Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Data Management Strategies - Speakers Notes


Published on

Speakers notes from my speaking at the Fijian Institute of Accountants Technical Workshop.

Fiji is a Very Nice Place.

Published in: Business, Technology
  • Be the first to comment

Data Management Strategies - Speakers Notes

  1. 1. 1 SLIDE ONE: TITLE SLIDE Good morning and welcome to this session discussing data management strategies. Today’s session is intended to introduce approaches you can take to ensuring that the data that underlies your business is fit for the purpose for which you intend it. This requires an alignment of organisational intent with technical skills and capabilities. SLIDE TWO: INTRODUCTION [No speaking points] SLIDE THREE: ABOUT THIS PRESENTATION
  2. 2. 2 Now, in order to discuss how your business can ensure that data is managed appropriately, this presentation discusses strategies to manage data, and discusses how to ensure that data is managed and controlled appropriately. This presentation also discusses some of the issues that I have seen in practice relating to sustainable management of data. This, in the end, comes back to ensuring that the business has the appropriate effort spent on data governance and management for its needs. There are standard practices that can be adopted, and it is intended today to introduce some of these to you. In discussing this presentation, I should acknowledge that some of the material presented in this discussion was supported under the Australian Research Council's Linkage Projects funding scheme (project number LP0882068). Some of this material relates to the research work that I am carrying out through a relationship with the University of Queensland and the Australian Research Council. In presenting this material, I want to communicate some very real issues that I have seen in past practice. Some of this will be a little humorous, some of it less so. You’ll see what I mean when we get to those bits! SLIDE FOUR: AGENDA In examining data quality, it is very easy to become ‘hyper-focussed’ on having good quality data. We all know that data is clearly an important business resource. In avoiding becoming ‘hyper- focussed’ on data quality, please remember that you are pursuing data quality for a utilitarian purpose.
  3. 3. 3 The data that we manage must be important to the business and its senior team, including the business owners. Data must be fit for purpose and help the business. That is the measure of good data quality. In many ways, this discussion links to my presentation tomorrow on key performance indicators – it is not possible to have key performance indicators that work well without having good-quality underlying data. In approaching the problem of data quality, be aware of the dangers of attempting to improve the quality of all your data all at once. For all but the most special of organisations this ‘big bang’ approach is doomed to fail. The business must want data quality, and the approach to your data quality must be aligned with your business strategy. It is not costless to improve data quality, and in fact it is quite the reverse. Data quality is not an end in itself. This presentation provides an approach and a toolset to advance the state of data management in your business through data governance so that the data you have is accurate and useful. This presentation explores the meaning of data governance, its impact upon the business, and how to develop a strategic program of works that builds the business’s data governance. The aim is to develop an improved data quality framework that works, which is a framework of practices and procedures that align data quality practices with the business’ strategic need for data quality. The emphasis here is on governance as a set of rules for governing data quality processes, and our strategy is the way we direct day to day activities to ensure alignment with the business. The agenda set out here takes us through a journey of what data management means for accountants, how we can recognise data governance as a strategic need, and then a program of works that we can use to develop our data management practices further.
  4. 4. 4 SLIDE FIVE: DATA MANAGEMENT AND ACCOUNTANTS SLIDE SIX: ACCOUNTING COMPLIANCE REQUIREMENTS Us accountants like our rules and regulations, and in this day and age nothing affects us quite like the computer. Yet our standards only have very little to actually say on our use of the computer. ISA315 merely asks the auditors to have ‘an understanding’ of information systems relevant to financial reporting. This is in stark contrast to the Sarbanes-Oxley approach in the United States, which requires a much more interventionist and prescribed approach to knowing where the data itself comes from. In any event, if we are going to get good data that is useful to our business, we need to focus on more than ‘just financial data’. The financial data is important, but frequently it tells us what happened, rather than, perhaps, how it happened. We can use this data for decision-making and performance monitoring, before it affects the financial bottom-line. Let us discuss some illustrative examples that highlight some of the issues we are talking about here.
  5. 5. 5 SLIDE SEVEN: TALES FROM THE DATA VAULT Blue screen of death The ‘blue screen of death’ – I’m sure you’re quite familiar with it! One former client had had the software for their management information system installed twice. When the software was updated, however, only one installation was updated – and the other wasn’t. This meant that one half of the office had computers that updated the data in one way – and the other half, didn’t. This wasn’t noticed for about a year, when the computers started to blue-screen regularly. By this time of course their data was thoroughly nonsensical and required extensive cleaning. Networking and wiring technology Well, I think this picture kind of illustrates the point rather well. There is not a lot of point investing in good data management strategies if your technology platform is a bit, well, fragile. Ask yourself, what happens if one of these wires were to get pulled out? Hmm. Every computer should have one of these Now, clearly every computer should have one of these. I’ll tell you the story of my earlier career. It was a private school that I worked at, and every three months a newsletter was sent out to the alumni. Now, the program we used
  6. 6. 6 was, shall we say, immature. It wasn’t really ready for prime time yet, although we had been using it for three years. That was probably a mistake. However, we were using it. Because it was immature, the programmer was always making changes. ‘Tailoring’ I believe it may have been called. He made one little change. A teensy change. And it sent the program that gathered addresses for the quarterly mailing for a loop so that, when it came to a postal address, it kept using that postal address for every person that followed that person (until the next postal address). I checked it. The director of business development checked it. His secretary checked it. No-one noticed. They all got mailed out. All 11,000 of them. We didn’t know until the postmaster in Chinchilla rang us the next day and said, “Hey, did youse guys really want me to put 340 copies of your newsletter into Charlie’s PO Box?”. And then the bloke in Townsville. And then... well, you get the picture. A panic button would have been very helpful on that day. Remembering when? I don’t know if you remember these things on the left here. They’re 5¼ inch floppy disks. Positively of absolutely no use now. I don’t think I’ve seen one in ten years. In my old firm, we used to store a great deal of data on Zip-disk drives. Again – you can’t really buy those now either. My old firm also used to scan its client files to Microfilm. Then Microfiche. Then Canoscan OM disks. Then the disk reader broke, and you can’t buy a new one. And – nightmare of nightmares! – we were sued! Where were our file notes to prove we were in the right? That’s right, they’d all been scanned to OM disks. On a machine that had since blown up.
  7. 7. 7 Now I can tell you, we put a lot of effort in getting that data back – and we did do it. The legal action against the firm failed, at least partly on the basis of the information contained in those file notes. Blast from the past Again, do you remember these things? A great deal of data went on those too – mind you, unlike floppy disks, THESE still work (so long as the archives with your paper in haven’t burnt to the ground or been flooded by now). Because of these issues, I can today show you more of my work from 1986 – before I moved to new-fangled computers! – than from my four year university degree and the entire decade of the 1990s (at which time, I stopped archiving off to floppy disks!). By the way, that’s a great little machine – I doubt that my notebook will be as good when it is 45 years old. Quix! Type in wez had all our injekshuns Now I don’t know how true this story is, but it’s a good one so we’ll run with that. There was a multinational company based in Europe, and its database design was built in France, so all those ‘yes/no’ data fields were coded as ‘o’ for oui and ‘n’ for non. Unfortunately the training when they rolled out to Greece was not so good, although everyone used the database. Unfortunately, in Greek, ‘o’ is for no, and ‘n’ is for yes. Again, fantastic data quality. User dues We are our own worst enemy. Possibly the biggest threat to your data – whether incompetent by malicious intent, or just by their good nature, the
  8. 8. 8 users of information systems can find ways to muck your data up that will make your toes curl. I am thinking of one agency that was spending in excess of one billion dollars on infrastructure – this required property resumptions. To record its discussions and negotiations with property-owners, the QA manager decided that a spreadsheet would be the most appropriate approach to record the negotiations and decisions made by its field agents. The system allowed the final outcomes of negotiations to be recorded, but had no real method for recording the decisions made. The information was contained inside many spreadsheets and could easily be overwritten by the end users. SLIDE EIGHT: DEFINITIONS Now, in the context of this presentation, the following definitions apply: Data Quality: measures the data’s fitness for the intended use in operations, decision making & planning Governance: is a set of accountabilities, processes, and auditable and measurable controls that ensure the business is on track to achieve its objectives Data Governance: is therefore a set of accountabilities, processes, and auditable and measurable controls to ensure the business is on track to achieve its data quality objectives Data Quality Frameworks: These frameworks provide structure to data quality activities and allow assessment of data quality Data quality is principally about fitness for purpose. This is a broad definition, but it goes to the heart of the matter. If the data is fit for the purpose for which it is intended, then data quality is generally sufficient. However, businesses frequently use data for decision-making that it absolutely does not support.
  9. 9. 9 For example, a client once had developed several information systems to manage its business functions. This client was an agency focussed upon the management of personal relationships with the government, and frequently aggregated the data from the different information systems to inform the development of government policy responses to social issues. Unfortunately, the different systems used different attributes to describe the people in care – in one system, there were three ethnicities (Indigenous, Torres Strait Islander, and ‘other’), while another system had twelve ethnicity codes. This approach made sense for each individual system, and the data was fit for the purpose initially envisaged. Problems arose, however, when the data was used to support decisions it was not originally intended for. Similarly, this client was responsible for maintaining a spreadsheet of people who were considered a ‘threat to the community’. Unfortunately, this information was derived from the three information systems, and was manually maintained. At the time of our review the master spreadsheet had not been revised for six months – data that loses accuracy, timeliness and relevance. There are several core components to the concepts of data governance. Firstly, ‘governance’ is not about the specific actions to be taken, it is about who is accountable for those actions, what processes are followed, and how these actions are measured. Secondly, the aim is to meet the business’s data quality objectives. If those objectives are not set out, or are at odds with the aims of the data quality framework, then data governance is poor. SLIDE TEN: THE REASONS WHY In order to advance data governance, it is absolutely essential that the business strategy is understood. There are very good business reasons for improving data quality frameworks through good data governance, which can be analysed in terms of ‘compliance’ frameworks (required by a standard or
  10. 10. 10 law) and ‘incentive’ frameworks (whereby it can be seen that IT governance provides a positive return to the business, even when it is not required). On this list of compliance frameworks, Control Objectives for IT (COBIT) and Sarbanes-Oxley are both audit standards. Neither has a direct ‘black and white’ legislative effect in Australia, although they are both influential for Australian businesses. COBIT is managed and developed by the Information Technology Governance Institute. The Information Systems and Audit Control Association originally developed COBIT in order to assess the controls over information technology and the information managed by it. COBIT is an audit standard for IT governance, and a very small part of that standard is devoted to data management and data quality. Financial auditors use COBIT when assessing the controls over information technology as part of a financial audit. These control objectives become important for complex audits, and where the auditor feels unable to consider information technology to be a ‘black box’ that can safely be ignored. For a financial auditor, if the controls over the accounting system are inadequate and unreliable, then there is little prospect that the auditor can place reliance upon the information produced from that accounting system. The COBIT standard may be applied to larger organisations that require complex audits. However, there is no legislative requirement that this be followed, and its application is generally left to the professional judgment of the auditor. Sarbanes-Oxley is, again, a standard that is not generally relevant for non-UScompanies, as it is US- based legislation. However, it should be noted that US legislation generally attempts to be as inclusive as it possibly can, and wholly-owned subsidiaries of US firms operating elsewhere are required to achieve SOx compliance if the parent company is subject to Sarbanes-Oxley.
  11. 11. 11 S404 of the Sarbanes-Oxley Act requires a management assessment of internal controls. In practice, the auditor must be certain of the provenance of financial data, and so controls over feeder systems through to the financial information systems are relevant. Generally, auditors have tended to be conservative in their application of S404 – so although not all systems need be tested every year, auditors err on the side of caution in these instances. Of interest is speculation that overseas companies may be captured by the operation of S404 if those companies produce information that passes information (not necessarily financial!) to the financial information systems of a US company. Sarbanes-Oxley affects Australian companies with significant business-to-business relationships with US companies (e.g. joint ventures). In Australia, the Stock Exchange has rules for listed companies, although these are not particularly onerous in this context. Principle 2 requires that the board of the business is structured to add value, whilst Principle 7 requires that the board recognise and manage risk. As for the management of risk, it is true that poor data quality can result in poor business decisions, but generally data quality seems to be the last thing on the minds of board members and the senior executive team. Until, that is, poor data quality results in a bad business decision or a crisis. There needs to be a story to motivate the senior team about data quality. My stories would include the time a school sent academic reports to the estranged father of a child. The father was the subject of a domestic violence order and was not to know where the student attended the school. Or the time the accounting firm kept inviting the managing director of a very major client to seminars and presentations, despite the fact he had died six months previously. Or Queensland Police Service, where if the information provided to their people on the streets by 000 is wrong, people die. There is also the story of the managing director of a listed company with $16 million turnover. He received an audit letter that was 32 pages in length, mostly due to poor information security and data quality, and yet refused to upgrade the accounting system from MYOB.
  12. 12. 12 Privacy legislation requirements apply to the data that we gather, and there is of course an Australian and international standard on IT Governance (AS8015-2005; ISO/IEC 38500) and AS4360:2004 is the Australian standard on Risk Management. Amongst other requirements, there is also the act to counter spam and the counter-terrorism act, the credit card companies impose their own restrictions, and if you are an accountant there is the new money-laundering act, all of which provide for harsh penalties for breaches by directors. However, there is generally no hard-and-fast requirement for data quality in Australia, and so you need to build the business case for data quality judiciously. There is the assertion by Weill & Ross (2004) that good IT governance practices provide a higher return on assets for businesses than businesses without good IT governance practices. Generally, though, you will need to build the case for the improvement of data quality on the basis of your business. Unfortunately for those of us that want to see good data, the Sarbanes-Oxley experience shows that penalties (both civil and criminal) seem to be a primary motivator in getting a focus on data quality in businesses. SLIDE ELEVEN: ACCOUNTANTS AND SPREADSHEETS Us accountants also love our spreadsheets. We love to work with them and use them all the time, and there are very good reasons for that. Spreadsheets contain a lot of the corporate information that we use to guide decision-making.
  13. 13. 13 However, spreadsheets are notoriously unreliable. There are frequent errors and problems with the formulas that we use. It’s not ‘just a spreadsheet’ if we use it to make important business decisions, and we need to know and understand where the data that we are using has come from. The spreadsheet should have internal controls and methods of validation as well – it is still a system and needs appropriate controls, checks and balances. I always use an ‘IIF’ formula to cross-reference my totals and flag exceptions, or conditional formatting is useful as well, as I am sure you know. Although it is ‘just a spreadsheet’ we should look to build into the spreadsheet its integrity. Additionally, where the spreadsheet uses data from other systems, understand where that data has come from, and ensure that you know its security, its integrity, its effectiveness and its efficiency. There are several inherent problems with a spreadsheet, though. Firstly, by its nature a spreadsheet is not exactly multi-user. We tend to make a copy of data in a spreadsheet, and then update that data rather than updating the source. Or, the spreadsheet quickly becomes out of date. A client of mine once had 28 staff working for it, from the CEO down to the janitor. That business had 84 databases of some description – none of which was particularly well-maintained, nor current! Spreadsheets do provide a very simple way of transporting data around – unfortunately this strength is also a weakness. Once data has been placed into a spreadsheet, any controls you might have created over access to it are generally ignored from then on. It becomes an unmanaged data repository – and frequently a considerable one at that. Incidentally, as accountants we are often guilty of using spreadsheets to meddle with dark forces. Forces we perhaps don’t understand. Now, you can stretch a spreadsheet’s functionality to address some of these issues. My brother-in-law – bless his little cotton-socks! – uses multi-user spreadsheets in all complex manner of ways. He has his sales managers in different sites enter the daily sales and other key bits of information into the same spreadsheet, which he then runs a macro over it to pick up
  14. 14. 14 the data that he wants. Yes you can modify a spreadsheet to do these things, with ODBC links and other automation elements. However, eventually, what you have done is strap a jet engine to a Volkswagen Beetle. It can be done, sure, but who would want to drive it? A spreadsheet is a very good tool for what it was designed for, but it is not a database. I have seen many accountants build very complex inter-related spreadsheets when, really, the tool to use should have been a proper database. Please, bear this in mind if your spreadsheets are becoming too fragile and unwieldy! SLIDE TWELVE: ALIGNING EFFORT AND NEED [No speaking points] SLIDE THIRTEEN: DO WHAT THE BUSINESS NEEDS The diagram here shows the relationship between the effort you put into managing data quality and the expected impact on the business. The red circles indicate an unsustainable mismatch of the effort put into data quality and the impact upon the business. The need to build the business case for data quality means that the alignment of data quality practices with the needs of the business is paramount. There is very little point in pursuing data quality as an end in itself if it has little benefit for the business. Focus is needed to get the most business impact from your strategic effort.
  15. 15. 15 SLIDE FOURTEEN: CORPORATE GOVERNANCE AND DATA Your average board is comprised of accountants, lawyers, and sometimes an ex-politician or two. Given the focus of directors’ duties on compliance with financial standards, and the general background of boards, it is probably no surprise that businesses are very good at managing financial assets and physical assets, and quite poor at most of the other key assets of the business. To advance data quality, we need to bring this issue to appropriate prominence. It starts with the board, which will need to ensure accountability, monitor and supervise the actions of the senior executive team, decide strategic actions, and make policy. If, at this time, the board sees no role for data quality within the business, then that needs to be changed if data governance is to be advanced. The senior executive team needs to set out the business strategy – which must include the objectives for data quality – and decide who has input into the approach. Data quality needs to be on the board’s agenda – it does not need to be the board’s agenda, but it does need to be on it. This means that we adopt governance groups and governance processes to ensure data quality stays top-of-mind.
  16. 16. 16 SLIDE FIFTEEN: GOVERNANCE GROUPS When approaching governance groups that you can use for sorting out data quality, the mechanisms you use need to be compatible with your business and the way it approaches the questions of IT management. A steering committee is unlikely to work well if the rest of the IT approach – or the rest of the business - is undertaken in an anarchistic manner. However, key governance groups and processes include: Applications board Information Steering Committee Board Risk and Audit Committee Governance Calendar Balanced Scorecard The key here is that there needs to be a way to manage data quality, and it needs to be monitored by the people that matter.
  17. 17. 17 SLIDE SIXTEEN: INTEGRATING IT PLANS INTO BUSINESS STRATEGY This process is a rational one, and essentially requires that the gap is identified between the current approach and business requirements, and then the gap is closed. Unfortunately there are common flaws that exist in the approach by business: Where there is no direction by the business, IT fills the gap as it sees fit. The approach is completely out of alignment with the business Personal or political agendas cloud the approach There is no way of closing the loop with feedback so that the current ‘flavour of the month’ continues to be monitored once it is no longer the flavour of the month. A business decision
  18. 18. 18 Data quality is a business issue. A forum and a process are needed to synthesise a whole-of-business approach. The responsibilities of the Chief Information Officer include the development of business- driven IT strategy and the monitoring of ICT service delivery. This includes the development of the data governance approach and the strategy for data quality. The CIO does have a role to input into business strategy in terms of identifying business opportunities. As a supporting business function, though, in practical terms the CIO must engage with the business functions of HR, Finance, and Marketing once they have developed their specific plans, and then identify the Business IT Strategic Plan. This will include the data quality strategy, which defines the required goals, initiatives and program of work for delivery of the strategy. This is critical to achieving data quality in the context of ensuring alignment with the business, although frequently this does not appear to be undertaken in business. SLIDE EIGHTEEN: DATA GOVERNANCE STRATEGY [No speaking points]
  19. 19. 19 SLIDE NINETEEN: IMPROVING DATA QUALITY Improving data quality is about the development of good business habits and a culture of good data, rather than a ‘big bang’ approach. It is naive to think that data quality can be improved in a ‘Great Leap Forward’ on all fronts and all at once. Critically, data quality is only tangentially related to the use of software tools. SLIDE TWENTY: PRACTICAL STRATEGIES To be sustainable, data quality must meet the cost/benefit test, and be important to the business. A data governance strategy grows organisational capability by implementing a data quality ‘floor’ for all data and focussing the most resources upon the most critical data. This creates less business risk, higher quality, and lower costs than a ‘big bang’ approach. The data quality strategy needs to be owned by the business, not ‘IT; this has implications for the approach to the development of governance groups.
  20. 20. 20 In developing the strategy, set core standards for all data to create a basic level of data quality, and then focus business resources on the development of data quality practices for absolutely critical data first. These could be termed critical data types. It is recommended that you be realistic in your approach, and do not develop over-engineered solutions for the entire organisation’s data at first. A steady and sure approach is usually best - slow- burn strategies that deliver beat fast-burning failures every time. It is recommended that you build a strategic rhythm of monthly & quarterly reviews. This approach de-emphasises the development of a strategy that sits on the shelf, and instead focuses on regular touch points of the strategy throughout the timeframe of the strategy. Quarterly deliverables should be set in the program of works for ease of monitoring, and these should be reported to and reviewed by the Steering Committee, and noted by the Board committee through the Balanced Scorecard and Governance Calendar. At all times, an active strategy is a practical strategy SLIDE TWENTY-ONE: STRATEGY FOR DELIVERING DATA GOVERNANCE Under this approach, our Business IT Strategic Plan will set out the mission, the three-year goals and, after identifying the key challenges to achieving those goals, identify a set of initiatives that will be
  21. 21. 21 successful. Unless there are significant resources available, a slow-burn strategy will be most appropriate. It is important that this strategy recognise the business’ limitations. The achievement of even a single deliverable will be a major step forward in improving the data quality framework. Recognise that the resources available are limited – if they are. If the resources cannot be made available, then work with what you have. This approach emphasises the process of developing the strategy, rather than the strategy. So, rather than spending many hours at developing a strategy that sits on the top shelf, this approach requires a constant monitoring (daily, weekly, and monthly reviews) and the development of quarterly deliverables with the strategy development team. Be conservative in your deliverables, and be wary of creating an undeliverable wish-list. This is an active strategy approach. SLIDE TWENTY-TWO: THE PROGRAM OF WORKS [No speaking points] SLIDE TWENTY-THREE: MATURITY THROUGH GROWTH Measuring the maturity of the process of managing data that satisfies the business requirement for IT of optimising the use of information and ensuring that information is available as required is: Rank Level Description 0 Non-existent Data are not recognised as corporate resources and assets. There is no assigned data ownership or individual accountability for data management. Data quality and security are poor or non-
  22. 22. 22 Rank Level Description existent. 1 Ad hoc The organisation recognises a need for effective data management. There is an ad hoc approach for specifying security requirements for data management, but no formal communications procedures are in place. No specific training on data management takes place. Responsibility for data management is not clear. Backup/restoration procedures and disposal arrangements are in place. 2 Repeatable but The awareness of the need for effective data management exists intuitive throughout the organisation. Data ownership at a high level begins to occur. Security requirements for data management are documented by key individuals. Some monitoring within IT is performed on data management key activities (e.g., backup, restoration, and disposal). Responsibilities for data management are informally assigned for key IT staff members. 3 Defined The need for data management within IT and across the process organisation is understood and accepted. Responsibility for data management is established. Data ownership is assigned to the responsible party who controls integrity and security. Data management procedures are formalised within IT, and some tools for backup/restoration and disposal of equipment are used. Some monitoring over data management is in place. Basic performance metrics are defined. Training for data management staff members is emerging. 4 Managed and The need for data management is understood, and required measurable actions are accepted within the organisation. Responsibility for data ownership and management are clearly defined, assigned and communicated within the organisation. Procedures are formalised and widely known, and knowledge is shared. Usage of current tools is emerging. Goal and performance indicators are agreed to with customers and monitored through a well-defined process. Formal training for data management staff members is in place. 5 Optimised The need for data management and the understanding of all required actions is understood and accepted within the organisation. Future needs and requirements are explored in a proactive manner. The responsibilities for data ownership and data management are clearly established, widely known across the organisation and updated on a timely basis. Procedures are formalised and widely known, and knowledge sharing is standard practice. Sophisticated tools are used with maximum automation of data management. Goal and performance indicators are agreed to with customers, linked to business objectives and consistently monitored using a well-defined process. Opportunities for improvement are constantly explored. Training for data management staff members is instituted.
  23. 23. 23 Data quality management can only work when the organisation is ready for it. A great leap forward won’t work for data management. The activities set out in the program of work, and the key performance indicators adopted as metrics to measure data quality must be tailored for your readiness. SLIDE TWENTY-FOUR: OBJECTIVES OF DATA QUALITY Process Description DS11.1 Business Requirements for Data Management DS11.2 Storage and Retention Arrangements DS11.3 Media Library Management System DS11.4 Disposal DS11.5 Backup and Restoration DS11.6 Security Requirements for Data Management These control objectives are the ones set out by COBIT, and although they are not a complete set of available objectives, this should be reflected in the data quality strategy. DS11.1 Business Requirements for Data Management - Verify that all data expected for processing are received and processed completely, accurately and in a timely manner, and all output is delivered in accordance with business requirements. Support restart and reprocessing needs. DS11.2 Storage and Retention Arrangements - Define and implement procedures for effective and efficient data storage, retention and archiving to meet business objectives, the organisation’s security policy and regulatory requirements. DS11.3 Media Library Management System - Define and implement procedures to maintain an inventory of stored and archived media to ensure their usability and integrity. DS11.4 Disposal - Define and implement procedures to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed or transferred.
  24. 24. 24 DS11.5 Backup and Restoration - Define and implement procedures for backup and restoration of systems, applications, data and documentation in line with business requirements and the continuity plan. DS11.6 Security Requirements for Data Management - Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation’s security policy and regulatory requirements. SLIDE TWENTY-FIVE: IMPROVING THE DATA QUALITY FRAMEWORK Having assessed your control objectives, the strategy will outline the need to improve the data quality framework through assessment of the gap between the required level and the necessary steps to improve these measures over time.
  25. 25. 25 SLIDE TWENTY-SIX: INVEST IN SECURITY ACCORDING TO YOUR NEEDS It is possible to have very secure data connections, and of course our friend Leo here is a good deterrent from a would-be prowler. However we do need to be sure that we don’t make our data too hard to use, and we need to be sure that it is not left insecure. Security is necessary according to our needs, and keep it appropriate. Often we invest in high-tech gadgetry or security methods when other, more mundane, approaches might make the data that little bit more secure. SLIDE TWENTY-SEVEN: DATA QUALITY POLICY FRAMEWORK [No speaking points]
  26. 26. 26 SLIDE TWENTY-EIGHT: DATA MANAGEMENT LIFECYCLE Data goes through a lifecycle – it is created, used, assessed, re-born, and, finally, it dies. The implication is that data needs to be respected over time – you cannot do this as a one-off. If your data is going to inform decision-making, then be sure to have the best data quality you can afford, for the data that matters. To ensure that your data is managed appropriately, this lifecycle identifies activities that can be carried out in order to manage the data at that particular point in its life. These points are suggested by the COBIT framework. SLIDE TWENTY-NINE: DATA QUALITY POLICY FRAMEWORK
  27. 27. 27 This diagram here sets out some of the practical things we can do to achieve data quality. These items would be added to the program of works, and delivered over time to critical data types. It is critical that you consider this strategy in the context of two streams: 1. Non-critical data types – data that is not critical to business decision-making and that, whilst we do not require it to be the highest quality, nevertheless it should be of acceptable quality. 2. Critical data types – data that is critical to the organisation and, if managed well, will give us the ability to make decisions and monitor our business well. It is likely that critical data types will be that information that is prescribed by law to be managed in a very secure manner. Alternatively, these critical data types will be used by the business for the monitoring and development of its key performance indicators.
  28. 28. 28 The data management activities you do need to be broken down to ensure a minimally acceptable standard of data quality for non-critical data, and focus resources on the development of practices that affect critical data types. Practical things that can be done to achieve data quality include: Data entry controls: Data entry requirements are clearly stated, enforced and supported by automated techniques at all levels, including database and file interfaces Data ownership: The responsibilities for data ownership and integrity requirements are clearly stated and accepted throughout the organisation Training in standards: Data accuracy and standards are clearly communicated and incorporated into the training and personnel development processes Data correction: Data entry standards and correction are enforced at the point of entry Output standards: Data input, processing and output integrity standards are formalised and enforced Data quarantine: Data are held in suspense until corrected Integrity Monitoring: Effective detection methods are used to enforce data accuracy and integrity standards – these might be automated audit tools. Reliable and meaningful data interfaces: Effective translation of data across platforms is implemented without loss of integrity or reliability to meet changing business demands. Minimal keying: There is a decreased reliance on manual data input and re-keying processes
  29. 29. 29 Data access tools: Efficient and flexible solutions promote effective use and re-use of data Archive management: Data are archived and protected and are readily available when needed for recovery. Data dictionary: A data dictionary provides a framework of data types, their semantic meaning, and works to improve the business’s understanding of its own information. Information inventory: An information inventory provides a visual reference to identified data and information types within the organisation. As part of this data management strategy, ongoing feedback and data quality metrics will be important for providing feedback for your data governance groups. Key performance indicators may include: Percent of data input errors Percent of updates reprocessed Percent of automated data integrity checks incorporated into the applications Percent of errors prevented at the point of entry Number of automated data integrity checks run independently of the applications Time interval between error occurrence, detection and correction Reduced data output problems
  30. 30. 30 Reduced time for recovery of archived data The KPI may be a simple ratio, a minimum or a maximum value, or a weighted average. These KPIs will be provided as part of the balanced scorecard to the board and its committee, and in more detail to the business steering committee. SLIDE THIRTY: CONCLUSION The major themes that I would like to recall to you today include the following points: Data quality is not an end in itself Involvement and ownership by the business is vital – if data quality is not emphasised, or is not seen as relevant to the business, then trying to force that horse to drink is going to be as frustrating as milking a herd of mice. Pursuing data management by technology alone is doomed to fail It is best to develop an active data management strategy that is aligned with the business’s needs, and to promote strong data quality habits amongst users. The force of habit is the most powerful force in the universe.
  31. 31. 31 Start focussed with the core data management activities, for only those critical data types for the business. As you build your organisational maturity up, you can expand the data that is managed well. Ladies and Gentlemen, thank you for your attention today.