We at Kalido frequently describe data governance as the business process of managing data assets. Data governance processes are day-to-day activities no different than other end-to-end business processes like order-to-cash and procure-to-pay. Data policies are the instruments of data governance; therefore, activities of data governance should be based on the lifecycle of data policies. We can divide these activities into three sequential steps: policy definition, policy implementation and policy enforcement.
Many data policies are, in effect, service level agreements (SLA) between multiple parties, including data providers and data consumers. In the billing address example I discussed in my last blog, Order Entry process is one of the “Providers” of data, and Invoicing is the “Consumer” of data. The agreement holds the Providers accountable to a certain standard. The Consumer defines a set of needs linked to expressed business benefits, and the Providers agree to meet these needs. If there are multiple providers, such as a third party or Customer Service who may also enter customer billing addresses, then all providers need to sign up to the SLA. The process of creating and changing policies involves multiple steps and multiple stakeholders. Policies may need approval by the Data Governance Council. A crude analogy is that Policy Definition is similar to the legislative process of making laws.
After a policy is defined and approved, the next step is implementation. Individuals affected need to be notified of the new policy. The audience is often much broader than the key stakeholders involved in policy definition. This is particularly true for policies that deal with human behavior. In the billing address example, we would notify all the order entry clerks, and sales representatives, and any other parties that can create and modify customer data and order data. They need to know that they’re accountable for ensuring the correct billing address is entered into the system. The policy covers outsourced business processes and third-party data providers and holds them accountable for the data they produce.
In addition to notifying the business side, a policy may call for changes to IT systems. An executive at a healthcare insurance company once explained to me a data governance problem he faced. His company receives the entire US Postal Service (USPS) address file. For free. USPS also issues a postal “Change of Address” file on a regular basis. Companies that receive data from USPS are required to apply the change of address files in a timely manner to all the databases where customer addresses are stored. This requirement can be defined as a policy for the benefit of regulatory compliance. The owners of all systems that store customer addresses need to be notified of the policy, and they need to commit to making the required changes within a certain timeframe.
Once a policy is implemented, it needs enforcement. How would we enforce our example policy for customer billing address? One way is to put in place an automated monitoring mechanism. For example, we can put a process in place on the database that Invoicing uses to look at whether each order to be invoiced indeed has a valid billing address. This monitoring process needs to be executed regularly – daily or weekly – to report violations. Depending on severity, violation could trigger remediation steps, which should also be treated as a business process involving data stewards, business process owners and IT.
Finally, the compliance data generated by the monitoring process needs to be collected, compiled and reported on. These metrics provide the entire organization information on the overall state of data assets, highlighting their trustworthiness. We can see if improvements are being made. And, we can use these metrics to hold the parties that have agreed to policies accountable.
In my next blog, I’ll write about how to organize for data governance.
This blog is part 5 of a multi-part series of blogs on the topic of Enterprise Data Governance. To read other posts from this series, please see below.