Both external and internal pressures introduce constraints on the use of enterprise information. Financial reporting, regulatory compliance, and privacy policies are just a few examples of the kinds of pressures that prompt data management professionals and senior business managers to institute a framework for ensuring the quality and integrity of the data asset for all of its purposes. These challenges are magnified as data sets from different applications are consolidated into a master data environment. Numerous aspects of ensuring this integrity deal with the interactions between the applications, data, and individuals in the enterprise, and therefore it is worthwhile to explore the mechanics, virtues, and ongoing operations of instituting a data governance program within an organization.

At its core, the objective of data governance is predicated on the desire to assess and manage the many kinds of risks that lurk within the enterprise information portfolio and to reduce the impacts incurred by the absence of oversight. Although many data governance activities might be triggered by a concern about regulatory compliance, the controls introduced by data governance processes and protocols provide a means for quantitative metrics for assessing risk reduction as well as measuring business performance improvements. By introducing a program for defining information policies that relate to the constraints of the business and adding in management and technical oversight, the organization can realign itself around performance measures that include adherence to business policies and the information policies that support the business.

One of the major values of a master data management program is that, because it is an enterprise initiative, it facilitates the growth of an enterprise data governance program. As more lines of business integrate with core master data object repositories, there must be some assurance that the lines of business are adhering to the rules that govern participation. Although MDM success relies on data governance, a governance program can be applied across different operational domains, providing economies of scale for enterprise-wide deployment. In this chapter, we will look at the driving factors for instituting a data governance program in conjunction with master data management, setting the stage for deploying governance, critical data elements and their relation to key corporate data entities, stages for implementation, and roles and responsibilities.

One special note, though: the directive to establish data governance is a double-edged sword. An organization cannot expect to dictate into existence any type of governance framework without the perception of business value, which prevents the creation of a full-scale oversight infrastructure overnight. On the other hand, the absence of oversight will prevent success for any enterprise information initiative. This chapter, to some extent, presents an idealized view of how data governance is structured in the best of cases. However, the value of governance is linked to the value of what is being governed; incremental steps may be necessary to build of successes as a way of achieving “collateral.” Continuous reassessment of the data governance program is a good way to ensure that the appropriate amount of effort is spent.

There are different perceptions of what is meant by the term “data governance.” Data governance is expected to ensure that the data meets the expectations of all the business purposes, in the context of data stewardship, ownership, compliance, privacy, security, data risks, data sensitivity, metadata management, and MDM. What is the common denominator? Each of these issues centers on ways that information management is integrated with controls for management oversight along with verification of organizational observance of information policies. In other words, each aspect of data governance relates to the specification of a set of information policies that reflect business needs and expectations, along with the processes for monitoring conformance to those information policies.

Whether we are discussing data sensitivity, financial reporting, or the way that team members execute against a sales system, each aspect of the business could be boiled down to a set of business policy requirements. These business policies rely on the accessibility and usability of enterprise data, and the way each business policy uses data defines a set of information usage policies. Each information policy embodies a set of data rules or constraints associated with the definitions, formats, and uses of the underlying data elements.

Qualitative assertions about the quality of the data values, records, and the consistency across multiple data elements are the most granular level of governance. Together, these provide a layer of business metadata that will be employed in automating the collection and reporting of conformance to the business policies. Particularly in an age where noncompliance with external reporting requirements (e.g., Sarbanes-Oxley in the United States) can result in fines and prison sentences, the level of sensitivity to governance of information management will only continue to grow.

Every organization has a business strategy that should reflect the business management objectives, the risk management objectives, and the compliance management objectives. Ultimately, the success of the organization depends on its ability to manage how all operations conform to that business strategy. This is true for information technology, but because of the centrality of data in the application infrastructure, it is particularly true in the area of data management.

The challenge lies in management's ability to effectively communicate the business strategy, to explain how nonconformance to the strategy impacts the business, and to engineer the oversight of information in a way that aligns the business strategy with the information architecture. This alignment is two-fold—it must demonstrate that the individuals within the organization understand how information assets are used as well as how that information asset is managed over time.

These concepts must be kept in mind when developing the policies and procedures associated with the different aspects of the MDM program. As a representation of the replicated data sets is integrated into a unified view, there is also a need to consolidate the associated information policies. The union of those policies creates a more stringent set of constraints associated with the quality of master data, requiring more comprehensive oversight and coordination among the application owners. To prepare for instituting the proper level of governance, these steps may be taken:

A data quality and data governance assessment clarifies how the information architecture is used to support compliance with defined information policies. It suggests that data quality and data standards management are part of a much larger picture with respect to oversight of enterprise information.

In the siloed environment, the responsibilities, and ultimately the accountability for ensuring that the data meets the quality expectations of the client applications lie within the management of the corresponding line of business. This also implies that for MDM, the concept of data ownership (which is frequently treated in a cavalier manner) must be aligned within the line of business so that ultimate accountability for the quality of data can be properly identified. But looking at the organization's need for information oversight provides a conduit for reviewing the dimensions of data quality associated with the data elements, determining their criticality to the business operations, expressing the data rules that impact compliance, defining quantitative measurements for conformance to information policies, and determining ways to integrate these all into a data governance framework.

What truly drives the need for governance? Although there are many drivers, a large component boils down to risk. Both business and compliance risks drive governance, and it is worthwhile to look at just a few of the areas of risk associated with master data that require information management and governance scrutiny.

If these types of risks were not enough, the deployment of a master data management program introduces organizational risks of its own. As a platform for integrating and consolidating information from across vertical lines of business into a single source of truth, MDM implies that independent corporate divisions (with their own divisional performance objectives) yield to the needs of the enterprise.

As an enterprise initiative, MDM requires agreement from the participants to ensure program success. This leads to a unique set of challenges for companies undertaking an MDM program.

Preventing exposure to risk requires creating policies that establish the boundaries of the risk, along with an oversight process to ensure compliance with those policies. Although each set of policies may differ depending on the different related risks, all of these issues share some commonalities:

The upshot is that whether the objective is regulatory compliance, managing financial exposure, or overseeing organizational collaboration, centralized management will spread data governance throughout the organization. This generally happens through two techniques. First, data governance will be defined through a collection of information policies, each of which is mapped to a set of rules imposed over the life cycle of critical data elements. Second, data stewards will be assigned responsibility and accountability for both the quality of the critical data elements and the assurance of conformance to the information policies. Together these two aspects provide the technical means for monitoring data governance and provide the context to effectively manage data governance.

Key data entities are the fundamental information objects that are employed by the business applications to execute the operations of the business while simultaneously providing the basis for analyzing the performance of the lines of business. Although the description casts the concept of a key data entity (or KDE) in terms of its business use, a typical explanation will characterize the KDE in its technical sense. For example, in a dimensional database such as those used by a data warehouse, the key data entities are reflected as dimensions. In a master data management environment, data objects that are designated as candidates for mastering are likely to be the key data entities. Managing uniquely accessible instances of key data entities is a core driver for MDM, especially because of their inadvertent replication across multiple business applications.

Governing the quality and acceptability of a key data entity will emerge as a critical issue within the organization, mostly because of the political aspects of data ownership. In fact, data ownership itself is always a challenge, but when data sets are associated with a specific application, there is a reasonable expectation that someone associated with the line of business using the application will (when push comes to shove) at least take on the responsibilities of ownership. But as key data entities are merged together into an enterprise resource, it is important to have policies dictating how ownership responsibilities are allocated and how accountability is assigned, and the management framework for ensuring that these policies are not just paper tigers.

Critical data elements are those that are determined to be vital to the successful operation of the organization. For example, an organization may define its critical data elements as those that represent protected personal information, those that are used in financial reports (both internal and external), regulatory reports, the data elements that represent identifying information of master data objects (e.g., customer, vendor, or employee data), the elements that are critical for a decision-making process, or the elements that are used for measuring organizational performance.

Part of the governance process involves a collaborative effort to identify critical data elements, research their authoritative sources, and then agree on their definitions. As opposed to what our comment in Section 4.3.1 might imply, a mass assessment of all existing enterprise data elements is not the most efficient approach to identifying critical data elements.

Rather, the best process is to start at the end and focus on the information artifacts that end clients are using—consider all reports, analyses, or operations that are critical to the business, and identify every data element that impacts or contributes to each report element or analytical dimension. At the same time, begin to map out the sequence of processes from the original point of entry until the end of each critical operation. The next step is to assemble a target to source mapping: look at each of the identified data elements and then look for data elements on which the selected data element depends. For example, if a report tallies the total sales for the entire company, that total sales number is a critical data element. However, that data element's value depends on a number of divisional sales totals, which in turn are composed of business-line or product-line detailed sales. Each step points to more elements in the dependence chain, each of which is also declared to be a critical data element.

Each data element's criticality is proportional to its contribution to the ultimate end values that are used to run or monitor the business. The quality of each critical data element is related to the impact that would be incurred should the value be outside of acceptable ranges. In other words, the quality characteristics are based on business impact, which means that controls can be introduced to monitor data values against those quality criteria.

Information policies embody the specification of management objectives associated with data governance, whether they are related to management of risk or general data oversight. Information policies relate specified business assertions to their related data sets and articulate how the business policy is integrated with the information asset. In essence, it is the information policy that bridges the gap between the business policy and the characterization of critical data element quality.

For example, consider the many regulations requiring customer knowledge, such as the anti-money laundering (AML) aspects required by the USA PATRIOT Act. The protocols of AML imply a few operational perspectives:

But in essence, AML compliance revolves around a relatively straightforward concept: know your customer. Because all monitoring centers on how individuals are conducting business, any organization that wants to comply with these objectives must have processes in place to identify and verify customer identity.

Addressing the regulatory policy of compliance with AML necessarily involves defining information policies for managing customer data, such as the suggestions presented in the sidebar. These assertions are ultimately boiled down into specific data directives, each of which is measurable and reportable, which is the cornerstone of the stewardship process.

Any business policy will, by virtue of its implementation within an application system, require conformance to a set of information policies. In turn, each information policy should be described as a set of assertions involving one or more key data entities, examining the values of critical data elements, as can be seen in Figure 4.1. In other words, the information policy might be further clarified into specific rules that would apply to both the master data set as well as the participating applications. In the example that required the tracking of customer activity, one might define a rule prescribing that each application that manages transactions must log critical data elements associated with the customer identity and transaction in a master transaction repository. Conformance to the rule can be assessed by verifying that all records of the master transaction repository are consistent with the application systems, where consistency is defined as a function of comparing the critical data values with the original transaction.

Essentially, measurements of conformance to business policies define the key performance indicators for the business itself. This collection of key performance indicators provides a high-level view of the organization's performance with respect to its conformance to defined information policies. In fact, we can have each indicator reflect the rolled-up measurements associated with the set of data rules for each information policy. Thresholds may be set that characterize levels of acceptability, and the metrics can be drilled through to isolate specific issues that are preventing conformance to the defined policy, enabling both transparency and auditability.

But for the monitoring to be effective, those measurements must be presented directly to the individual that is assigned responsibility for oversight of that information policy. It is then up to that individual to continuously monitor conformance to the policy and, if there are issues, to use the drill-through process to determine the points of failure and to initiate the processes for remediation.

One of the biggest historical problems with data governance is the absence of follow-through; although some organizations may have well-defined governance policies, they may not have established the underlying organizational structure to make it actionable. This requires two things: the definition of the management structure to oversee the execution of the governance framework and a compensation model that rewards that execution.

A data governance framework must support the needs of all the participants across the enterprise, from the top down and from the bottom up. With executive sponsorship secured, a reasonable framework can benefit from enterprise-wide participation within a data governance oversight board, while all interested parties can participate in the role of data stewards. A technical coordination council can be convened to establish best practices and to coordinate technical approaches to ensure economies of scale. The specific roles include the following:

These roles are dovetailed with an organizational structure that oversees conformance to the business and information policies, as shown in Figure 4.2. Enterprise data management is integrated within the data coordination council, which reports directly to an enterprise data governance oversight board.

As mentioned at the beginning of the chapter, be aware that pragmatically the initial stages of governance are not going to benefit from a highly structured hierarchy; rather they are likely to roll the functions of an oversight board and a coordination council into a single working group. Over time, as the benefits of data governance are recognized, the organization can evolve the management infrastructure to segregate the oversight roles from the coordination and stewardship roles.

The data governance director is responsible for the day-to-day management of enterprise data governance. The director provides guidance to all the participants and oversees adherence to the information policies as they reflect the business policies and necessary regulatory constraints. The data governance director plans and chairs the data governance oversight board. The director identifies the need for governance initiatives and provides periodic reports on data governance performance.

The data governance oversight board (DGOB) guides and oversees data governance activities. The DGOB is composed of representatives chosen from across the community. The main responsibilities of the DGOB are listed in the sidebar.

The actual governance activities are directed and managed by the data coordination council, which operates under the direction of the data governance oversight board. The data coordination council is a group composed of interested individual stakeholders from across the enterprise. It is responsible for adjusting the processes of the enterprise as appropriate to ensure that the data quality and governance expectations are continually met. As part of this responsibility, the data coordination council recommends the names for and appoints representatives to committees and advisory groups.

The data coordination council is responsible for overseeing the work of data stewards. The coordination council also does the following:

The data steward's role essentially is to support the user community. This individual is responsible for collecting, collating, and evaluating issues and problems with data. Typically, data stewards are assigned either based on subject areas or within line-of-business responsibilities. However, in the case of MDM, because the use of key data entities may span multiple lines of business, the stewardship roles are more likely to be aligned along KDE boundaries. Prioritized issues must be communicated to the individuals who may be impacted. The steward must also communicate issues and other relevant information (e.g., root causes) to staff members who are in a position to influence remediation.

As the person accountable for the quality of the data, the data steward must also manage standard business definitions and metadata for critical data elements associated with each KDE. This person also oversees the enterprise data quality standards, including the data rules associated with the data sets. This may require using technology to assess and maintain a high level of conformance to defined information policies within each line of business, especially its accuracy, completeness, and consistency. Essentially, the data steward is the conduit for communicating issues associated with the data life cycle—the creation, modification, sharing, reuse, retention, and backup of data. If any issues emerge regarding the conformance of data to the defined policies over the lifetime of the data, it is the steward's responsibility to resolve them.

Data stewardship is not necessarily an information technology function, nor should it necessarily be considered to be a full-time position, although its proper execution deserves an appropriate reward. Data stewardship is a role that has a set of responsibilities along with accountability to the line-of-business management. In other words, even though the data steward's activities are overseen within the scope of the MDM program, the steward is accountable to his or her own line management to ensure that the quality of the data meets the needs of both the line of business and of the organization as a whole.

For companies undertaking MDM, a hallmark of successful implementations will be the reliance and integration of data governance throughout the initiative. The three important aspects of data governance for MDM are managing key data entities and critical data elements, ensuring the observance of information policies and documenting and ensuring accountability for maintaining high-quality master data.

Keeping these ideas in mind during the development of the MDM program will ensure that the master data management program does not become relegated to the scrap heap of misfired enterprise information management initiatives. Rather, developing a strong enterprise data governance program will benefit the MDM program as well as strengthen the ability to manage all enterprise information activities.