1. The Six Questions every Organization should ask about Data Governance
Steven B. Adler
IBM Data Governance Solutions
adler1@us.ibm.com
http://www.ibm.com/itsolutions/datagovernance
2. Why Data? Why Governance?
§ Data:
  § Structured
  § Unstructured
  § Metadata
  § Video, Audio, Multi-Media
  § Print, Email, and Archived
  § Software Code
  § Patents, IP
  § Protocols, Message Streams
  § These are all digital assets
§ Governance:
  § Corporate governance is about controlling human self-interest to benefit the common good:
    § Increased Revenue
    § Lower Costs
    § Reduced Risk
  § IT has become the engine for business innovation and growth and it must be governed to demonstrate contribution to the business bottom-line.
  § To govern IT effectively, the value of Data must be assessed, Risk calculated, outcomes measured and constantly re-evaluated.
07/31/07
3. Without Data Governance…
§ People make mistakes…
§ Those mistakes more commonly result in losses than hackers…
§ Those losses affect every aspect of IT and business
§ But data is still an abstract concept and governance needs technology to be improved…
4. The IBM Data Governance Council was formed in 2004 to explore enterprise challenges and develop solutions
§ Customers: Abbott; ABN Amro; Alltel; American Express; Bank of America; Bank of Montreal; Bank of Tokyo/Mitsubishi; Bell Canada; BITS Financial Services Roundtable; Cadence Design; Citigroup; City of New York, FISA; Danske Bank; Deutsche Bank; Discover Financial; Equifax; Fannie Mae; Freddie Mac; Huntington Bank; IBM CIO Office; Key Bank; MasterCard; Merrill Lynch; Monaris; Novartis; Nordea Bank; Northwestern Mutual; PNC; Regions Financial Corp.; TIAA-CREF; TeliaSonera; VP Securities Services; Washington Mutual; Wachovia; The World Bank
§ Business Partners: AirMagnet; Application Security; Axentis; Continuity Software; Guardium; Intellinx; Lumigent; OpenPages; Organizational Policy Inst.; Paisley; RiskWatch; SecNap; Semantic Arts; SPS Security; Tizor; Valid Technologies; ZANTAZ
§ Academia: North Carolina State University; Nova Southeastern University; Bucerius Law School
5. There are Six Questions every organization should ask itself about Data Governance today
§ Do we have a Government?
  § Who is responsible for governing?
  § How do we share accountability across the enterprise?
§ How do we assess our situation?
  § Are benchmarks available?
  § How do we measure our Maturity?
§ What is our Strategy?
  § How do we get from here to there?
  § What do our CEO and Board want?
§ What is our data worth?
  § How much revenue is it producing?
  § How much does low quality data cost?
§ What are our vulnerabilities?
  § How do we calculate risk?
  § Which risks do we accept, mitigate, transfer?
§ How do we measure progress?
  § What do audits tell us?
  § How do we report results that matter?
6. 1. Do we have a Government?
§ Who are the leaders?
§ What does the DG Committee look like?
§ What power centers should be at the table?
§ How many business representatives are in the
Council?
§ What is the charter of the group?
§ How are issues raised, discussed, and resolved?
§ How are requirements gathered?
§ How are policies communicated?
§ What are our legislative powers?
§ How do we govern?
7. A Government has these basic powers
§ To discourage behavior:
§ Make something expensive
§ Make something difficult to do
§ Make something illegal
§ To encourage behavior:
§ Make something cheaper
§ Make something easier to do
§ Make something legal
§ To record results:
§ Census
§ GDP, CPI, etc.
8. What will our organization look like to exercise these powers?
[Figure: organizational hierarchy, top to bottom: Executive Leadership; Data Governors; Data Stewards; End Users, Customers, etc. Labels in the figure: Decision Making Input; Policy Decisions; Requirements Definition; User Acceptance Testing.]
Each governor represents an interest group and line of business within the organization and makes policy decisions on behalf of the interests and the enterprise.
This ensures clear accountability for all aspects of data governance within each line of business as well as across the entire organization.
9. 2. How do we assess our situation?
§ Assessment criteria
§ Benchmarks
§ Categories or Disciplines
§ Using existing assessments
§ Scope of effort
§ Public statements vs. internal reality
10. Elements of Effective Data Governance
§ Outcomes
  § Data Risk Management & Compliance
  § Value Creation
§ Enablers
  § Organizational Structures & Awareness
  § Policy
  § Stewardship
§ Core Disciplines
  § Data Quality Management
  § Information Life-Cycle Management
  § Information Security and Privacy
§ Supporting Disciplines
  § Data Architecture
  § Classification & Metadata
  § Audit Information Logging & Reporting
[Figure: the four groups are connected by arrows labeled Requires, Enhance, and Supports.]
11. How do DG domains come together to establish DG within an organization?
§ An organization can start with any of the 11 domains, and is likely on the path to maturity for one or more of these domains.
§ Grouping the 11 domains of Data Governance, for which organizations can assess their current maturity, gives some insight into how to establish a road map.
§ An initial high level grouping of DG domains, showing the primary relationships between these groupings, may help organizations to build a road map:
  § Outcomes
  § Enablers
  § Core Disciplines
  § Supporting Disciplines
12. Examples of relationships between DG Domains:
§ 1 & 2: Quality and Security/Privacy requirements for data need to be assessed and managed throughout the information life-cycle
§ 3: Executive level endorsement and sponsorship is an enabler for stewardship of information that requires standardization across processes and functional boundaries
§ 4: Consistency in practice can be enabled through Stewardship when there are Enterprise-level policies and standards in place for DG disciplines.
[Figure: relationships 1 and 2 link Data Quality Management, Information Life-Cycle Management, and Information Security and Privacy (Disciplines); relationships 3 and 4 link Organizational Structures & Awareness, Policy, and Stewardship (Enablers).]
13. IBM Data Governance Maturity Model and Assessment
IBM has developed an assessment tool and maturity model to measure DG maturity
Key contributors to maturity:
§ Rigor
§ Comprehensiveness
§ Consistency
[Figure: maturity model, labeled Business Transformation, with the following characteristics listed from top to bottom:]
• Continuous Improvement
• Innovation / Leadership
• Collective / Shared Efforts
• Consistent & Rigorous
• Significant Automation
• Consistent Performance Measurement against Stated Goals
• Objectivity and Trust
• Advanced Tools / Usage
• Measured and Managed Efforts
• Understood / Shared Practices
• Consistent Application
• Improving Performance
• Advancing Technology
• Initial Process Definition
• Basic Infrastructure Modeling
• Project Discipline
• Automation Opportunities
• Lack of Processes
• Stand-alone Structures
• No Tracking / Management
• Heroic Efforts
• Ad Hoc Attempts
14. Customer Examples
§ Today, 10 members of the Data Governance Council are using the Maturity Model to transform their businesses
  § Bottom-up process transformation
  § Top-down governance models
  § Inside-out program funding
§ They use the Maturity Model to define what is in scope for Data Governance, based on a benchmark created by peers.
15. 3. What is our Strategy?
§ Where do you want to be in 3 years?
§ What is the gap between there and where you are today?
§ What milestones, specific tactics, and KPIs?
§ How to get organizational support?
§ How to get Board support?
17. Build a Data Governance Vision
§ Minimum Requirements
§ Milestones
§ Key Performance Indicators
§ Project Plans
§ Teams and structure
§ Enabling Technology
§ Desired Outcomes
§ Timeframe
18. Sell the Vision
§ To effect organizational change, everyone needs to be onboard
§ Getting everyone onboard can eat vast amounts of
time and become process overkill
§ New methods of community-based consultation and
eVoting are needed to get broad support for the
vision
§ The CEO and Board are also important
19. 4. What are our data assets worth?
§ How do we measure data quality?
§ What is the data landscape?
§ What is the data model?
§ What is metadata?
§ How does data contribute to business results?
§ How can we measure the ROI of data improvement
projects?
20. The Value of Data is Dependent Upon the Value of IT
§ Value is dependent on Price
§ You can’t tell the value of something if it doesn’t have a
market price
§ IT is run like a Command Economy.
§ Budgets are allocated centrally
§ Projects are managed based on labor value and
infrastructure cost allocation
§ ROI is impossible to derive because there are no
market mechanisms to determine the price of IT.
21. In the Perfect World…
§ IT would buy hardware, software, and services from other vendors at
cost, mark them up, and resell those products to the business.
§ The business would negotiate prices with IT and each division would pay
new project, operational, and maintenance prices on all IT services.
§ IT would only have an investment budget based on business needs.
§ This would create an internal market for IT services similar to the real-
world external market.
§ The Value of IT would therefore be based on the utility of IT services.
§ The value of data could also be measured using Utility Theory, because
data management costs would be factored into IT prices.
22. What is the value of Data?
§ Data is worth whatever someone wants to pay for it:
§ $1 for the NY Times
§ $93 for a stolen identity
§ $259 for Windows Vista
§ $20 for a book on Amazon
§ $1.29 for a song on iTunes
§ $5 for 512 m² of land in Second Life
§ How do you calculate the value of enterprise data?
  § Build an enterprise marketplace and let data supply and user demand set the internal price
  § Track data usage patterns to derive the Utility Value of Data
  § Record the revenue generated with use of the data and subtract the utility price paid to calculate the net earnings on data (EOD)
23. Content Level Agreements
§ Content level agreements can contain numerous data
quality performance metrics with corresponding data
integrity and availability level objectives. Some examples
are:
§ DQI (Data Quality Index): Index ratio of data quality.
§ DAR (Data Availability Rate): Percentage of time that
contracted data was available to “consumers”
§ DIR (Data Integrity Rate): Percentage of time that contracted
data was trusted and reliable.
§ DER (Data Error Rate): Number of data errors.
24. 5. What are our vulnerabilities?
§ Security Risks
§ Regulatory Concerns
  § Different approaches in laws
  § Related documentation and administration
  § Bringing regulations and reality together
§ Reputation Risks
  § Data leakage
  § Protected data
  § “sensitive data”
  § Misuse of data
  § Loss of Data
  § Risk of “bad” data
26. Data Risk Management Maturity
[Figure: maturity staircase with Level 1 Initial, Level 2 Repeatable, Level 3 Defined, Level 4 Managed, and Level 5 Optimized. Progression labels: Risks “to” data; Risks “from” data; Benefits from data. Text in the figure:]
§ “Bad Event” Driven; “Faith-Based” Fixes; No predictability; No cause/effect
§ Collect, categorize, analyze all “actions of interest”
§ Create context for “bad events”
§ Broaden across multiple risk entities
§ Correlate and develop comprehensive Data Risk Assessment picture
§ Combine with human behavior risk mgmt and “effect” data
§ Implement, Monitor/Report, Adjust
§ Make decisions to predict and control: Managed risks; Limited risks; Process change; Accountability; Budgeting
§ Find ways to leverage risk to corporate benefit. WIN!
27. Other Risks
§ IT Project Risk?
§ Defect Errors
§ Process Mistakes
§ Governance risks
§ Implementation Risks?
§ Interoperability
§ Deployment?
§ Business Continuity
§ Service Level Agreements
§ Globalization Risks?
28. Alternative Risk Transfer
“Alternative Risk Transfer (often referred to as
ART) is the use of techniques other than
traditional insurance and reinsurance to provide
risk bearing entities with coverage or protection.
The field of ART grew out of a series of insurance
capacity crises in the 1970s through 1990s that
drove purchasers of traditional coverage to seek
more robust ways to buy protection.”
– Wikipedia
29. § ART agreements can contain numerous risk metrics with
corresponding protection level objectives. Some examples
are:
§ IRE (Incident Rate of Exposure): Percentage of incidents to
occurrences.
§ AIRT (Average Incident Response Time): Average time (usually in seconds) it takes for an incident to be responded to by the service desk.
§ CA (Coverage Amount): Amount of risk transfer from
department to organization on an aggregate basis.
§ RA (Reserve Amount): Amount of “premium” paid by each
department, based on past losses, to cover future exposures.
§ Security Agreement: Common agreements include
percentage of network uptime, power uptime, etc.
30. 6. How do we measure progress?
§ Processes for capturing requirements
§ Processes for managing change
§ Processes for implementing policy
§ Using User Acceptance Test to measure how policy
maps to requirements
§ Monitoring policy compliance
§ Link to operational risk
31. What are we measuring?
§ Data Quality
§ Value of Data and IT Services
§ Probability of Risk
§ Policy Compliance
§ Regulatory Filings
§ Governance efficiency
§ Revenue Contributions
§ Cost Savings
32. Why CLA and ART
§ Because they provide market mechanisms to
price content and risk in an enterprise
§ Incentives and Disincentives to motivate behavior
§ Those market mechanisms provide governing power to effect change
§ With that change comes accountability,
efficiency, and enlightenment
§ Without them, we are just guessing at the value
of data and the cost of risk.
33. Data Governance Balanced Scorecard
Columns: Element; Current Maturity; Desired Maturity; KPIs; Outcome (maturity level in parentheses)
§ Organization. Current: Traditional Structure (2). Desired: community based self-governance (4). KPIs: # new ideas implemented. Outcome: 78% employee satisfaction rate.
§ Stewardship. Current: Data Stewards only (2). Desired: Stewardship in every discipline (3). KPIs: # stewardship communities. Outcome: 125% more stewards.
§ Policy. Current: Ad-hoc policy management (1). Desired: Structured policy management (3). Outcome: 45% increase in reg. compliance.
§ Data Quality. Current: Spreadsheet-based DQ program (1). Desired: Process oriented DG program (4). KPIs: Data utility index; Price of data. Outcome: 24% reduction in fraud.
§ Architecture. Current: Stovepipes of data (1). Desired: Federated and integrated (4). KPIs: Data availability index; Data supply ratio. Outcome: Lower data management costs.
§ Metadata. Current: No metadata management (0). Desired: End-to-end metadata management (4). KPIs: Business glossary; Metadata elements. Outcome: 12% reduction in policy failure.
§ Security. Current: Enterprise Access Control. Desired: Context-based entitlements. KPIs: # Incidents. Outcome: 98% Customer satisfaction.
§ Risk. Current: Faith-based Risk Management (1). Desired: Fact-based Risk Forecasting (4). KPIs: $ Capital Reserve; # Losses. Outcome: 12% net underwriting profit.
§ Value. Current: Command Economy; Labor Theory (1). Desired: Demand Economy; Utility Theory (5). KPIs: Efficiency of IT service pricing. Outcome: 8% Net IT operating profit.
§ ILM. Current: Enterprise Backup (2). Desired: Policy-based backup (3). KPIs: Retention/deletion ratio. Outcome: 23 Terabytes saved.
§ Audit. Current: Quarterly Audits (1). Desired: Automated self-assessments (5). KPIs: # Failures reported; # audits passed. Outcome: 24% reduction in IT project failure.
34. Questions?
Click on the questions tab on your screen, type in your
question (and name if you wish) and hit send.