SLIDE ONE: TITLE SLIDE
Good morning and welcome to this session discussing data management strategies. Today’s session
is intended to introduce approaches you can take to ensuring that the data that underlies your business
is fit for the purpose for which you intend it. This requires an alignment of organisational intent with
technical skills and capabilities.
SLIDE TWO: INTRODUCTION
[No speaking points]
SLIDE THREE: ABOUT THIS PRESENTATION
Now, in order to discuss how your business can ensure that data is managed appropriately, this
presentation discusses strategies to manage data, and discusses how to ensure that data is managed
and controlled appropriately.
This presentation also discusses some of the issues that I have seen in practice relating to sustainable
management of data. This, in the end, comes back to ensuring that the business has the appropriate
effort spent on data governance and management for its needs. There are standard practices that can
be adopted, and it is intended today to introduce some of these to you.
In discussing this presentation, I should acknowledge that some of the material presented in this
discussion was supported under the Australian Research Council's Linkage Projects funding scheme
(project number LP0882068). Some of this material relates to the research work that I am carrying
out through a relationship with the University of Queensland and the Australian Research Council.
In presenting this material, I want to communicate some very real issues that I have seen in past
practice. Some of this will be a little humorous, some of it less so. You’ll see what I mean when we
get to those bits!
SLIDE FOUR: AGENDA
In examining data quality, it is very easy to become ‘hyper-focussed’ on having good quality data.
We all know that data is clearly an important business resource. In avoiding becoming ‘hyper-
focussed’ on data quality, please remember that you are pursuing data quality for a utilitarian purpose.
The data that we manage must be important to the business and its senior team, including the business
owners. Data must be fit for purpose and help the business. That is the measure of good data quality.
In many ways, this discussion links to my presentation tomorrow on key performance indicators – it is
not possible to have key performance indicators that work well without having good-quality
In approaching the problem of data quality, be aware of the dangers of attempting to improve the
quality of all your data all at once. For all but the most special of organisations this ‘big bang’
approach is doomed to fail. The business must want data quality, and the approach to your data
quality must be aligned with your business strategy. It is not costless to improve data quality, and in
fact it is quite the reverse. Data quality is not an end in itself.
This presentation provides an approach and a toolset to advance the state of data management in your
business through data governance so that the data you have is accurate and useful. This presentation
explores the meaning of data governance, its impact upon the business, and how to develop a strategic
program of works that builds the business’s data governance. The aim is to develop an improved data
quality framework that works, which is a framework of practices and procedures that align data
quality practices with the business’ strategic need for data quality.
The emphasis here is on governance as a set of rules for governing data quality processes, and our
strategy is the way we direct day to day activities to ensure alignment with the business. The agenda
set out here takes us through a journey of what data management means for accountants, how we can
recognise data governance as a strategic need, and then a program of works that we can use to develop
our data management practices further.
SLIDE FIVE: DATA MANAGEMENT AND ACCOUNTANTS
SLIDE SIX: ACCOUNTING COMPLIANCE REQUIREMENTS
Us accountants like our rules and regulations, and in this day and age nothing affects us quite like the
computer. Yet our standards only have very little to actually say on our use of the computer. ISA315
merely asks the auditors to have ‘an understanding’ of information systems relevant to financial
reporting. This is in stark contrast to the Sarbanes-Oxley approach in the United States, which
requires a much more interventionist and prescribed approach to knowing where the data itself comes
In any event, if we are going to get good data that is useful to our business, we need to focus on more
than ‘just financial data’. The financial data is important, but frequently it tells us what happened,
rather than, perhaps, how it happened. We can use this data for decision-making and performance
monitoring, before it affects the financial bottom-line.
Let us discuss some illustrative examples that highlight some of the issues we are talking about here.
SLIDE SEVEN: TALES FROM THE DATA VAULT
Blue screen of death
The ‘blue screen of death’ – I’m sure you’re quite familiar with it! One former
client had had the software for their management information system installed
twice. When the software was updated, however, only one installation was
updated – and the other wasn’t. This meant that one half of the office had
computers that updated the data in one way – and the other half, didn’t. This wasn’t noticed for about
a year, when the computers started to blue-screen regularly. By this time of course their data was
thoroughly nonsensical and required extensive cleaning.
Networking and wiring technology
Well, I think this picture kind of illustrates the point rather well. There is not
a lot of point investing in good data management strategies if your technology
platform is a bit, well, fragile. Ask yourself, what happens if one of these wires were to get pulled
Every computer should have one of these
Now, clearly every computer should have one of these. I’ll tell you the story
of my earlier career. It was a private school that I worked at, and every three
months a newsletter was sent out to the alumni. Now, the program we used
was, shall we say, immature. It wasn’t really ready for prime time yet, although we had been using it
for three years. That was probably a mistake. However, we were using it.
Because it was immature, the programmer was always making changes. ‘Tailoring’ I believe it may
have been called. He made one little change. A teensy change. And it sent the program that gathered
addresses for the quarterly mailing for a loop so that, when it came to a postal address, it kept using
that postal address for every person that followed that person (until the next postal address). I
checked it. The director of business development checked it. His secretary checked it. No-one
noticed. They all got mailed out. All 11,000 of them.
We didn’t know until the postmaster in Chinchilla rang us the next day and said, “Hey, did youse
guys really want me to put 340 copies of your newsletter into Charlie’s PO Box?”. And then the
bloke in Townsville. And then... well, you get the picture.
A panic button would have been very helpful on that day.
I don’t know if you remember these things on the left here. They’re 5¼ inch
floppy disks. Positively of absolutely no use now. I don’t think I’ve seen one in
ten years. In my old firm, we used to store a great deal of data on Zip-disk drives.
Again – you can’t really buy those now either. My old firm also used to scan its client files to
Microfilm. Then Microfiche. Then Canoscan OM disks. Then the disk reader broke, and you can’t
buy a new one.
And – nightmare of nightmares! – we were sued! Where were our file notes to prove we were in the
right? That’s right, they’d all been scanned to OM disks. On a machine that had since blown up.
Now I can tell you, we put a lot of effort in getting that data back – and we did do it. The legal action
against the firm failed, at least partly on the basis of the information contained in those file notes.
Blast from the past
Again, do you remember these things? A great deal of data went on
those too – mind you, unlike floppy disks, THESE still work (so long
as the archives with your paper in haven’t burnt to the ground or been
flooded by now). Because of these issues, I can today show you more
of my work from 1986 – before I moved to new-fangled computers! – than from my four year
university degree and the entire decade of the 1990s (at which time, I stopped archiving off to floppy
By the way, that’s a great little machine – I doubt that my notebook will be as good when it is 45
Quix! Type in wez had all our injekshuns
Now I don’t know how true this story is, but it’s a good one so we’ll run with that.
There was a multinational company based in Europe, and its database design was
built in France, so all those ‘yes/no’ data fields were coded as ‘o’ for oui and ‘n’ for
non. Unfortunately the training when they rolled out to Greece was not so good,
although everyone used the database. Unfortunately, in Greek, ‘o’ is for no, and ‘n’ is for yes. Again,
fantastic data quality.
We are our own worst enemy. Possibly the biggest threat to your data – whether through
incompetence, by malicious intent, or just by their good nature, the
users of information systems can find ways to muck your data up that will make your toes curl. I am
thinking of one agency that was spending in excess of one billion dollars on infrastructure – this
required property resumptions. To record its discussions and negotiations with property-owners, the
QA manager decided that a spreadsheet would be the most appropriate approach to record the
negotiations and decisions made by its field agents. The system allowed the final outcomes of
negotiations to be recorded, but had no real method for recording the decisions made. The
information was contained inside many spreadsheets and could easily be overwritten by the end users.
SLIDE EIGHT: DEFINITIONS
Now, in the context of this presentation, the following definitions apply:
Data Quality: measures the data’s fitness for the intended use in operations, decision making &
Governance: is a set of accountabilities, processes, and auditable and measurable controls that
ensure the business is on track to achieve its objectives
Data Governance: is therefore a set of accountabilities, processes, and auditable and measurable
controls to ensure the business is on track to achieve its data quality objectives
Data Quality Frameworks: These frameworks provide structure to data quality activities and allow
assessment of data quality
Data quality is principally about fitness for purpose. This is a broad definition, but it goes to the heart
of the matter. If the data is fit for the purpose for which it is intended, then data quality is generally
sufficient. However, businesses frequently use data for decision-making that it absolutely does not
For example, a client once had developed several information systems to manage its business
functions. This client was an agency focussed upon the management of personal relationships with
the government, and frequently aggregated the data from the different information systems to inform
the development of government policy responses to social issues. Unfortunately, the different
systems used different attributes to describe the people in care – in one system, there were three
ethnicities (Indigenous, Torres Strait Islander, and ‘other’), while another system had twelve ethnicity
codes. This approach made sense for each individual system, and the data was fit for the purpose
initially envisaged. Problems arose, however, when the data was used to support decisions it was not
originally intended for.
Similarly, this client was responsible for maintaining a spreadsheet of people who were considered a
‘threat to the community’. Unfortunately, this information was derived from the three information
systems, and was manually maintained. At the time of our review the master spreadsheet had not
been revised for six months – data that loses accuracy, timeliness and relevance.
There are several core components to the concepts of data governance.
Firstly, ‘governance’ is not about the specific actions to be taken, it is about who is accountable for
those actions, what processes are followed, and how these actions are measured.
Secondly, the aim is to meet the business’s data quality objectives. If those objectives are not set out,
or are at odds with the aims of the data quality framework, then data governance is poor.
SLIDE TEN: THE REASONS WHY
In order to advance data governance, it is absolutely essential that the business strategy is understood.
There are very good business reasons for improving data quality frameworks through good data
governance, which can be analysed in terms of ‘compliance’ frameworks (required by a standard or
law) and ‘incentive’ frameworks (whereby it can be seen that IT governance provides a positive return
to the business, even when it is not required).
On this list of compliance frameworks, Control Objectives for IT (COBIT) and Sarbanes-Oxley are
both audit standards. Neither has a direct ‘black and white’ legislative effect in Australia, although
they are both influential for Australian businesses.
COBIT is managed and developed by the Information Technology Governance Institute. The
Information Systems and Audit Control Association originally developed COBIT in order to assess
the controls over information technology and the information managed by it. COBIT is an audit
standard for IT governance, and a very small part of that standard is devoted to data management and
data quality. Financial auditors use COBIT when assessing the controls over information technology
as part of a financial audit. These control objectives become important for complex audits, and where
the auditor feels unable to consider information technology to be a ‘black box’ that can safely be
For a financial auditor, if the controls over the accounting system are inadequate and unreliable, then
there is little prospect that the auditor can place reliance upon the information produced from that
The COBIT standard may be applied to larger organisations that require complex audits. However,
there is no legislative requirement that this be followed, and its application is generally left to the
professional judgment of the auditor.
Sarbanes-Oxley is, again, a standard that is not generally relevant for non-US companies, as it is
US-based legislation. However, it should be noted that US legislation generally attempts to be as
inclusive as it possibly can, and wholly-owned subsidiaries of US firms operating elsewhere are
required to achieve SOx compliance if the parent company is subject to Sarbanes-Oxley.
S404 of the Sarbanes-Oxley Act requires a management assessment of internal controls. In practice,
the auditor must be certain of the provenance of financial data, and so controls over feeder systems
through to the financial information systems are relevant. Generally, auditors have tended to be
conservative in their application of S404 – so although not all systems need be tested every year,
auditors err on the side of caution in these instances.
Of interest is speculation that overseas companies may be captured by the operation of S404 if those
companies pass information (not necessarily financial!) to the financial
information systems of a US company. Sarbanes-Oxley affects Australian companies with significant
business-to-business relationships with US companies (e.g. joint ventures).
In Australia, the Stock Exchange has rules for listed companies, although these are not particularly
onerous in this context. Principle 2 requires that the board of the business is structured to add value,
whilst Principle 7 requires that the board recognise and manage risk.
As for the management of risk, it is true that poor data quality can result in poor business decisions,
but generally data quality seems to be the last thing on the minds of board members and the senior
executive team. Until, that is, poor data quality results in a bad business decision or a crisis.
There needs to be a story to motivate the senior team about data quality. My stories would include the
time a school sent academic reports to the estranged father of a child. The father was the subject of a
domestic violence order and was not to know where the student attended the school. Or the time the
accounting firm kept inviting the managing director of a very major client to seminars and
presentations, despite the fact he had died six months previously. Or Queensland Police Service,
where if the information provided to their people on the streets by 000 is wrong, people die. There is
also the story of the managing director of a listed company with $16 million turnover. He received an
audit letter that was 32 pages in length, mostly due to poor information security and data quality, and
yet refused to upgrade the accounting system from MYOB.
Privacy legislation requirements apply to the data that we gather, and there is of course an Australian
and international standard on IT Governance (AS8015-2005; ISO/IEC 38500) and AS4360:2004 is
the Australian standard on Risk Management. Amongst other requirements, there is also the act to
counter spam and the counter-terrorism act, the credit card companies impose their own restrictions,
and if you are an accountant there is the new money-laundering act, all of which provide for harsh
penalties for breaches by directors.
However, there is generally no hard-and-fast requirement for data quality in Australia, and so you
need to build the business case for data quality judiciously. There is the assertion by Weill & Ross
(2004) that good IT governance practices provide a higher return on assets for businesses than
businesses without good IT governance practices. Generally, though, you will need to build the case
for the improvement of data quality on the basis of your business.
Unfortunately for those of us that want to see good data, the Sarbanes-Oxley experience shows that
penalties (both civil and criminal) seem to be a primary motivator in getting a focus on data quality in
SLIDE ELEVEN: ACCOUNTANTS AND SPREADSHEETS
Us accountants also love our spreadsheets. We love to work with them and use them all the time, and
there are very good reasons for that. Spreadsheets contain a lot of the corporate information that we
use to guide decision-making.
However, spreadsheets are notoriously unreliable. There are frequent errors and problems with the
formulas that we use. It’s not ‘just a spreadsheet’ if we use it to make important business decisions,
and we need to know and understand where the data that we are using has come from.
The spreadsheet should have internal controls and methods of validation as well – it is still a system
and needs appropriate controls, checks and balances. I always use an ‘IIF’ formula to cross-reference
my totals and flag exceptions, or conditional formatting is useful as well, as I am sure you know.
Although it is ‘just a spreadsheet’ we should look to build into the spreadsheet its integrity.
Additionally, where the spreadsheet uses data from other systems, understand where that data has
come from, and ensure that you know its security, its integrity, its effectiveness and its efficiency.
There are several inherent problems with a spreadsheet, though. Firstly, by its nature a spreadsheet is
not exactly multi-user. We tend to make a copy of data in a spreadsheet, and then update that data
rather than updating the source. Or, the spreadsheet quickly becomes out of date.
A client of mine once had 28 staff working for it, from the CEO down to the janitor. That business
had 84 databases of some description – none of which was particularly well-maintained, nor current!
Spreadsheets do provide a very simple way of transporting data around – unfortunately this strength is
also a weakness. Once data has been placed into a spreadsheet, any controls you might have created
over access to it are generally ignored from then on. It becomes an unmanaged data repository – and
frequently a considerable one at that.
Incidentally, as accountants we are often guilty of using spreadsheets to meddle with dark forces.
Forces we perhaps don’t understand. Now, you can stretch a spreadsheet’s functionality to address
some of these issues. My brother-in-law – bless his little cotton-socks! – uses multi-user spreadsheets
in all complex manner of ways. He has his sales managers in different sites enter the daily sales and
other key bits of information into the same spreadsheet, over which he then runs a macro to pick up
the data that he wants. Yes, you can modify a spreadsheet to do these things, with ODBC links and
other automation elements. However, eventually, what you have done is strap a jet engine to a
Volkswagen Beetle. It can be done, sure, but who would want to drive it?
A spreadsheet is a very good tool for what it was designed for, but it is not a database. I have seen
many accountants build very complex inter-related spreadsheets when, really, the tool to use should
have been a proper database. Please, bear this in mind if your spreadsheets are becoming too fragile
SLIDE TWELVE: ALIGNING EFFORT AND NEED
[No speaking points]
SLIDE THIRTEEN: DO WHAT THE BUSINESS NEEDS
The diagram here shows the relationship between the effort you put into
managing data quality and the expected impact on the business. The red circles indicate an
unsustainable mismatch of the effort put into data quality and the impact upon the business.
The need to build the business case for data quality means that the alignment of data quality practices
with the needs of the business is paramount. There is very little point in pursuing data quality as an
end in itself if it has little benefit for the business. Focus is needed to get the most business impact
from your strategic effort.
SLIDE FOURTEEN: CORPORATE GOVERNANCE AND DATA
Your average board is comprised of accountants, lawyers, and sometimes an ex-politician or two.
Given the focus of directors’ duties on compliance with financial standards, and the general
background of boards, it is probably no surprise that businesses are very good at managing financial
assets and physical assets, and quite poor at most of the other key assets of the business.
To advance data quality, we need to bring this issue to appropriate prominence. It starts with the
board, which will need to ensure accountability, monitor and supervise the actions of the senior
executive team, decide strategic actions, and make policy. If, at this time, the board sees no role for
data quality within the business, then that needs to be changed if data governance is to be advanced.
The senior executive team needs to set out the business strategy – which must include the objectives
for data quality – and decide who has input into the approach.
Data quality needs to be on the board’s agenda – it does not need to be the board’s agenda, but it does
need to be on it. This means that we adopt governance groups and governance processes to ensure
data quality stays top-of-mind.
SLIDE FIFTEEN: GOVERNANCE GROUPS
When approaching governance groups that you can use for sorting out data quality, the mechanisms
you use need to be compatible with your business and the way it approaches the questions of IT
management. A steering committee is unlikely to work well if the rest of the IT approach – or the rest
of the business - is undertaken in an anarchistic manner.
However, key governance groups and processes include:
Information Steering Committee
Board Risk and Audit Committee
The key here is that there needs to be a way to manage data quality, and it needs to be monitored by
the people that matter.
SLIDE SIXTEEN: INTEGRATING IT PLANS INTO BUSINESS
This process is a rational one, and essentially requires that the gap is identified between the current
approach and business requirements, and then the gap is closed. Unfortunately there are common
flaws that exist in the approach by business:
Where there is no direction by the business, IT fills the gap as it sees fit.
The approach is completely out of alignment with the business
Personal or political agendas cloud the approach
There is no way of closing the loop with feedback so that the current ‘flavour of the month’ continues
to be monitored once it is no longer the flavour of the month.
A business decision
Data quality is a business issue. A forum and a process are needed to synthesise a whole-of-business
approach. The responsibilities of the Chief Information Officer include the development of business-
driven IT strategy and the monitoring of ICT service delivery. This includes the development of the
data governance approach and the strategy for data quality.
The CIO does have a role to input into business strategy in terms of identifying business
opportunities. As a supporting business function, though, in practical terms the CIO must engage
with the business functions of HR, Finance, and Marketing once they have developed their specific
plans, and then identify the Business IT Strategic Plan. This will include the data quality strategy,
which defines the required goals, initiatives and program of work for delivery of the strategy.
This is critical to achieving data quality in the context of ensuring alignment with the business,
although frequently this does not appear to be undertaken in business.
SLIDE EIGHTEEN: DATA GOVERNANCE STRATEGY
[No speaking points]
SLIDE NINETEEN: IMPROVING DATA QUALITY
Improving data quality is about the development of good business habits and a culture of good data,
rather than a ‘big bang’ approach. It is naive to think that data quality can be improved in a ‘Great
Leap Forward’ on all fronts and all at once. Critically, data quality is only tangentially related to the
use of software tools.
SLIDE TWENTY: PRACTICAL STRATEGIES
To be sustainable, data quality must meet the cost/benefit test, and be important to the business. A
data governance strategy grows organisational capability by implementing a data quality ‘floor’ for all
data and focussing the most resources upon the most critical data.
This creates less business risk, higher quality, and lower costs than a ‘big bang’ approach. The data
quality strategy needs to be owned by the business, not ‘IT’; this has implications for the approach to
the development of governance groups.
In developing the strategy, set core standards for all data to create a basic level of data quality, and
then focus business resources on the development of data quality practices for absolutely critical data
first. These could be termed critical data types.
It is recommended that you be realistic in your approach, and do not develop over-engineered
solutions for the entire organisation’s data at first. A steady and sure approach is usually best - slow-
burn strategies that deliver beat fast-burning failures every time.
It is recommended that you build a strategic rhythm of monthly & quarterly reviews. This approach
de-emphasises the development of a strategy that sits on the shelf, and instead focuses on regular
touch points of the strategy throughout the timeframe of the strategy.
Quarterly deliverables should be set in the program of works for ease of monitoring, and these should
be reported to and reviewed by the Steering Committee, and noted by the Board committee through
the Balanced Scorecard and Governance Calendar. At all times, an active strategy is a practical
SLIDE TWENTY-ONE: STRATEGY FOR DELIVERING DATA
Under this approach, our Business IT Strategic Plan will set out the mission, the three-year goals and,
after identifying the key challenges to achieving those goals, identify a set of initiatives that will be
successful. Unless there are significant resources available, a slow-burn strategy will be most
It is important that this strategy recognise the business’ limitations. The achievement of even a single
deliverable will be a major step forward in improving the data quality framework. Recognise that the
resources available are limited – if they are. If the resources cannot be made available, then work
with what you have.
This approach emphasises the process of developing the strategy, rather than the strategy. So, rather
than spending many hours at developing a strategy that sits on the top shelf, this approach requires a
constant monitoring (daily, weekly, and monthly reviews) and the development of quarterly
deliverables with the strategy development team. Be conservative in your deliverables, and be wary
of creating an undeliverable wish-list.
This is an active strategy approach.
SLIDE TWENTY-TWO: THE PROGRAM OF WORKS
[No speaking points]
SLIDE TWENTY-THREE: MATURITY THROUGH GROWTH
Measuring the maturity of the process of managing data that satisfies the business requirement for IT
of optimising the use of information and ensuring that information is available as required is:
Rank 0 (Non-existent): Data are not recognised as corporate resources and assets. There is no
assigned data ownership or individual accountability for data management. Data quality and security
are poor or non-
Rank 1 (Ad hoc): The organisation recognises a need for effective data management. There is an ad hoc
approach for specifying security requirements for data management, but no formal communications
procedures are in place. No specific training on data management takes place. Responsibility for data
management is not clear. Backup/restoration procedures and disposal arrangements are in
Rank 2 (Repeatable but intuitive): The awareness of the need for effective data management exists
throughout the organisation. Data ownership at a high level begins to occur. Security requirements for
data management are documented by key individuals. Some monitoring within IT is performed on data
management key activities (e.g., backup, restoration, and disposal). Responsibilities for data
management are informally assigned for key IT staff members.
Rank 3 (Defined process): The need for data management within IT and across the organisation is
understood and accepted. Responsibility for data management is established. Data ownership is assigned
to the responsible party who controls integrity and security. Data management procedures are
formalised within IT, and some tools for backup/restoration and disposal of equipment are used. Some
monitoring over data management is in place. Basic performance metrics are defined. Training for data
management staff members
Rank 4 (Managed and measurable): The need for data management is understood, and required actions are
accepted within the organisation. Responsibility for data ownership and management are clearly
defined, assigned and communicated within the organisation. Procedures are formalised and widely
known, and knowledge is shared. Usage of current tools is emerging. Goal and performance indicators
are agreed to with customers and monitored through a well-defined process. Formal training for data
management staff members is in
Rank 5 (Optimised): The need for data management and the understanding of all required actions is
understood and accepted within the
Future needs and requirements are explored in a proactive manner. The responsibilities for data
ownership and data management are clearly established, widely known across the organisation and
updated on a timely basis. Procedures are formalised and widely known, and knowledge sharing is
standard practice. Sophisticated tools are used with maximum automation of data management. Goal and
performance indicators are agreed to with customers, linked to business objectives and consistently
monitored using a well-defined process. Opportunities for improvement are constantly explored.
Training for data management staff members is instituted.
Data quality management can only work when the organisation is ready for it. A great leap forward
won’t work for data management. The activities set out in the program of work, and the key
performance indicators adopted as metrics to measure data quality must be tailored for your readiness.
SLIDE TWENTY-FOUR: OBJECTIVES OF DATA QUALITY
DS11.1 Business Requirements for Data Management
DS11.2 Storage and Retention Arrangements
DS11.3 Media Library Management System
DS11.4 Disposal
DS11.5 Backup and Restoration
DS11.6 Security Requirements for Data Management
These control objectives are the ones set out by COBIT, and although they are not a complete set of
available objectives, they should be reflected in the data quality strategy.
DS11.1 Business Requirements for Data Management - Verify that all data expected for processing
are received and processed completely, accurately and in a timely manner, and all output is delivered
in accordance with business requirements. Support restart and reprocessing needs.
DS11.2 Storage and Retention Arrangements - Define and implement procedures for effective and
efficient data storage, retention and archiving to meet business objectives, the organisation’s security
policy and regulatory requirements.
DS11.3 Media Library Management System - Define and implement procedures to maintain an
inventory of stored and archived media to ensure their usability and integrity.
DS11.4 Disposal - Define and implement procedures to ensure that business requirements for
protection of sensitive data and software are met when data and hardware are disposed or transferred.
DS11.5 Backup and Restoration - Define and implement procedures for backup and restoration of
systems, applications, data and documentation in line with business requirements and the continuity
DS11.6 Security Requirements for Data Management - Define and implement policies and procedures
to identify and apply security requirements applicable to the receipt, processing, storage and output of
data to meet business objectives, the organisation’s security policy and regulatory requirements.
SLIDE TWENTY-FIVE: IMPROVING THE DATA QUALITY
Having assessed your control objectives, the strategy will outline the need to improve the data quality
framework through assessment of the gap between the required level and the necessary steps to
improve these measures over time.
SLIDE TWENTY-SIX: INVEST IN SECURITY ACCORDING TO YOUR
It is possible to have very secure data connections, and of course our friend Leo here is a good
deterrent to a would-be prowler. However, we do need to be sure that we don’t make our data too
hard to use, and we need to be sure that it is not left insecure. Security is necessary according to our
needs, and we should keep it appropriate. Often we invest in high-tech gadgetry or security methods
when other, more mundane, approaches might make the data that little bit more secure.
SLIDE TWENTY-SEVEN: DATA QUALITY POLICY FRAMEWORK
[No speaking points]
SLIDE TWENTY-EIGHT: DATA MANAGEMENT LIFECYCLE
Data goes through a lifecycle – it is created, used, assessed, re-born, and, finally, it dies. The
implication is that data needs to be respected over time – you cannot do this as a one-off. If your data
is going to inform decision-making, then be sure to have the best data quality you can afford, for the
data that matters.
To ensure that your data is managed appropriately, this lifecycle identifies activities that can be
carried out in order to manage the data at that particular point in its life. These points are suggested
by the COBIT framework.
SLIDE TWENTY-NINE: DATA QUALITY POLICY FRAMEWORK
This diagram here sets out some of the practical things we can do to achieve data quality. These items
would be added to the program of works, and delivered over time to critical data types. It is critical
that you consider this strategy in the context of two streams:
1. Non-critical data types – data that is not critical to business decision-making and that, whilst
we do not require it to be of the highest quality, should nevertheless be of acceptable quality.
2. Critical data types – data that is critical to the organisation and, if managed well, will give us
the ability to make decisions and monitor our business well.
It is likely that critical data types will be information that is prescribed by law to be managed in a
very secure manner. Alternatively, these critical data types will be used by the business for the
monitoring and development of its key performance indicators.
The data management activities you carry out need to be broken down so that they ensure a minimally
acceptable standard of data quality for non-critical data, and focus resources on the development of
practices that affect critical data types.
Practical things that can be done to achieve data quality include:
Data entry controls: Data entry requirements are clearly stated, enforced and supported by automated
techniques at all levels, including database and file interfaces.
Data ownership: The responsibilities for data ownership and integrity requirements are clearly stated
and accepted throughout the organisation.
Training in standards: Data accuracy and standards are clearly communicated and incorporated into
the training and personnel development processes.
Data correction: Data entry standards and correction are enforced at the point of entry.
Output standards: Data input, processing and output integrity standards are formalised and enforced.
Data quarantine: Data are held in suspense until corrected.
Integrity monitoring: Effective detection methods are used to enforce data accuracy and integrity
standards – these might be automated audit tools.
Reliable and meaningful data interfaces: Effective translation of data across platforms is
implemented without loss of integrity or reliability to meet changing business demands.
Minimal keying: There is a decreased reliance on manual data input and re-keying processes.
Data access tools: Efficient and flexible solutions promote effective use and re-use of data.
Archive management: Data are archived and protected and are readily available when needed for
Data dictionary: A data dictionary provides a framework of data types, their semantic meaning, and
works to improve the business’s understanding of its own information.
Information inventory: An information inventory provides a visual reference to identified data and
information types within the organisation.
As part of this data management strategy, ongoing feedback and data quality metrics will be important
for informing your data governance groups. Key performance indicators may include:
Percent of data input errors
Percent of updates reprocessed
Percent of automated data integrity checks incorporated into the applications
Percent of errors prevented at the point of entry
Number of automated data integrity checks run independently of the applications
Time interval between error occurrence, detection and correction
Reduced data output problems
Reduced time for recovery of archived data
The KPI may be a simple ratio, a minimum or a maximum value, or a weighted average. These KPIs
will be provided as part of the balanced scorecard to the board and its committee, and in more detail
to the business steering committee.
SLIDE THIRTY: CONCLUSION
The major themes that I would like to recall to you today include the following points:
Data quality is not an end in itself
Involvement and ownership by the business is vital – if data quality is not emphasised, or is not seen
as relevant to the business, then trying to force that horse to drink is going to be as frustrating as
milking a herd of mice.
Pursuing data management by technology alone is doomed to fail
It is best to develop an active data management strategy that is aligned with the business’s needs, and
to promote strong data quality habits amongst users. The force of habit is the most powerful force in
Start focussed with the core data management activities, for only those critical data types for the
business. As you build your organisational maturity up, you can expand the data that is managed
Ladies and Gentlemen, thank you for your attention today.