Read an Excerpt

The IBM Data Governance Unified Process

Driving Business Value with IBM Software and Best Practices

MC Press

Introduction to Data Governance

Data Governance is the discipline of treating data as an enterprise asset. It involves the exercise of decision rights to optimize, secure, and leverage data as an enterprise asset. It involves the orchestration of people, process, technology, and policy within an organization, to derive the optimal value from enterprise data. Data Governance plays a pivotal role in aligning the disparate, stovepiped, and often conflicting policies that cause data anomalies in the first place.

Much like in the early days of Customer Relationship Management (CRM), organizations are starting to appoint full-time or part-time owners of Data Governance. As with any emerging discipline, there are multiple definitions of Data Governance, but the market is starting to crystallize around the definition of treating data as an asset.

Traditional accounting rules do not allow companies to treat data as a financial asset on their balance sheets, unless it has been purchased from an external entity. Despite this conservative accounting treatment, enterprises now understand that their data should be treated as an asset similar to plant and equipment.

Treating data as a strategic enterprise asset implies that organizations need to build inventories of their existing data, just as they would for physical assets. The typical organization has an excessive amount of data about its customers, vendors, and products. The organization might not even know where all this data is located. This can pose challenges, especially in the case of personally identifiable information ([PII). Organizations need to secure business-critical data within their financial, Enterprise Resource Planning, and human resource applications from unauthorized changes, since this can affect the integrity of their financial reporting, as well as the quality and reliability of daily business decisions. They must also protect sensitive customer information such as credit card numbers and PII data, as well as intellectual property such as customer lists, product designs, and proprietary algorithms from both internal and external threats. Finally, organizations need to get the maximum value out of their data, driving initiatives such as improved risk management and customer-centricity.

Data is at once an organization's greatest source of value and its greatest source of risk. Poor data management often means poor business decisions and greater exposure to compliance violations and theft. For example, regulations such as Sarbanes-Oxley in the United States, the equivalent European Sarbanes-Oxley, and the Japanese Financial Instruments and Exchange Law (J-SOX) dictate a balance between restricted access and the appropriate use of data, as mandated by rules, policies, and regulations. On the other hand, the ability to leverage clean, trusted data can help organizations provide better service, drive customer loyalty, spend less effort complying with regulations and reporting, and increase innovation.

Organizations must also consider the business value of their unstructured data. This unstructured data, often referred to as content, needs to be governed just as structured data does.

A good example of unstructured data governance is setting records management policy. Many companies are required to maintain electronic and paper records for a given period of time. They need to produce these records quickly and cost-effectively during the legal discovery process. They also need to be in compliance with the established retention schedules for specific document types. Several organizations use the term "Information Governance" to define this program. Although we use the terms "data" and "information" interchangeably, we will stick with the more commonly used term "Data Governance" throughout this book.

Here are some benefits that organizations can derive by governing their data:

• Improve the level of trust that users have in reports

• Ensure consistency of data across multiple reports from different parts of the organization

• Ensure appropriate safeguards over corporate information to satisfy the demands of auditors and regulators

• Improve the level of customer insight to drive marketing initiatives

• Directly impact the three factors an organization most cares about: increasing revenue, lowering costs, and reducing risk

Founded in November 2004 by Steve Adler, the IBM® Data Governance Council is a leadership forum for practitioners such as Data Governance leaders, Information Governance leaders, chief data officers, enterprise data architects, chief information security officers, chief risk officers, chief compliance officers, and chief privacy officers. The council is concerned with issues related to how an organization can effectively govern data as an enterprise asset. It focuses on the relationships among information, business processes, and the value of information to the organization.

According to findings published by Adler for the IBM Data Governance Council in the whitepaper The IBM Data Governance Maturity Model: Building a Roadmap for Effective Data Governance, these are the top Data Governance challenges today:

• Inconsistent Data Governance can cause a disconnect between business goals and IT programs.

• Governance policies are not linked to structured requirements-gathering and reporting.

• Risks are not addressed from a lifecycle perspective with common data repositories, policies, standards, and calculation processes.

• Metadata and business glossaries are not used to bridge semantic differences across multiple applications in global enterprises.

• Few technologies exist today to assess data asset values that link security, privacy, and compliance.

• Controls and architectures are deployed before long-term consequences are modeled.

• Governance across different data domains and organizational boundaries can be difficult to implement.

• What exactly needs to be governed is often unclear.

• Data Governance has strategic and tactical elements, which are not always clearly defined.

Data Governance is about decision rights and influencing human behavior. This book is a practitioner's guide based on real-life experiences with organizations that have implemented similar programs. It highlights specific areas where IBM software tools and best practices support the process of Data Governance.

The IBM Data Governance Unified Process

The benefits of a commitment to a comprehensive enterprise Data Governance initiative are many and varied, and so are the challenges to achieving strong Data Governance.

Many enterprises have requested a process manual that lays out the steps to implement a Data Governance program. Obviously, every enterprise will implement Data Governance differently, mainly due to differing business objectives. Some enterprises might focus on data quality, others on customer-centricity, and still others on ensuring the privacy of sensitive customer data. Some organizations will embrace a formal Data Governance program, while others will want to implement something that is more lightweight and tactical.

Regardless of these details, every organization should perform certain steps to govern its data. The IBM Data Governance Unified Process shown in Figure 2.1 maps out these 14 major steps (ten required steps and four optional tracks), along with the associated IBM software tools and best practices to support an effective Data Governance program.

The ten required steps are necessary to lay the foundations for an effective Data Governance program. An enterprise will then select one or more of the four optional tracks, namely Master Data Governance, Analytics Governance, Security and Privacy, and Information Lifecycle Governance. Finally, the Data Governance Unified Process needs to be measured, and the results conveyed to executive sponsors, on a regular basis.

Let's walk through the steps in the figure in further detail:

• 1. Define the business problem.

The main reason that Data Governance programs fail is that they do not identify a tangible business problem. It is imperative that the organization defines the initial scope of the Data Governance program around a specific business problem, such as a failed audit, a data breach, or the need for improved data quality for risk-management purposes. Once the Data Governance program begins to tackle the identified business problems, it will receive support from the business functions to extend its scope to additional areas.

2. Obtain executive sponsorship.

It is important to establish sponsorship from key IT and business executives for the Data Governance program. The best way to obtain this sponsorship is to establish value in terms of a business case and "quick hits." For example, the business case might be focused on householding and name-matching, to improve the quality of data to support a customer-centricity program.

As with any important program, the organization needs to appoint an overall owner of Data Governance. Organizations have historically identified the chief information security officer as the owner of Data Governance. Today, however, the ownership of Data Governance tends to reside within the CIO's office, in either the business intelligence or data architecture area. Data Governance leadership might also reside with the chief risk officer, especially in banks. A growing number of enterprises are staffing Data Governance roles on a full-time basis, with titles such as "data steward" indicating the importance of treating data as an enterprise asset. Regardless of title, the responsibility assigned to this role must be high enough in the executive ranks to ensure that the Data Governance program drives meaningful change.

3. Conduct a maturity assessment.

Every organization needs to conduct an assessment of its Data Governance maturity, preferably on an annual basis. The IBM Data Governance Council has developed a maturity model based on 11 categories (discussed in Chapter 5), such as "Data Risk Management and Compliance," " Value Creation," and "Stewardship." The Data Governance organization needs to assess the organization's current level of maturity (current state) and the desired future level of maturity (future state), which is typically 12 to 18 months out. This duration must be long enough to produce results, yet short enough to ensure continued buy-in from key stakeholders.

4. Build a roadmap.

The Data Governance organization needs to develop a roadmap to bridge the gap between the current state and the desired future state for the 11 categories of Data Governance maturity. For example, the Data Governance organization might review the maturity gap for Stewardship and determine that the enterprise needs to appoint data stewards to focus on targeted subject areas such as customer, vendor, and product. The Data Governance program also needs to include "quick hits" — areas where the initiative can drive near-term business value.

5. Establish an organizational blueprint.

The Data Governance organization needs to build a charter to govern its operations, and to ensure that it has enough authority to act as a tiebreaker in critical situations. Data Governance organizations operate best in a three-tier format. The top tier is the Data Governance council, which consists of the key functional and business leaders who rely on data as an enterprise asset. The middle tier is the Data Governance working group, which consists of middle managers who meet more frequently. The final tier consists of the data stewardship community, which is responsible for the quality of the data on a day-to-day basis.

6. Build the data dictionary.

Effective management of business terms can help ensure that the same descriptive language applies throughout the organization. A data dictionary or business glossary is a repository with definitions of key terms. It is used to gain consistency and agreement between the technical and business sides of an organization. For example, what is the definition of a "customer"? Is a customer someone who has made a purchase, or someone who is considering a purchase? Is a former employee still categorized as an "employee"? Are the terms "partner" and "reseller" synonymous? These questions can be answered by building a common data dictionary. Once implemented, the data dictionary can span the organization to ensure that business terms are tied via metadata to technical terms, and that the organization has a single, common understanding.

7. Understand the data.

Someone once said, "You cannot govern what you do not first understand." Few applications stand alone today. Rather, they are made up of systems, and "systems of systems," with applications and databases strewn all over the enterprise, yet integrated, or at least interrelated. The relational database model actually makes matters worse by fragmenting business entities for storage. But how is everything related? The Data Governance team needs to discover the critical data relationships across the enterprise. Data discovery may include simple and hard-to-find relationships, as well as the locations of sensitive data within the enterprise's IT systems.

8. Create a metadata repository.

Metadata is data about data. It is information regarding the characteristics of any data artifact, such as its technical name, business name, location, perceived importance, and relationships to other data artifacts in the enterprise. The Data Governance program will generate a lot of business metadata from the data dictionary and a lot of technical metadata during the discovery phase. This metadata needs to be stored in a repository so that it can be shared and leveraged across multiple projects.

9. Define metrics.

Data Governance needs to have robust metrics to measure and track progress. The Data Governance team must recognize that when you measure something, performance improves. As a result, the Data Governance team must pick a few Key Performance Indicators (KPIs) to measure the ongoing performance of the program. For example, a bank will want to assess the overall credit exposure by industry. In that case, the Data Governance program might select the percentage of null Standard Industry Classification (SIC) codes as a KPI, to track the quality of risk management information.

These are the first nine required steps. The final required step is discussed later in this chapter. The enterprise also needs to select at least one of the four optional Data Governance tracks (Master Data Governance, Analytics Governance, Security and Privacy, and Information Lifecycle Governance).

Let's select the Master Data Governance optional track and walk through the application of its required sub-steps. The organization will need to ensure that the business problem (such as customer-centricity) is clearly articulated, and that executive sponsors are identified in the business and in IT. The organization will conduct a short Data Governance maturity assessment and define a roadmap. There needs to be some level of Data Governance organization to align the business and IT, to ensure near-term benefits. Business terms such as "customer" need to be clearly defined, especially if "customer" is one of the master data domains. The Data Governance organization needs to understand existing data sources and critical data elements. The business definitions, and the technical metadata from the discovery process, need to be captured within a metadata repository. Finally, the Data Governance organization needs to establish KPIs, such as a reduction in customer duplicates, to measure the ongoing performance of the Master Data Governance program.

The level of emphasis on the required steps will vary based on the optional tracks that have been selected for Data Governance. As an example, let's review how step 7 ("Understand the Data") might be applied differently, based on the optional track or tracks selected. The Master Data Governance track will involve understanding the critical data elements to facilitate the mapping of sources to targets. The Analytics Governance track will involve understanding the relationship between key reports and critical data elements. The Security and Privacy track will involve understanding the location of sensitive data. Finally, the Information Lifecycle Governance track will enable the enterprise to understand the location of business objects, such as customer, as a precursor to an archiving project.

We will discuss these topics in greater detail in subsequent chapters, so we will just cover a few sample questions and potential focus areas for the remainder of this chapter. Here is a short description of the optional tracks within the IBM Data Governance Unified Process:

---

Excerpted from The IBM Data Governance Unified Process by Sunil Soares. Copyright © 2010 IBM Corporation. Excerpted by permission of MC Press.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

---