Linking governance to compliance (and making auditors happier)
Moving data governance from a purely technical exercise to a higher level gives organisations greater oversight and supports compliance.
Data governance is crucial and is embedded in most well-run enterprises. But most organisations are not yet realising the full potential of their data management and governance measures, because they have not yet linked data management to governance, and governance to compliance.
Data management differs from governance. Data management refers to planning, building and running capabilities. Governance relates to monitoring, evaluating and directing those enablers, creating value by assuring efficiencies through governance “place-holders” or control gates, which are entrenched in the system development or project management life-cycle.
Governance therefore monitors, assures and directs data management practices, not only in the execution of processes and business activities, but also to help achieve efficiencies, eg in project management and system development life-cycles.
Moving to the next level
Most governance happens at a purely technical and operational level, but to elevate governance to support high-level compliance, organisations need to link rules, regulations, policies and guidelines to the actual processes and people at operational level. Compliance is set to become ever-more challenging as organisations deal with growing volumes of data across an expanded landscape of processes.
I advocate that governance not only be addressed at technical/operational (data management) levels, but should also be linked to compliance which carries risk and drives the organisation’s strategy. Major South African enterprises are starting to realise that linking governance to compliance could support the audit process and deliver multiple business benefits at the same time.
Recently, I highlighted how data stewards were stepping up their focus on mapping governance, risk management and compliance rules to actual processes, looking to the management of metadata to provide audit trails and evidence of compliance.
Traditionally, these audit trails have been hard to come by. Auditors – many of them with a limited technical background – had to assess reams of documents and request interviews with IT to track the linkages from legislation and guidelines to actual processes. In most cases, the processes linked to are purely technical in nature.
From a regulatory compliance point of view, traditional models do not provide a direct link from a particular clause in legislation or a best-practice guideline to the data it governs: where that data resides, who uses it and how, measured against the requirements of the clause. Auditors, however, need enterprises to prove lineage and articulate governance in the context of compliance.
Establishing the linkages
While enterprises typically say they are aware they could potentially link data management to governance to compliance, most do not undertake such exercises, possibly because they don’t have a mandate to do so, because they believe the tools to enable this are complex and costly, or simply because they believe the process will be too time-consuming.
Using a sound methodology, mapping a process to legislation or guidelines is a once-off exercise that can take as little as two to three hours per process. In the typical organisation, with around 1 000 processes, all of them could be mapped in less than a year.
The organisation then gains the ability to track the processes without having to rely on elaborate business process management tools: capture it all in Excel, store the information in any relational database and query it for insights: Where are the propensities, affinities, gaps and manual processes, and more importantly, which accords (the regulations, policies or guidelines) are they mapped to?
Mapping data is stored with timestamps and current-version indicators, so if a process changes over time, or a rule, control or validation changes, that change is captured together with when it happened and where it was initiated. At the press of a button, the organisation is then able to demonstrate the exact lineage, drill down to any process within the system, and indicate where the concentration of effort lies and where rules, conditions and checks are applied within processes.
Additionally, it can attach risk weights at process level or accord level, helping shape strategy and gauge strategy execution.
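As an added illustration (not code from the article, from KID or from any product it describes), the following Python script builds the kind of versioned mapping register described above in an in-memory SQLite database: a table of processes, a table of accords with a risk weight each, and a mapping table in which every change appends a new current row and supersedes the previous one, so the version history itself is the audit trail. All identifiers, clause texts, controls, steward names and timestamps are constructed placeholders, not real legislation or real processes. The queries return the three things the paragraphs above ask for: gaps (processes with no current mapping), the lineage of a single process, and effort and risk-weighted exposure per accord.

```python
"""Versioned process-to-accord mapping register (added example; constructed data)."""
import sqlite3

# Three tables: the processes being governed, the accords (clauses of legislation,
# policies or guidelines) they must satisfy, and the mapping between them.
# Every mapping row carries a timestamp, who recorded it and a current-version flag.
SCHEMA = """
CREATE TABLE process (
    process_id  TEXT PRIMARY KEY,
    name        TEXT NOT NULL,
    owner_unit  TEXT NOT NULL,
    is_manual   INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE accord (
    accord_id   TEXT PRIMARY KEY,
    clause      TEXT NOT NULL,
    risk_weight REAL NOT NULL
);
CREATE TABLE mapping (
    mapping_id  INTEGER PRIMARY KEY AUTOINCREMENT,
    process_id  TEXT NOT NULL REFERENCES process(process_id),
    accord_id   TEXT NOT NULL REFERENCES accord(accord_id),
    control     TEXT NOT NULL,      -- the rule, check or validation applied
    recorded_at TEXT NOT NULL,      -- ISO 8601 timestamp of this version
    recorded_by TEXT NOT NULL,      -- who initiated the change
    is_current  INTEGER NOT NULL DEFAULT 1
);
"""

# Constructed sample data: placeholder identifiers, not real legislation or processes.
PROCESSES = [
    ("P-001", "Customer onboarding", "Retail", 0),
    ("P-002", "Backup restore drill", "IT Ops", 1),   # a manual process
    ("P-003", "Marketing list export", "Marketing", 0),
]
ACCORDS = [
    ("A-01", "Placeholder clause: safeguard personal information", 0.9),
    ("A-02", "Placeholder clause: prove recoverability of records", 0.5),
]


def open_register():
    """Create an in-memory register loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO process VALUES (?, ?, ?, ?)", PROCESSES)
    conn.executemany("INSERT INTO accord VALUES (?, ?, ?)", ACCORDS)
    conn.commit()
    return conn


def record_mapping(conn, process_id, accord_id, control, actor, recorded_at):
    """Record a (new version of a) mapping.

    The previous current row is superseded, never edited in place or deleted,
    so the table keeps every version and shows when and by whom it changed.
    """
    with conn:
        conn.execute(
            "UPDATE mapping SET is_current = 0 "
            "WHERE process_id = ? AND accord_id = ? AND is_current = 1",
            (process_id, accord_id),
        )
        conn.execute(
            "INSERT INTO mapping (process_id, accord_id, control, recorded_at, recorded_by) "
            "VALUES (?, ?, ?, ?, ?)",
            (process_id, accord_id, control, recorded_at, actor),
        )


def unmapped_processes(conn):
    """Gap report: processes with no current mapping to any accord."""
    rows = conn.execute(
        "SELECT p.process_id FROM process p "
        "LEFT JOIN mapping m ON m.process_id = p.process_id AND m.is_current = 1 "
        "WHERE m.mapping_id IS NULL ORDER BY p.process_id"
    ).fetchall()
    return [r[0] for r in rows]


def lineage(conn, process_id):
    """Full version history for one process: (accord, control, when, who, current)."""
    return conn.execute(
        "SELECT accord_id, control, recorded_at, recorded_by, is_current "
        "FROM mapping WHERE process_id = ? ORDER BY mapping_id",
        (process_id,),
    ).fetchall()


def effort_by_accord(conn):
    """Per accord: number of current mappings and the risk-weighted total."""
    rows = conn.execute(
        "SELECT a.accord_id, COUNT(m.mapping_id), COUNT(m.mapping_id) * a.risk_weight "
        "FROM accord a "
        "LEFT JOIN mapping m ON m.accord_id = a.accord_id AND m.is_current = 1 "
        "GROUP BY a.accord_id ORDER BY a.accord_id"
    ).fetchall()
    return {accord: (count, weighted) for accord, count, weighted in rows}


def manual_processes(conn):
    """Manual processes and the accords they currently support."""
    return conn.execute(
        "SELECT m.process_id, m.accord_id FROM mapping m "
        "JOIN process p ON p.process_id = m.process_id "
        "WHERE p.is_manual = 1 AND m.is_current = 1 ORDER BY m.process_id, m.accord_id"
    ).fetchall()


if __name__ == "__main__":
    reg = open_register()
    record_mapping(reg, "P-001", "A-01", "Identity verification", "steward.a", "2024-03-01T09:00:00Z")
    record_mapping(reg, "P-001", "A-01", "Identity verification + sanctions screening", "steward.b", "2024-06-15T14:30:00Z")
    record_mapping(reg, "P-002", "A-02", "Quarterly restore test", "steward.a", "2024-03-02T10:00:00Z")
    print("gaps:", unmapped_processes(reg))
    print("lineage P-001:", lineage(reg, "P-001"))
    print("effort:", effort_by_accord(reg))
    print("manual:", manual_processes(reg))
```

The design point worth keeping whatever tool holds the register: a mapping version is superseded by inserting a new row and flipping the old one's current flag, never by overwriting it, so the stewards who maintain the register cannot silently erase the history an auditor will ask for. In the sample run, P-003 appears as a gap, P-001 shows two versions of its control with the second marked current, and the risk weights turn a plain count of mappings per accord into a weighted view of where exposure concentrates.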
Not only does this mapping give enterprises clear linkages between policies or regulations and processes, it also gives new visibility into inefficiencies, the people and divisions involved in each process, and more, helping to enhance efficiencies and supporting overall organisational strategy.
With governance and compliance mandatory, it’s high time organisations moved to support governance and compliance evidence, and make the auditing process simpler and more effective.
Mervyn Mooi is a director of Knowledge Integration Dynamics (KID) and represents the ICT services arm of the Thesele Group. His competencies and focus are within data/information management and governance.
Mooi has been in the ICT and data solutions industry for 38 years, beginning his career as an operator at the CICS bureau in Johannesburg in the early 1980s. Thereafter, he was appointed as a programmer at state-owned oil exploration and production company SOEKOR.
In 1986, Mooi joined Anglo American's head office ICT department where he remained for almost 12 years. Here he progressed to become a senior programmer, analyst, database administrator and technical support specialist. After completing his degree in informatics, he then left to join Software Futures, where he worked as a senior consultant for 18 months in the data warehousing and business intelligence arena.
Mooi joined KID in 1999 as a data warehouse and business intelligence specialist. His experience in ICT disciplines includes operations, business and systems analysis, application development, database administration, data governance/management, data architecture/modelling, software support, data warehousing and business intelligence.