The Six Questions
should ask about Data Governance
Steven B. Adler
IBM Data Governance Solutions
§ Structured
§ Unstructured
§ Metadata
§ Video, Audio, Multi-Media
§ Print, Email, and Archived
§ Software Code
§ Patents, IP
§ Protocols, Message
§ These are all digital assets
§ Corporate governance is about controlling human self-interest to benefit the common good:
§ Increased Revenue
§ Lower Costs
§ Reduced Risk
§ IT has become the engine for business innovation and growth and it must be governed to demonstrate contribution to the business bottom-
§ To govern IT effectively, the value of Data must be assessed, Risk calculated, outcomes measured and
Without Data Governance…
§ People make mistakes…
§ Those mistakes more
commonly result in losses
§ Those losses affect every
aspect of IT and business
§ But data is still an abstract
concept and governance
needs technology to be
The IBM Data Governance Council was formed in 2004
to explore enterprise challenges and develop solutions
Customers Business Partners Academia
Abbott Freddie Mac AirMagnet North Carolina State
ABN Amro Huntington Bank University
Alltel IBM CIO Office University
Axentis Bucerius Law School
American Express Key Bank Continuity Software
Bank of America MasterCard Guardium
Bank of Montreal Merrill Lynch Intellinx
Bank of Tokyo/Mitsubishi Monaris Lumigent
Bell Canada Novartis OpenPages
BITS Financial Services Nordea Bank Organizational Policy Inst.
Cadence Design Northwestern Mutual Paisley
Citigroup PNC RiskWatch
City of New York, FISA Regions Financial Corp. SecNap
Danske Bank TIAA-CREF Semantic Arts
Deutsche Bank TeliaSonera SPS Security
Discover Financial VP Securities Services Tizor
Equifax Washington Mutual Valid Technologies
Fannie Mae Wachovia ZANTAZ
The World Bank
There are Six Questions every organization should ask
themselves about Data Governance today
§ Do we have a Government?
§ Who is responsible for governing?
§ How do we share accountability across the enterprise?
§ How do we assess our situation?
§ Are benchmarks available?
§ How do we measure our Maturity?
§ What is our Strategy?
§ How do we get from here to there?
§ What do our CEO and Board want?
§ What is our data worth?
§ How much revenue is it producing?
§ How much does low quality data cost?
§ What are our vulnerabilities?
§ How do we calculate risk?
§ Which risks do we accept, mitigate, transfer?
§ How do we measure progress?
§ What do audits tell us?
§ How do we report results that matter?
07/31/07
1. Do we have a Government?
§ Who are the leaders?
§ What does the DG Committee look like?
§ What power centers should be at the table?
§ How many business representatives are in the
§ What is the charter of the group?
§ How are issues raised, discussed, and resolved?
§ How are requirements gathered?
§ How are policies communicated?
§ What are our legislative powers?
§ How do we govern?
A Government has these basic powers
§ To discourage behavior:
§ Make something expensive
§ Make something difficult to do
§ Make something illegal
§ To encourage behavior:
§ Make something cheaper
§ Make something easier to do
§ Make something legal
§ To record results:
§ GDP, CPI, etc.
What will our organization look like to exercise these
[Diagram labels: Executive Leadership; Decision Making Input; Data Governors; Policy Decisions; Requirements Definition; End Users, Customers, etc.]
represents an interest group and line of business within the organization and makes policy decisions on behalf of the interests and the enterprise. This ensures clear accountability for all aspects of data governance within each line of business as well as across the entire
2. How do we assess our situation?
§ Assessment criteria
§ Categories or Disciplines
§ Using existing assessments
§ Scope of effort
§ Public statements vs. internal reality
Elements of Effective Data Governance
Data Risk Management &
Organizational Structures & Awareness
Data Quality Management
Information Life-Cycle Management
Information Security and Privacy
Data Architecture
Classification & Metadata
Audit Information Logging & Reporting
How do DG domains come together
establish DG within an organization?
§ An organization can start with any of the 11 domains, and is
likely on the path to maturity for one or more of these
§ By grouping the 11 domains of Data Governance, for which
organizations can assess their current maturity, some
insight into how to establish a road map can be gained.
§ An initial high level grouping of DG domains, and showing
primary relationships between these groupings, may help
organizations to build a road map:
Examples of relationships between DG
1 & 2 Quality and Security/Privacy requirements for data need to be assessed
and managed throughout the information life-cycle
[Diagram: Data Quality Management, relationship 1, Information Life-Cycle Management, relationship 2, Information Security and Privacy]
3 Executive level endorsement and sponsorship is an enabler for stewardship of
information that requires standardization across processes and functional boundaries
4 Consistency in practice can be enabled through Stewardship when there are
Enterprise-level policies and standards in place for DG disciplines.
[Diagram: Organizational Structures & Awareness; Policy, relationship 4, Stewardship]
IBM Data Governance Maturity Model and Assessment
IBM has developed an assessment tool and maturity model to measure DG maturity
Key contributors to maturity:
§ Consistency
Business Transformation
• Continuous Improvement
• Innovation / Leadership
• Collective / Shared Efforts
• Consistent & Rigorous
• Significant Automation
• Consistent Performance
• Objectivity and Trust
• Advanced Tools / Usage
• Measured and Managed Efforts
• Understood / Shared Practices
• Consistent Application
• Improving Performance
• Advancing Technology
• Initial Process Definition
• Basic Infrastructure
• Project Discipline
• Automation Opportunities
• Lack of Processes
• Stand-alone Structures
• No Tracking /
• Heroic Efforts
• Ad Hoc Attempts
§ Today, 10 members of the Data Governance
Council are using the Maturity Model to transform
§ Bottom-up process transformation
§ Top-down governance models
§ Inside-out program funding
§ They use the Maturity Model to define what is in
scope for Data Governance, based on a
benchmark created by peers.
3. What is our Strategy?
§ Where do you want to be in 3 years?
§ What is the gap between where you are
§ What milestones, specific tactics, and KPIs?
§ How to get organizational support?
§ How to get Board support?
After the assessment, you need to benchmark
where you are and where you want to go
Build a Data Governance Vision
§ Minimum Requirements
§ Key Performance Indicators
§ Project Plans
§ Teams and structure
§ Enabling Technology
§ Desired Outcomes
Sell the Vision
§ To effect organizational change, everyone needs to
§ Getting everyone onboard can eat vast amounts of
time and become process overkill
§ New methods of community-based consultation and
eVoting are needed to get broad support for the
§ The CEO and Board are also important
4. What are our data assets worth?
§ How do we measure data quality?
§ What is the data landscape?
§ What is the data model?
§ What is metadata?
§ How does data contribute to business results?
§ How can we measure the ROI of data improvement
The Value of Data is Dependent Upon the Value of IT
§ Value is dependent on Price
§ You can’t tell the value of something if it doesn’t have a
§ IT is run like a Command Economy.
§ Budgets are allocated centrally
§ Projects are managed based on labor value and
infrastructure cost allocation
§ ROI is impossible to derive because there are no
market mechanisms to determine the price of IT.
In the Perfect World…
§ IT would buy hardware, software, and services from other vendors at
cost, mark them up, and resell those products to the business.
§ The business would negotiate prices with IT and each division would pay
new project, operational, and maintenance prices on all IT services.
§ IT would only have an investment budget based on business needs.
§ This would create an internal market for IT services similar to the real-
world external market.
§ The Value of IT would therefore be based on the utility of IT services.
§ The value of data could also be measured using Utility Theory, because
data management costs would be factored into IT prices.
What is the value of Data?
§ Data is worth whatever someone wants to pay for it:
§ $1 for the NY Times
§ $93 for a stolen identity
§ $259 for Windows Vista
§ $20 for a book on Amazon
§ $1.29 for a song on iTunes
§ $5 for 512 m² of land in Second Life
§ How do you calculate the value of enterprise data?
§ Build an enterprise marketplace and let data supply and user demand
set the internal price
§ Track data usage patterns to derive the Utility Value of Data
§ Record the revenue generated with use of the data and subtract the
utility price paid to calculate the net earnings on data (EOD)
Content Level Agreements
§ Content level agreements can contain numerous data
quality performance metrics with corresponding data
integrity and availability level objectives. Some examples
§ DQI (Data Quality Index): Index ratio of data quality.
§ DAR (Data Availability Rate): Percentage of time that
contracted data was available to “consumers”
§ DIR (Data Integrity Rate): Percentage of time that contracted
data was trusted and reliable.
§ DER (Data Error Rate): Number of data errors.
5. What are our vulnerabilities?
§ Security Risks
§ Regulatory Concerns
§ Different approaches in laws
§ Related documentation and administration
§ Bringing regulations and reality together
§ Reputation Risks
§ Misuse of data
§ Loss of Data
§ Risk of “bad” data
Data Risk Management Maturity
[Figure: maturity staircase. Level labels: Optimized; Level 4; Level 3 Defined; Level 2 Repeatable; Level 1 Initial. Text recovered from the figure follows.]
§ Find ways to leverage risk to corporate benefit.
§ Make decisions to predict and control:
§ Managed risks
§ Limited risks
§ Process change
§ Accountability
§ Budgeting
§ Combine with human behavior and “effect” data
§ Correlate and develop comprehensive Data Risk Assessment
§ Create context for
§ Collect, categorize, analyze all “actions
§ Broaden across multiple risk entities
§ “Bad Event” Driven
§ No predictability
§ No cause/effect
§ Implement, Monitor/Report, Adjust
§ Benefits from data
§ Risks “from” data
§ Risks “to” data
§ IT Project Risk?
§ Defect Errors
§ Process Mistakes
§ Governance risks
§ Implementation Risks?
§ Business Continuity
§ Service Level Agreements
§ Globalization Risks?
Alternative Risk Transfer
“Alternative Risk Transfer (often referred to as
ART) is the use of techniques other than
traditional insurance and reinsurance to provide
risk bearing entities with coverage or protection.
The field of ART grew out of a series of insurance
capacity crises in the 1970s through 1990s that
drove purchasers of traditional coverage to seek
more robust ways to buy protection.”
§ ART agreements can contain numerous risk metrics with
corresponding protection level objectives. Some examples
§ IRE (Incident Rate of Exposure): Percentage of incidents to
§ AIRT (Average Incident Response Time): Average time
(usually in seconds) it takes for an incident to be responded
to by the service desk.
§ CA (Coverage Amount): Amount of risk transfer from
department to organization on an aggregate basis.
§ RA (Reserve Amount): Amount of “premium” paid by each
department, based on past losses, to cover future exposures.
§ Security Agreement: Common agreements include
percentage of network uptime, power uptime, etc.
6. How do we measure progress?
§ Processes for capturing requirements
§ Processes for managing change
§ Processes for implementing policy
§ Using User Acceptance Test to measure how policy
maps to requirements
§ Monitoring policy compliance
§ Link to operational risk
What are we measuring?
§ Data Quality
§ Value of Data and IT Services
§ Probability of Risk
§ Policy Compliance
§ Regulatory Filings
§ Governance efficiency
§ Revenue Contributions
§ Cost Savings
Why CLA and ART
§ Because they provide market mechanisms to
price content and risk in an enterprise
§ Incentives and Disincentives to motivate behavior
§ Those market mechanisms provide governing
power to effect change
§ With that change comes accountability,
efficiency, and enlightenment
§ Without them, we are just guessing at the value
of data and the cost of risk.
Data Governance Balanced Scorecard
Element | Current | Desired | KPIs | Outcome
Organization | Traditional Structure (2) | community based self-governance (4) | # new ideas implemented | 78% employee satisfaction rate
Stewardship | Data Stewards only (2) | Stewardship in every discipline (3) | # stewardship communities | 125% more stewards
Policy | Ad-hoc policy management (1) | Structured policy management (3) | | 45% increase in reg. compliance
Data Quality | Spreadsheet-based DQ program (1) | Process oriented DG program (4) | Data utility index; Price of data | 24% reduction in fraud
Architecture | Stovepipes of data (1) | Federated and integrated (4) | Data availability index; Data supply ratio | Lower data management costs
Metadata | No metadata management (0) | End-to-end metadata management (4) | Business glossary; Metadata elements | 12% reduction in policy failure
Security | Enterprise Access Control | Context-based entitlements | # Incidents | 98% Customer satisfaction
Risk Management | Faith-based Risk (1) | Fact-based Risk Forecasting (4) | $ Capital Reserve; # Losses | 12% net underwriting profit
Value | Command Economy; Labor Theory (1) | Demand Economy; Utility Theory (5) | Efficiency of IT service pricing | 8% Net IT operating profit
ILM | Enterprise Backup (2) | Policy-based backup (3) | Retention/deletion ratio | 23 Terabytes saved
Audit | Quarterly Audits (1) | Automated self-assessments (5) | # Failures reported; # audits passed | 24% reduction in IT project failure