Linking governance to compliance (and making auditors happier)

Data governance is crucial, and is embedded in most well-run enterprises. But most organisations are not yet maximising the full potential of their data management and governance measures, in that they are not yet linking data management to governance to compliance.

Data management differs from governance. Data management refers to planning, building and running capabilities. Governance relates to monitoring, evaluating and directing enablers, with value creation through assuring efficiencies using governance “place-holders” or control gates, the latter which are entrenched in system or project management life-cycles.

Governance monitors, ensures and directs data management practices not only in the execution of processes and business activities, but also needs to help achieve efficiencies; eg, in project management and system development life-cycles.

Most governance happens at a purely technical and operational level, but to elevate governance to support high-level compliance, organisations need to link rules, regulations, policies and guidelines to the actual processes and people at operational level. Compliance is set to become ever-more challenging as organisations deal with growing volumes of data across an expanded landscape of processes.

Compliance is set to become ever-more challenging as organisations deal with growing volumes of data across an expanded landscape of processes.

I advocate that governance not only be addressed at technical/operational (data management) levels, but should also be linked to compliance which carries risk and drives the organisation’s strategy. Major South African enterprises are starting to realise that linking governance to compliance could support the audit process and deliver multiple business benefits at the same time.

Recently, I highlighted how data stewards were stepping up their focus on mapping governance, risk management and compliance rules to actual processes, looking to the management of meta data to provide audit trails and evidence of compliance.

Traditionally, these audit trails have been hard to come by. Auditors – many of them with a limited technical background – had to assess reams of documents and request interviews with IT to track the linkages from legislation and guidelines to actual processes. In most cases, the processes linked to are purely technical in nature.

From a regulatory compliance point of view, traditional models do not provide direct links to a particular clause in legislation or best practice guidelines, illustrating the location and management of data, including where it resides, who uses it and how, in light of the requirements of the clause or legislation. Auditors, however, need enterprises to prove lineage and articulate governance in the context of compliance.

While enterprises typically say they are aware they could potentially link data management to governance to compliance, most do not undertake such exercises, possibly because they don’t have a mandate to do so, because they believe the tools to enable this are complex and costly, or simply because they believe the process will be too time-consuming.

Using sound methodology, this once-off exercise can take as little as two to three hours to map a process to legislation or guidelines. In the typical organisation, with around 1 000 processes, it could take less than a year to map all of them.

The organisation then gains the ability to track the processes without having to rely on elaborate business process management tools, and capture it all in Excel, store the information on any relational database and get insights: Where are the propensities, affinities, gaps and manual processes, and more importantly, what accords are they mapped to?

Mapping data is stored with timestamps and current version indicators, so if a process changes over time, or a rule, control or validation has changed, this information will be captured, indicating when it happened and where it was initiated. At the press of a button, the organisation is then able to demonstrate the exact lineage, drill down to any process within the system, and indicate where the concentration of effort lies, and where rules, conditions and checks are done within processes.

Additionally, it can attach risk weights at process level or accord level, helping shape strategy and gauge strategy execution.

Not only does this mapping give enterprises clear linkages between policies or regulations and processes, it also gives sudden new visibility into inefficiencies, the people and divisions involved in each process and more, so helping to enhance efficiencies and supporting overall organisational strategy.

With governance and compliance mandatory, it’s high time organisations moved to support governance and compliance evidence, and make the auditing process simpler and more effective.