IBM data governance framework

Data governance

Published in: Economy & Finance

  1. 1. The Six Questions every Organization should ask about Data Governance Steven B. Adler IBM Data Governance Solutions adler1@us.ibm.com http://www.ibm.com/itsolutions/datagovernance
  2. 2. Why Data? Why Governance? § Governance: § Corporate governance is about controlling human self-interest to benefit the common good: § Increased Revenue § Lower Costs § Reduced Risk § IT has become the engine for business innovation and growth and it must be governed to demonstrate contribution to the business bottom-line. § To govern IT effectively, the value of Data must be assessed, Risk calculated, outcomes measured and constantly re-evaluated. § Data: § Structured § Unstructured § Metadata § Video, Audio, Multi-Media § Print, Email, and Archived § Software Code § Patents, IP § Protocols, Message Streams § These are all digital assets 07/31/07
  3. 3. Without Data Governance… § People make mistakes… § Those mistakes more commonly result in losses than hackers… § Those losses affect every aspect of IT and business § But data is still an abstract concept and governance needs technology to be improved…
  4. 4. The IBM Data Governance Council was formed in 2004 to explore enterprise challenges and develop solutions § Customers: Abbott; ABN Amro; Alltel; American Express; Bank of America; Bank of Montreal; Bank of Tokyo/Mitsubishi; Bell Canada; BITS Financial Services Roundtable; Cadence Design; Citigroup; City of New York, FISA; Danske Bank; Deutsche Bank; Discover Financial; Equifax; Fannie Mae; The World Bank; Freddie Mac; Huntington Bank; IBM CIO Office; Key Bank; MasterCard; Merrill Lynch; Monaris; Novartis; Nordea Bank; Northwestern Mutual; PNC; Regions Financial Corp.; TIAA-CREF; TeliaSonera; VP Securities Services; Washington Mutual; Wachovia § Business Partners: AirMagnet; Application Security; Axentis; Continuity Software; Guardium; Intellinx; Lumigent; OpenPages; Organizational Policy Inst.; Paisley; RiskWatch; SecNap; Semantic Arts; SPS Security; Tizor; Valid Technologies; ZANTAZ § Academia: North Carolina State University; Nova Southeastern University; Bucerius Law School
  5. 5. There are Six Questions every organization should ask themselves about Data Governance today § Do we have a Government? § Who is responsible for governing? § How do we share accountability across the enterprise? § How do we assess our situation? § Are benchmarks available? § How do we measure our Maturity? § What is our Strategy? § How do we get from here to there? § What do our CEO and Board want? § What is our data worth? § How much revenue is it producing? § How much does low quality data cost? § What are our vulnerabilities? § How do we calculate risk? § Which risks do we accept, mitigate, transfer? § How do we measure progress? § What do audits tell us? § How do we report results that matter?
  6. 6. 1. Do we have a Government? § Who are the leaders? § What does the DG Committee look like? § What power centers should be at the table? § How many business representatives are in the Council? § What is the charter of the group? § How are issues raised, discussed, and resolved? § How are requirements gathered? § How are policies communicated? § What are our legislative powers? § How do we govern?
  7. 7. A Government has these basic powers § To discourage behavior: § Make something expensive § Make something difficult to do § Make something illegal § To encourage behavior: § Make something cheaper § Make something easier to do § Make something legal § To record results: § Census § GDP, CPI, etc.
  8. 8. What will our organization look like to exercise these powers? § Each governor represents an interest group and line of business within the organization and makes policy decisions on behalf of the interests and the enterprise. § This ensures clear accountability for all aspects of data governance within each line of business as well as across the entire organization. § Diagram labels: Executive Leadership; Decision Making Input; Data Governors; Policy Decisions; Requirements Definition; Data Stewards; User Acceptance Testing; End Users, Customers, etc.
  9. 9. 2. How do we assess our situation? § Assessment criteria § Benchmarks § Categories or Disciplines § Using existing assessments § Scope of effort § Public statements vs. internal reality
  10. 10. Elements of Effective Data Governance § Outcomes: Data Risk Management & Compliance; Value Creation § Enablers: Organizational Structures & Awareness; Policy; Stewardship § Core Disciplines: Data Quality Management; Information Life-Cycle Management; Information Security and Privacy § Supporting Disciplines: Data Architecture; Classification & Metadata; Audit Information Logging & Reporting § Relationship labels between the groups: Requires; Enhance; Supports
  11. 11. How do DG domains come together to establish DG within an organization? § An organization can start with any of the 11 domains, and is likely on the path to maturity for one or more of these domains. § By grouping the 11 domains of Data Governance, for which organizations can assess their current maturity, some insight into how to establish a road map can be gained. § An initial high level grouping of DG domains, showing the primary relationships between these groupings, may help organizations to build a road map: § Outcomes § Enablers § Core Disciplines § Supporting Disciplines
  12. 12. Examples of relationships between DG Domains: § 1 & 2: Quality and Security/Privacy requirements for data need to be assessed and managed throughout the information life-cycle § 3: Executive level endorsement and sponsorship is an enabler for stewardship of information that requires standardization across processes and functional boundaries § 4: Consistency in practice can be enabled through Stewardship when there are Enterprise-level policies and standards in place for DG disciplines. § Diagram labels: Disciplines: Data Quality Management; Information Life-Cycle Management; Information Security and Privacy. Enablers: Organizational Structures & Awareness; Policy; Stewardship § Confidential Draft - not for distribution
  13. 13. IBM Data Governance Maturity Model and Assessment § IBM has developed an assessment tool and maturity model to measure DG maturity § Key contributors to maturity: § Rigor § Comprehensiveness § Consistency § Maturity model figure labels, top to bottom: Business Transformation • Continuous Improvement • Innovation / Leadership • Collective / Shared Efforts • Consistent & Rigorous • Significant Automation • Consistent Performance Measurement against Stated Goals • Objectivity and Trust • Advanced Tools / Usage • Measured and Managed Efforts • Understood / Shared Practices • Consistent Application • Improving Performance • Advancing Technology • Initial Process Definition • Basic Infrastructure Modeling • Project Discipline • Automation Opportunities • Lack of Processes • Stand-alone Structures • No Tracking / Management • Heroic Efforts • Ad Hoc Attempts
  14. 14. Customer Examples § Today, 10 members of the Data Governance Council are using the Maturity Model to transform their businesses § Bottom-up process transformation § Top-down governance models § Inside-out program funding § They use the Maturity Model to define what is in scope for Data Governance, based on a benchmark created by peers.
  15. 15. 3. What is our Strategy? § Where do you want to be in 3 years? § What is the gap from where you are today? § What milestones, specific tactics, and KPIs? § How to get organizational support? § How to get Board support?
  16. 16. After the assessment, you need to benchmark where you are and where you want to go
  17. 17. Build a Data Governance Vision § Minimum Requirements § Milestones § Key Performance Indicators § Project Plans § Teams and structure § Enabling Technology § Desired Outcomes § Timeframe
  18. 18. Sell the Vision § To effect organizational change, everyone needs to be onboard § Getting everyone onboard can eat vast amounts of time and become process overkill § New methods of community-based consultation and eVoting are needed to get broad support for the vision § The CEO and Board are also important
  19. 19. 4. What are our data assets worth? § How do we measure data quality? § What is the data landscape? § What is the data model? § What is metadata? § How does data contribute to business results? § How can we measure the ROI of data improvement projects?
  20. 20. The Value of Data is Dependent Upon the Value of IT § Value is dependent on Price § You can’t tell the value of something if it doesn’t have a market price § IT is run like a Command Economy. § Budgets are allocated centrally § Projects are managed based on labor value and infrastructure cost allocation § ROI is impossible to derive because there are no market mechanisms to determine the price of IT.
  21. 21. In the Perfect World… § IT would buy hardware, software, and services from other vendors at cost, mark them up, and resell those products to the business. § The business would negotiate prices with IT and each division would pay new project, operational, and maintenance prices on all IT services. § IT would only have an investment budget based on business needs. § This would create an internal market for IT services similar to the real-world external market. § The Value of IT would therefore be based on the utility of IT services. § The value of data could also be measured using Utility Theory, because data management costs would be factored into IT prices.
  22. 22. What is the value of Data? § Data is worth whatever someone wants to pay for it: § $1 for the NY Times § $93 for a stolen identity § $259 for Windows Vista § $20 for a book on Amazon § $1.29 for a song on iTunes § $5 for 512 m² of land in Second Life § How do you calculate the value of enterprise data? § Build an enterprise marketplace and let data supply and user demand set the internal price § Track data usage patterns to derive the Utility Value of Data § Record the revenue generated with use of the data and subtract the utility price paid to calculate the net earnings on data (EOD)
  23. 23. Content Level Agreements § Content level agreements can contain numerous data quality performance metrics with corresponding data integrity and availability level objectives. Some examples are: § DQI (Data Quality Index): Index ratio of data quality. § DAR (Data Availability Rate): Percentage of time that contracted data was available to “consumers”. § DIR (Data Integrity Rate): Percentage of time that contracted data was trusted and reliable. § DER (Data Error Rate): Number of data errors.
  24. 24. 5. What are our vulnerabilities? § Security Risks § Regulatory Concerns § Different approaches in laws § Related documentation and administration § Bringing regulations and reality together § Reputation Risks § Data leakage § Protected data § “Sensitive data” § Misuse of data § Loss of Data § Risk of “bad” data
  25. 25. Calculating Risks § Qualitative Analysis § Assessment § Prioritization § Weighting § Scoring § Quantitative Analysis § Causes and Trends § Incidents & Occurrences § Events § Claims § Losses § Probability Analysis
  26. 26. Data Risk Management Maturity § Levels: Level 1 Initial; Level 2 Repeatable; Level 3 Defined; Level 4 Managed; Level 5 Optimized § Descriptions, top to bottom of the diagram: § Find ways to leverage risk to corporate benefit. WIN! § Make decisions to predict and control: § Managed risks § Limited risks § Process change § Accountability § Budgeting § Combine with human behavior and “effect” data § Correlate and develop comprehensive Data Risk Assessment picture § Implement, Monitor/Report, Adjust § Create context for “bad events” § Collect, categorize, analyze all “actions of interest” § Broaden across multiple risk entities § “Bad Event” Driven § “Faith-Based” Fixes § No predictability § No cause/effect § Diagram labels: Risks “to” data; Risks “from” data; Benefits from data risk mgmt
  27. 27. Other Risks § IT Project Risk? § Defect Errors § Process Mistakes § Governance risks § Implementation Risks? § Interoperability § Deployment? § Business Continuity § Service Level Agreements § Globalization Risks?
  28. 28. Alternative Risk Transfer “Alternative Risk Transfer (often referred to as ART) is the use of techniques other than traditional insurance and reinsurance to provide risk bearing entities with coverage or protection. The field of ART grew out of a series of insurance capacity crises in the 1970s through 1990s that drove purchasers of traditional coverage to seek more robust ways to buy protection.” – Wikipedia
  29. 29. § ART agreements can contain numerous risk metrics with corresponding protection level objectives. Some examples are: § IRE (Incident Rate of Exposure): Percentage of incidents to occurrences. § AIRT (Average Incident Response Time): Average time (usually in seconds) it takes for an incident to be responded to by the service desk. § CA (Coverage Amount): Amount of risk transfer from department to organization on an aggregate basis. § RA (Reserve Amount): Amount of “premium” paid by each department, based on past losses, to cover future exposures. § Security Agreement: Common agreements include percentage of network uptime, power uptime, etc.
  30. 30. 6. How do we measure progress? § Processes for capturing requirements § Processes for managing change § Processes for implementing policy § Using User Acceptance Test to measure how policy maps to requirements § Monitoring policy compliance § Link to operational risk
  31. 31. What are we measuring? § Data Quality § Value of Data and IT Services § Probability of Risk § Policy Compliance § Regulatory Filings § Governance efficiency § Revenue Contributions § Cost Savings
  32. 32. Why CLA and ART § Because they provide market mechanisms to price content and risk in an enterprise § Incentives and Disincentives to motivate behavior § Those market mechanisms provide governing power to effect change § With that change comes accountability, efficiency, and enlightenment § Without them, we are just guessing at the value of data and the cost of risk.
  33. 33. Data Governance Balanced Scorecard (columns: Element; Current Maturity; Desired Maturity; KPIs; Outcome) § Organization: Current: Traditional Structure (2); Desired: community based self-governance (4); KPIs: # new ideas implemented; Outcome: 78% employee satisfaction rate § Stewardship: Current: Data Stewards only (2); Desired: Stewardship in every discipline (3); KPIs: # stewardship communities; Outcome: 125% more stewards § Policy: Current: Ad-hoc policy management (1); Desired: Structured policy management (3); Outcome: 45% increase in reg. compliance § Data Quality: Current: Spreadsheet-based DQ program (1); Desired: Process oriented DG program (4); KPIs: Data utility index, Price of data; Outcome: 24% reduction in fraud § Architecture: Current: Stovepipes of data (1); Desired: Federated and integrated (4); KPIs: Data availability index, Data supply ratio; Outcome: Lower data management costs § Metadata: Current: No metadata management (0); Desired: End-to-end metadata management (4); KPIs: Business glossary, Metadata elements; Outcome: 12% reduction in policy failure § Security: Current: Enterprise Access Control; Desired: Context-based entitlements; KPIs: # Incidents; Outcome: 98% Customer satisfaction § Risk: Current: Faith-based Risk Management (1); Desired: Fact-based Risk Forecasting (4); KPIs: $ Capital Reserve, # Losses; Outcome: 12% net underwriting profit § Value: Current: Command Economy, Labor Theory (1); Desired: Demand Economy, Utility Theory (5); KPIs: Efficiency of IT service pricing; Outcome: 8% Net IT operating profit § ILM: Current: Enterprise Backup (2); Desired: Policy-based backup (3); KPIs: Retention/deletion ratio; Outcome: 23 Terabytes saved § Audit: Current: Quarterly Audits (1); Desired: Automated self-assessments (5); KPIs: # Failures reported, # audits passed; Outcome: 24% reduction in IT project failure
  34. 34. Questions? Click on the questions tab on your screen, type in your question (and name if you wish) and hit send.