Customer data is a valuable business asset that has received less management attention, resources and business process than are applied to other value-driving parts of the organisation. Customer data can also be a significant liability. Personal, behavioural and transactional data used for marketing and marketing communications needs careful management in order to be accurate, accessible, compliant and fit for purpose.
There is a strong need to raise standards in data management to help private and public sector organisations cope with growing regulation as well as helping them integrate disparate data sources to gain an holistic view of the customer, prospect and market. Better data management also unleashes the full value of data assets while avoiding the downside risks from data security breaches, data theft or loss and improper or inaccurate use of data.
The Impact of Poor Data Governance
There are a number of issues related to data that create potentially significant risk for an organisation.
Risk of Data Theft: Do you know what time of day your sensitive information is most at risk? Between 3 and 5pm on a Friday afternoon. That is when members of staff start planning their weekend, realise they are short of cash and decide to steal personal data for sale on the black market. While such actions by front-line staff in call centres have been well publicised, it is just as common among back-room members of the IT department.
According to Forrester Research, 80 per cent of data leaks are created by staff. Current trading conditions which have led to increased redundancies have also led to an increased risk of data theft by staff. Only 12 per cent of sacked IT professionals would not abuse their access rights to take sensitive data out of a company if made redundant, compared to 88 per cent who would, according to a survey by Cyber-Ark.
New research from DQM Group supports the view that data theft is a common business practice, especially among departing employees. Most respondents in the survey among over 500 major organisations in 2010 believed employees often take customer data with them when they leave a company. Many didn’t think this could be prevented – and didn’t know that it is illegal.
•Over 76 per cent of respondents believed it is common practice for sales and marketing staff to take customer contact data with them when they leave an organisation.
•Over 80 per cent of respondents felt that staff should be able to take customer data with them to their next job.
•75 per cent of respondents in sales and marketing said that theft would drop significantly if false contacts (or “seeds”) were added to the data to catch thieves and monitor all use of the data.
Impact of Data Theft: Following a data security lapse 10 to 20 per cent of customers will be lost in any given year, according to Forrester Research. The most recent Ponemon Institute survey indicated that 74 per cent of survey respondents lost current customers as a direct result of a security breech. TK Maxx is estimated to have lost £800 million in forecast revenue as a result of its 2007 data breach.
Consumers have become aware of the issue of data privacy and the potential impact that data security breaches, losses or even just data misuse can have on them. In the DMA Data Tracker survey among 1,145 consumers, loss of trust would result from a number of causes, including a bad personal experience, media stories about lost or misused data, or even receiving unwanted marketing materials.
When consumers start to be concerned about an issue, regulation is sure to follow. New powers have been granted to the Information Commissioner to impose fines on companies in breach of the Data Protection Act of up to £500,000 for serious breaches and negligence.
With the burden of regulation increasing, organisations will undoubtedly have to apply more resources than before to the area of data governance. David Myddelton, emeritius professor of finance and accounting at Cranfield University School of Management, highlights that, “the compliance costs to a business often amounts to five times as much as the direct costs. The hassle factor can also be a serious cost to a business although it is harder to quantify.”
According to the 2008 report, “The Information Opportunity”, prepared by CapGemini, “poor utilisation of information assets equates to an annual £46 billion missed opportunity for private sector profits”. The principle barriers to realising those profit opportunities are data quality, systems, processes and data security.
Larry P. English in his book Information Quality Applied identified 122 organisations in Europe and the USA that together had wasted over $1.2 trillion due to problems created by poor quality data. He estimates that between 20 to 35 per cent of an organisation’s operating revenue is wasted in recovery from process failure and data scrap and rework.
This is the space in which data governance is being brought to bear in order to control risk and reduce the impact from data breaches.
The Benefits of Good Data Governance
If your organisation has an IT infrastucture, it has data. If it has data, it needs data governance. This suite of processes has to be enacted in day-to-day business activities every time personal information or sensitive data is being handled.
Good data governance isn’t just about reducing business risk. It often delivers substantial benefits in its own right. Instead of seeing Data Governance as an extra cost of business, it should be recognised that brand values and perceptions can be positively impacted. Not least, it should be seen as an investment in an important asset, which should have a significantly positive impact on business profits and growth.
Significant consumer trust can be built through a clear, fair and positive approach to the collection and management of their data, as will proactive data security measures and a clearly demonstrated commitment to preventing data loss.
A major insurance company successfully reduced errors in applications from 34 per cent to 4 per cent of policies by reviewing and simplifying its data error process, leading to savings in data entry costs estimated at over £1.5 million. The organisation also significantly reduced policy cancellations and cut claim overpayments by over £2 million through better data management.
What is Data Governance?
People often have a different understanding of the term data governance. To some, it’s all about privacy and regulatory compliance. To others, it’s more about security or data quality. In fact, it covers all of these key topics and much more.
Data governance encompasses the people, processes and technology required to create a consistent and proper handling of an organisation's data across the enterprise. It encompasses all aspects of data management and not just data quality, data security, and regulatory compliance.
Tony Fisher, in The Data Asset, writes: “Data governance is a methodology and philosophy for benefiting from your data. It is not a programme or a technology that will ‘fix’ a problem. It is much more than just having a strategy. Data governance is a mindset. It’s about establishing a culture where quality is achieved, maintained, valued and used to drive the business.”
Recent corporate failures and subsequent legislation has created a new management discipline known as corporate governance, which today is at the top of every board agenda - a key responsibility of every director and a driver to reduce risk. Together, governance, risk and compliance are known as GRC.
Underpinning GRC is a dependency on data. As Mike Ferguson highlights in Governance, Risk and Compliance – the Role of Data Management in Mitigating Risk, data is crucial to effectively governing and managing an organisation. Data itself must be “governed” so that it is accurate, complete, trusted and understood so it can be used to help govern the organisation, greatly reduce risk and achieve compliance.
Data governance is both corporate and individual. Every employee needs to understand and conform to stated policies and regulations. The organisation needs to be able to audit that understanding and demonstrate to regulators that it is maintaining best practice.
The goal of GRC and data governance is a shared one – to add value to the enterprise while mitigating risk. This is what attracts support and investment from the Board and makes Data Governance a sustainable activity.
For any organisation with a focus on performance improvement and a significant data resource, the objective should be to progress its data governance capability.
Understanding Your Data Governance Capability
On starting a data governance programme, a priority is to identify quickly any key risks to which the organisation is exposed, before looking at your overall capability and opportunities to grow value. An important step in highlighting where data may be at risk is to carry out a risk assessment and data audit.
Such an initial investigation or audit will “run the ruler” over the business to measure where areas of concern are to be found. Rather than leading to increased red tape in order to ensure compliance, it offers a pathway towards an enabled business that has an assured, fully compliant data asset at its heart.
As a starting point for a data governance programme, a thorough investigation will examine your existing policies around data security and compliance in relation to current legislation, such as the Data Protection Act. It should generate a gap analysis compared to external data governance standards, such as DMA DataSeal, and ISO 27001.
Once the initial risk assessment is complete and any immediate issues addressed, you can focus on really understanding your broader capability. When assessing your current data governance structure, your focus should be on three core areas:
People: Data should be central to the whole organisation. It creates challenges which affect every employee, it’s not just another problem for “IT to sort out”. In fact, leaving data to IT is highly unlikely to deliver a data asset that truly supports the demands and opportunities of the business.
Crucial to success is executive-level backing, with a properly funded team focused on delivering high quality, secure and compliant data that is fit for purpose for all business users. Senior management will need to embrace the value of data, promote a vision and positive data culture through the organisation.
Process: Data management is never a one-time programme, but very much an ongoing process. Similarly, it cannot be tackled all at once. You need to recognise that your organisation needs to make step changes to develop its data to be successful. This process must be evolutionary, taking many small, achievable, measurable steps to achieve your longer term goals.
We recommend a “lifecycle” approach to ongoing data development comprising five phases:
1.Data: investigation and discovery.
2.Rules: creating a single data model, data rules and processes.
3.Employment: working to the now universally-agreed rules.
4.Maintenance: the ongoing job of keeping the data accurate and fit for purpose.
5.Redundancy: in line with good business practice (not least the Data Protection Act), the often difficult decision to archive and store redundant data that is no longer of value to your organisation.
Technology: IT can and needs to play a significant role in developing data that is fit for purpose, in reducing risks and in growing data value over the longer term. It will bring significant benefits around standardising data and improving data quality generally, for monitoring and reconciling data, managing risk and implementing a much more secure data culture throughout your organisation. In addition, the right technology tools will enable data to be more efficiently accessed and used throughout the organisation.
Understanding Your Data Governance Maturity
A Data Governance Maturity Model is a good way of assessing where your organisation stands in its capabilities across the key dimensions outlined above. The long-term goal has to be progression towards being a Stage 5 organisation in which people, processes and technology are all optimal. Note that improving your data governance maturity level is hard and will take time. It is a long-term process that must be addressed in small, careful steps.
The model outlined here and in the diagram explains what each of the key stages represents in terms of capability.
Stage 1: Aware
Data management is undisciplined, there are issues, but little is being done about them. Typically, 40 per cent of organisations fall into this first category.
Characteristics of the Aware Stage:
•Duplicate and inconsistent data
•Unable to adapt to business changes
•Localised data management
•Technology addresses specific problems and needs
•Technology is likely to be:
•Database marketing system (often outsourced)
Stage 2: Reactive
Some issues are fixed as they arise, but the organisation can’t identify/fix the root cause. Between 30 and 40 per cent of organisations are at this stage.
Characteristics of the Reactive Stage:
•Line of business influences IT
•Little cross-functional collaboration
•High cost to maintain multiple databases and applications
•IT blamed for failure of systems
•Odd successes due to “heroes”
•Technology employed is likely to be:
•Customer Relationship Management
Stage 3: Proactive
The organisation can identify and address root causes and stop issues before they arise.
Between 10 and 15 per cent of organisations are Proactive.
Characteristics of the Proactive Stage:
•Needs committed experts (Data Stewards/Champions) who understand needs of business and have IT experience
•Business and IT groups work together
•Data is seen as a corporate asset
•Organisation likely to have a single, unified customer view
•Technology employed is likely to be:
•Customer Master Data Management
Stage 4: Managed
Data processes are mature. Issues are identified as they arise and define is focused on data development.
Less than 10 per cent of organisations have reached this stage.
Characteristics of the Managed Stage:
•Focus on improving current systems, rather than seeking a single, all-encompassing solution
•Technology employed is likely to be:
•Automated data security and compliance management technologies addressing people issues
Stage 5: Optimal
The organisation is a centre of excellent in data management. Data and data development is a core competency across people, process and technology.
Only a handful of organisations have reached the Optimal stage.
Characteristics of the Optimal Stage:
•Repeatable, automated business processes
•Business requirements drive IT projects
•Personalised customer relationships
•Optimised business operations
•Unified data governance strategy
•Comfortable adding external data without fear of corrupting internal data
•Technology employed is likely to be:
•Business process automation
•Master data management
Case Study: Data governance in action at a not-for-profit organisation
In 2008, a leading not-for-profit (NFP) organisation began a five-year transformation exercise, planning to invest in excess of £20 million in a major supporter relationship management (SRM) programme designed to create a single supporter view. Its aim is to put its supporters at the heart of its vision and deliver business benefits of over £80 million.
Two years in, the programme was stalling badly due to poor and inconsistent data held on multiple databases across the organisation and with third-party partners. Data formats, standards and rules - where available - vary widely. Access was often difficult, slow and rarely in the form required.
It was clear that, while supporter data is recognised as core to the success of NFP, it was not consistently approached as an asset. Key challenges existed including:
•a lack of single focus and vision for data
•a lack of appreciation of the implications and risks to NFP if data is not treated as an asset
•an organisational structure which does not easily enable access to data by key business user groups to support their activities.
NFP recognised that a step change in its approach to supporter data was required if all the benefits of its SRM programme are to be achieved. This was required urgently and the organisation appointed DQM Group in August 2010 to lead a focused, clearly-defined programme of work to quickly but thoroughly assess NFP’s data capability, map out the target state and define a clear roadmap to enable NFP to move from its current position to the target state.
The key objectives for the programme were to:
•thoroughly assess NFP’s existing supporter data capability
•clearly define the target state
•provide a clear roadmap to enable NFP to move efficiently from its current position to the target state.
On completion of the review, DQM Group provided a clear and detailed statement of what NFP needs to do to develop its supporter data into the valuable business asset that will make a substantial contribution to the organisation achieving its key objectives and vision.
With a tight timeframe, DQM Group worked to two stages:
•Investigation and discovery
•Planning and scheduling
Subsequent stages would be implementation of the agreed plans and roadmap, fixing issues and addressing risks. These will be managed by NFP internally.
The initial priority was to undertake a very thorough investigation of NFP’s current position with respect to people and its organisation - how data is currently managed and how it is needed to support the SRM programme and the organisation in the future.
Another priority was to get a thorough understanding of NFP’s data itself and how it is used in, and by the organisation. The key databases were audited for:
•coverage (records and fields)
•quality (record and attribute level)
In addition, it was necessary to understand how data flows around NFP, its third-party processors and supporters from data capture, to management, maintenance and distribution. Equally important were the rules (or lack of them) that were in place and whether they are being adhered to or ignored.The longer term aim will be to move to a single data structure and single set of rules that are rigorously applied.
The third aspect was to understand NFP’s current technical infrastructure for data management and support, and importantly the functionality of its new SRM system and implementation plans (not least when ideally the single data structure needs to be available). Gaps in the technology infrastructure were identified where complementary technology could be used to help automate data governance processes and help improve data quality, compliance and measurement on an ongoing basis.
NFP Data Governance Maturity Model
In addition to the face-to-face qualitative interviews, DQM Group targeted several versions of its Data Governance Maturity Model questionnaire comprising up to 200 questions to some 140 senior managers, business stakeholders, marketers and data professionals across NFP. This quantitative research was to give a precise current position on the Data Governance Maturity Model and highlight key areas which need addressing to enable NFP to improve its data capability on an ongoing basis. The outputs from this are summarised in the spider diagram below.
A new data organisation was defined with clear roles and job descriptions defined. Thirteen work streams were designed to address and fix all the key issues over a realistic 24 to 30-month time frame. Remodelling and re-scoring the organisation, with it having successfully completed these 13 work streams, would move it into the “Managed” Stage and well on the way to Optimal data governance.