Data governance is not a one-off fix - it is an evergreen project which needs to become embedded in the business culture. As a result, it often loses traction after year one unless its advocates continue to push. David Reed hears some lessons on how to achieve a sustainable solution.
You have a proposition to make to the board. From now on, the entire business needs to be lit up 24/7. Every function has to run with the lights on full-time with no exceptions. Only by doing this can the enterprise realise its goals and true value, while at the same time avoiding being penalised by regulators.
The reaction is easy to predict, ranging from calculations of how low the wattage of the bulbs could be while still reaching the minimum standard through to outright defiance and a willingness to bear the brunt of any sanction. After all, that is precisely what many organisations routinely decide in the face of their obligations, as scandals in the financial services sector have exposed.
So now consider that, instead of light bulbs, what you are proposing is data governance. The principles are the same - every function must adopt a compliant way of working which has to be kept going not just now, but forever. Data governance is an evergreen process which only exists as long as it is running, rather than being an end state that can be achieved and then banked.
Little wonder, then, that organisations tend to resist the proposals of their data governance teams and rapidly lose their appetite when being force-fed compliance. “It is a problem,” agrees Jim Roberts, consulting business partner with Pairview and author of the e-book, “Managing customer data to improve marketing ROI”. “The whole issue with data governance is that people don’t understand what it does for them, they believe it is a separate entity,” he says.
Roberts draws a parallel with Health and Safety regulations - there to protect workers and ensure they can carry out their activities effectively and without risk, but routinely pilloried as an interference (or worse) in getting on with the job. “If you adopt it as a separate department, it is not part of every employee’s job, it is just a tick in a box,” he says. “What you need to create is data awareness - getting people to see that it is in their interest. Without access to good data, you can’t deliver value.”
He argues that the solution to this natural resistance is to base the argument around value, rather than rules. When a data governance practitioner talks about customers or sales, even as data points, most business functions become very interested and engaged. Whatever the goal is for each process, there are always constraints. Once the budget has been set, for example, it is a matter of deriving the maximum return, rather than complaining about its restrictions.
Another parallel can be drawn with rules that guide us in everyday life. “It is like the speed limits on roads. They are not there to slow you down - they are there to make the road safer. If you talk about fines, it just annoys people. What you need to talk about is reducing accidents and fatalities,” says Roberts.
A focus on the way data governance increases the usability and value of data can help to drive the process. Data quality or permission rates are very clear proof points that the processes are working (or not) and helping to support business-critical processes (or not). How much easier it is to draw a connection between having an opt-in, for example, and positive revenues than to get bogged down in why a particular wording may not be fully compliant.
To get buy-in to this approach, a process of listening to those business functions to hear what their needs and challenges are will prove helpful. It is a common dimension of engagement that people feel it more if they have a sense of being consulted, rather than just dictated to.
For data governance, that has to be a constant process as the needs and obligations continue to evolve. “When we started, we set out a series of milestones for where we were and where we wanted to get to. We described it as a journey - we are never going to reach a perfect state,” says Marie Heracleous, head of data for BBC TV Licensing at Capita, which created the data governance framework for the viewing rights tax organisation.
“You need to set expectations that it is not a one-hit-wonder,” she warns. “Just because you have employee forums, meetings, data governance council members, it is important to say these are different stages in the journey - the organisation will never be at the most mature level.”
She also warns about allowing data governance to become an exercise in box-ticking, where each new policy or procedure is seen as something to be listed, rather than lived. “At the BBC, they are aiming for level three maturity where data governance becomes pro-active. Of course, that can be affected by external factors, like new laws, so you have to remain flexible,” says Heracleous.
Sometimes, those external factors are a help, rather than a hindrance, by getting concerns about data and its governance higher up the agenda and to the front of managers’ minds. Each time there is a major data security breach or loss, for example, an appropriate reaction is to check whether it could happen within your own organisation. Over-confidence that everything is properly controlled should be avoided in case complacency becomes carelessness.
Heracleous argues that value-based arguments are helpful, but also sees another path to sustaining investment and support. “You have the revenue case, but there are also arguments about cost-avoidance,” she says.
The content and outputs from data governance programmes also need to be interesting. A well-wrought policy may feel satisfying for the practitioner and legal team, but if it just sits on the shelf unread, it is not effective. Everybody in the data governance space agrees on the importance - and difficulty - of ensuring internal communications are an ongoing part of the programme.
“It is all about turning it into something that business people can relate to. If they can’t, you are just seen as dull people talking about compliance and handing out 50-page documents,” says Heracleous. That does mean a data governance function needs to include people who are capable of internal marketing, just as much as it needs data practitioners who can handle the detailed work. “You need a blend of skills - and it is more challenging as you move up the scale. Many practitioners are not good leaders,” she says.
Real-life examples are a powerful way to make data governance relevant to frontline staff. Just as pen portraits make a customer segmentation understandable, so examples help employees to understand that data loss can cause a customer distress and problems, rather than just focusing on the problems it might cause the business with a regulator.
Simon Rogers, security and privacy consultant with IBM, agrees that, “it is not just about two people in an office writing policies. What you have to be wary of is looking at yourselves as different. Too often, the people promoted to make this happen are chosen because they are good compliance officers, not because they are the right person to run the function.”
That is an important distinction and one that could impact on the sustainability of data governance. It will always be important to get the underlying policies right and in line with the legal obligations. Without a passion for ensuring those policies are not only adopted, but also delivered by the frontline, any project will tend to run out of steam.
“Data governance owns the advice and awareness. Delivering compliance can only be done by the people implementing systems,” he says. The notion of Privacy by Design, for example, is one that has to be acknowledged and accepted by the IT department to ensure any new solution is compliant, just as much as it has to be by marketing in the data it demands from customers.
That said, the fear factor will always be a component of the data governance business case and part of what maintains the momentum of a programme. “Risk ownership is key, having a chain of governance and responsibility,” argues Roberts.
“It is not just the legal dimension. It is about doing what is appropriate to the business that may even exceed the legislation,” says Rogers, echoing the Direct Marketing Association’s recent calls with the launch of its Code of Practice for attaining a higher level than just compliance. “You have to make that happen in the business context and in the way you interact with your customer base. That is not an easy sell.”
Data governance professionals tend to focus on the process, which does mean they have a durability and willingness to return over and again to the same set of problems. That is not true of most managers in other functions, who are looking for outcomes. It is this mismatch that presents the challenge to getting the compliance culture to come alive, rather than just being viewed as a one-time project.
The good news is that through constant internal marketing and accessible explanations, that objective can be realised. The bad news is that it requires constant work. As Heracleous warns: “Data governance has no right or wrong answers. If you do it well, nobody notices. Only if it goes wrong do people start noticing it.”