauthorized collection, use, disclosure, transfer, modification, and/or destruction of information through physical, procedural, and technical mechanisms,”5 a burden is placed on the role of governance as a function of doing rather than functioning in the role of oversight. Positioning data governance as doing (or carrying out) is a similar mistake to when data quality is attributed as data governance.

5. See Power (2005).

Data by itself is inert; programs or services are required to make data actionable or simply to provide access to the data for a person to take action. Therefore, understanding a security framework around a service-oriented architecture is a mandate to ensure the integrity of all transient and persistent data. While a service acts on the data, the data ceases to be in an inert state.

Compliance with the Sarbanes-Oxley Act of 2002 is of significance to all data governance bodies. The act went beyond the Foreign Corrupt Practices Act of 1977 and the Securities Exchange Act of 1934 to raise the standards for management’s attention to internal controls. Because organizations are predominantly siloed, a strong case can be made for an oversight practice such as a data governance body to become the eyes and ears, as well as the glue, to help achieve a compliant enterprise.

The Health Insurance Portability and Accountability Act (HIPAA) “provide(s) insurance portability, fraud enforcement, and administrative simplification.”6 Although primarily intended for the health-care industry, the act is of noteworthy attention for data governance bodies because the standards could serve as a benchmark and be borrowed for other regulations and statutes that demand tighter scrutiny on the control of corporate data.

6. See Beaver (2004).

The Safeguarding Customer Information rule associated with the Gramm-Leach-Bliley Act of 1999 significantly impacts master data initiatives and subsequently the services that maintain master data. Section 314.4 of the Safeguarding rule7 stipulates that an organization must:

7. See FTC (2002).

• Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information. Risks could result from the unauthorized disclosure, misuse, alteration, destruction, or any other means that may compromise the customer information.

• Assess the sufficiency of any safeguards in place to control risks. A risk assessment should evaluate hardware, networks, software design, as well as information processing, storage, transmission, and disposal.

• Be able to detect, prevent, and respond to attacks, intrusions, or other system failures.

• Continually evaluate and adjust all mechanisms in light of the results from ongoing testing and monitoring.

Basel II, U.S. Federal Trade Commission Standards, and international data privacy laws (such as Canada’s Personal Information Protection and Electronic Documents Act, Australia’s Privacy Act, United Kingdom’s Data Protection Act, and Holland’s Personal Data Protection Act) regulate business requirements, export control limitations, contractual requirements, record retention requirements, preservation of data per litigation hold requirements, and the avoidance of data spoliation through the intentional tampering of viral or trusted information. All these regulations affect the deployment of services, the management of data, and the scope of reach for a data governance body.8

8. In addition, Dreibelbis (2008) contains a list of more than 30 regulations and their descriptions that apply to master data management.

The notion of data in the role of oversight and control by a data governance body also requires clarification. Data should not be used as a means to limit scope, but instead as a means to create an anchor point from which all other things are viewed, measured, and assessed. Data governance places data as a central topic of interest from which the rest of information technology and the rest of the business can be viewed, assessed, and reasoned upon. A data governance body holds data as a primary interest, but should also hold as a primary interest any activity, product, or discipline that is viewed as a consumer or provider of data.

Obviously, when “the key objective of data governance is to create a framework aimed at continuous data quality, measurement, and improvement,”9 the benefits, although positive, are potentially too limiting and serve to undermine the full potential of what a data governance practice can become.

9. See Berson (2007).

Figure 2-5 illustrates a framework that builds upon the data governance metamodel and from which operating models for data governance can be subsequently derived.

Figure 2-5 Generalized framework for data governance.


The core of the data governance body consists of a charter and a series of subcommittees that can be organized to focus on discrete disciplines. The charter for data governance outlines the rationale and sponsorship for the existence of the data governance body and states its purpose and reach. The charter should clearly articulate the difference between governance functions that are managed through self-interest (intra) versus those that are managed through an overarching interest (inter).

Because of the vast array of topics that data governance covers, subcommittees are used to create special oversight groups capable of functioning in discrete disciplines. For example, a special oversight group for regulatory compliance may need different skill sets than an oversight group focused on modeling, interoperability, and messaging technology.

The framework is split into two halves. One side deals with data governance issues that are always responded to in a reactive manner; the other side deals with issues in a proactive manner.

All directives are treated in a reactive manner, whether from internal sources (such as corporate values, infrastructure, habit, or management prerogative) or from external sources (such as the environment, technology, regulation, suppliers, competitors, and so on). A directive must be known to exist, or there must be a belief that it might exist now or in the future, such that the directive acts as an influencing force on decision making.

Any resulting policies, standards, rules, or other elements of guidance issued as the result of a directive become an accumulative part of the collective of directives. A directive to measure trust in information may lead to a policy on interoperability that permits consuming or publishing data only to certified data stores. In addition, other elements of guidance might be put in place to continually measure trust and recertify data stores, and to define how to respond should a previously certified data store fail to retain certification.

The proactive counterpart to the directive is the type of enforcement attributed to a directive. A directive to prevent customer information from being serviced and moved to countries that do not meet a standard of adequacy for privacy protection might be enforced as a mandate. In this case, a mandate offers no relief, and the directive must be followed without exception. Any violation by an individual could result in a dismissal and potential legal action.

Other types of enforcement include standards and guidelines. Whereas a mandate offers no relief to a directive, a standard affords relief through permission from a superior. If a directive requires all new data stores to be deployed in a clustered environment, permission from a superior might grant the use of a grid configuration instead. Here, a deviation from the standard is granted.

In a guideline situation, individuals are empowered to make their own final decisions. In the case of a guideline, a directive exists and offers a preferred means or method by which something should be followed. However, a directive enforced as a guideline allows the individual to deviate if that individual believes that an alternative solution or method is warranted. Other variations of enforcement types are strict, deferred, preauthorized, post-justified, and override.10

10. See OMG (2006).

Strict: Strictly enforced. (If you violate the rule, you cannot escape the penalty.)

Deferred: Deferred enforcement. (Strictly enforced, but enforcement may be delayed—e.g., waiting for resource with required skills.)

Preauthorized: Preauthorized override. (Enforced, but exceptions allowed, with prior approval for actors with before-the-fact override authorization.)

Post-justified: Post-justified override. (If not approved after the fact, you may be subject to sanction or other consequences.)

Override: Override with explanation. (Comment must be provided when the violation occurs.)

Guideline: Guideline. (Suggested, but not enforced.)

The other major element in the framework is time. Reactively, time spans from real time to after the fact. Proactively, time spans from before the fact to real time. Separating any overlap in real time is based on how an area of the organization chooses to interpret the concept of now. For example, now could represent this second, this minute, this hour, this day, this week, this month, this quarter, this year, and so on. In financial accounting, now can be construed as this quarter, the current period of time for which a public corporation must produce a 10-Q report for the U.S. Securities and Exchange Commission.

For corporations that trade equities, now can represent a split second. The Dow Jones Industrial Average index and individual stock prices are posted for public consumption with a 15-minute delay. Although 15 minutes might not seem very long, the delay is considered long enough to reduce the real value of the information.

“Data governance embodies the synchronization of [directives] policies, standards, procedures, organization, and technology for the management of data. Governance is based on identifying ownership, and instilling a level of accountability in data processes.”11 Within the framework, accountability is viewed as a proactive measure that is further complemented by the levels of enforcement.

11. See Elgood (2008).

When establishing a chart of accounts, the hierarchy of segments is an important factor. Segment examples include company, department, account, project, and region. “Strong data governance for the segments and their associated values is essential.”12 The general traits of data governance used to ensure consistency across the chart of accounts are ubiquitous to all avenues of governance:

12. See Roehl-Anderson (2008).

• Initial creation of the segments and their data values

• How data values are maintained over time

• Who defines and communicates standards within the organization

• Centralizing or decentralizing maintenance

The effectiveness of data governance depends on how the governance body reacts and adapts to the cultural environment. To that end, data governance may have to continually adjust its modus operandi or help to influence a change in corporate behavior. In either case, data governance must manipulate or tweak its operations. This notion is known as dialing (see Figure 2-6).

Figure 2-6 Dialing data governance.


The model in Figure 2-6 gives an overview of the data governance operational adjustment process. The process consists of five main dials, with one subdial to form the acronym ED-SODA:


ED-SODA identifies core operations that can be tuned to meet the cultural style and objectives for data governance:

Experiences

Evaluating operational experience of deployed solutions to ensure that quality and integrity are preserved and sustained and that all regulatory and other requirements are consistently met.

Directives

Developing directives such as policies and guidance and the interpretation of other internal and external influences.

Sanctions

Licensing or certifying data stores in terms of trusted information and intended use. In addition, data consumers and data providers are authorized so that an inventory is maintained to assist in the tracking of the provenance of all data.

Oversight

Overseeing data-oriented activities to ensure that integrity, compliance, and consistency are achieved and sustained.

Decisions

Conducting research on data-related issues, holding meetings to address any concerns a community of interest may have, and working with other governance bodies within the organization to ensure symmetry in decision making.

Advocacy

Promoting the successes achieved by the organization to the organization as a whole. Advocacy becomes the marketing (promotion) arm of data governance.

The dials are also affected as the data governance body strives to improve its processes in these five areas through assessing risk. Within data governance, risk combines the probability of noncompliance with the consequence of noncompliance, and finally, how to optimally mitigate an issue should noncompliance occur.

A data governance body uses risk information to reduce the probability of an issue arising and to determine ways to mitigate an issue that has surfaced. The probability of a risk occurring is often ranked as high, medium, or low, and the consequence of an occurrence is also ranked as high, medium, or low. For example:

Risk: Failure to meet logical data model naming standards

Probability: High

Consequence: Medium

Mitigation: Have the data modeler fix nonconforming names

Risk: Incorrect data values introduced into a master data management data store

Probability: Low

Consequence: High

Mitigation: Develop a model to evaluate trust prior to persistence

The dial for operational experiences (Ed-soda) is adjusted based on decisions involving event assessment and general issues:

Event assessment: Daily review and long-term trend analysis of measurable activities or work products being governed.

General issues: Identifying and resolving issues that affect more than one community of interest.

The dial for directives (eD-soda) is adjusted based on decisions involving rule making, guidance development, general communications, and standards development:

Rule making: Developing and amending policies that departments, work groups, or communities of interest must follow to preserve quality, consistency, and integrity of all data assets.

Guidance development: Developing and revising guidance documents, such as regulatory interpretation guides, standard review plans, and inspection manuals to aid in delivering consistent advice to the organization as a whole.

General communications: Proactively informing the organization of planned changes, pending changes, and implemented changes to data governance operations or to any data governance collateral. From time to time, data governance communications may require a response from each recipient.

Standards development: Monitoring industry standards bodies such as the World Wide Web Consortium, International Standards Organization, national governments, and so on for modifications to standards or regulations that might affect the organization or the information technology products produced or used by the information technology department.

The dial for licensing and certification (ed-Soda) is adjusted based on decisions involving licensing, decommissioning and sunsetting, and certification:

Licensing: Authorizing a community or set of information technology services to consume or modify data.

Decommissioning and sunsetting: Activities and communications to cease using a data store or service, and in the case of a data store, whether or not the data should be disposed, migrated, or archived.

Certification: Formally acknowledging a data store as being trustworthy. Certified data stores also become key sources for data for interoperability.

The dial for oversight (ed-sOda) is adjusted based on decisions involving inspection, enforcement, assessment of performance, allegations, and investigations:

Inspection: Verifying activities are properly conducted to assure outcomes are consistent and maintain integrity and quality.

Enforcement: Escalating to upper management those issues that data governance itself is unable to control.

Assessment of performance: Through the evaluation of activities and work products that are being governed, the data governance body can be self-reflective as to the impact its presence is making in the organization.

Allegations: Responding to reports of risk.

Investigations: In addition to resolving a risk, taking a lessons-learned approach to try to avoid future occurrences of a problem.

The dial for support for decisions (ed-soDa) is adjusted based on decisions involving research activities, issue management, risk assessment, advisory activities, adjudication, and deviation management:

Research activities: Technical studies and analyses to help the data governance body make realistic decisions, assess the integrity of potential technical issues, and prepare the organization for the future by evaluating potential issues involving new designs and technologies.

Risk assessment: Use of risk analysis methods and performance insight to support decision making throughout the organization.

Advisory activities: Review and assessment of proposals received by a data governance subcommittee, another governance body within the organization, or a community of interest or department.

Adjudication: Listening and responding to concerns.

Deviation management: Reviewing requests for exceptions and granting permission to deviate where prudent. In addition, deviation management allows the maintenance of an accurate inventory of all information technology collateral and intellectual property.

The dial for using governance as an advocate (ed-sodA) is a subdial of the decisioning dial. Within the governance function, the use of an advocate can provide a type of balance that can avoid the constraining perceptions of oversight. The end result would include control while using governance to help champion a cause:

Executive communication: Reporting to senior management on accomplishments attributable to data governance or individual teams

Oversight communication: Reporting to project teams and departments on favorable outcomes due to data governance or individual team efforts

Champion: To seek improvement and positive results on behalf of project teams that may be beyond the normal scope of control

Each of these factors is weighed for dialing in terms of the maturity of the data governance organization, the maturity of the information technology department, the capacity of an organization to support a data governance function, and the overall collateral available to pursue a data governance function. Therefore, the dials on each of these six process areas can be set, monitored, and adjusted over time to achieve an effective data governance program.

Any dialing can be expressed using the data governance metamodel by applying the dial within one or more ensure, assure, insure, or reassure controls.

Systemic problems associated with viral data require an active data governance program to help the organization as a whole prevent, monitor, and address viral issues. The model to transport data—viral or trusted—is covered in the reference model. The reference model provides a basis to start the development of data governance controls.
