I had the pleasure of participating in a research roundtable hosted by ACCA (an IMA strategic partner) last week that will serve as the basis for a thought paper from ACCA and IMA on managing the data life cycle. Included in the roundtable were professionals with a mix of backgrounds, including technologists, CFOs, consultants and attorneys.
We began the discussion by looking at a model for the data life cycle – there are certainly many models for this cycle, or at least I have come across more than one during my professional career. Each of the models essentially cover the same types of stages: sourcing or discovery of data, extraction or gathering of data, refinement or validating of data, analysis of data, storage of data, and disposition of data. What seems to be consistently missing from these models at the front end of the cycle – or perhaps it is an assumed first stage – is the authoring or creation of data itself.
Organizations will be both creators and consumers or users of data. Companies consume their own data as well as that from external sources such as data aggregators, open data on the Internet, research and more. Their own data is within their control; external data is not – caveat emptor comes to mind.
Much attention is paid to the concept of ‘big data’ – increasingly, mountains of big data are unstructured and often non-financial in nature (e.g., sustainability information about environmental, social and governance factors), including narrative, non-numeric information. External data lacking context and structure is often more challenging to discover, validate and analyze. Open data sets are becoming more available over the Internet, but with varying degrees of quality, context, structure and integrity.
In contrast, data authored or created within the company creates opportunities for the organizations:
- To make that data easily and quickly accessible;
- To collaboratively create data with meaning and context, all the while preserving its lineage to the original source(s);
- To enhance the utility of information across the enterprise and perhaps with supply chain partners or other stakeholders; and
- To ensure the security of the information.
Advances in cloud computing have made some of these opportunities a reality, including the collaborative online authoring of information, the ability to connect data to its sources (including providing embedded audit trails and trails of evidence), and automating internal controls and monitoring mechanisms in a secure cloud environment.
Enabling technologies like XBRL help companies provide context and meaning to their digital information so that they can improve the re-usability of data or enhance processes like external compliance reporting or automating the ‘last mile of finance.’
These are just a few examples. But the bigger issue is a more strategic one.
As we continued in our discussions at the roundtable, I suggested that we talk a bit about companies developing an effective Data Governance Strategy (let’s call it DGS for ease of argument here). A DGS will help companies deal with the issues that arise when managing the data life cycle, … and many others.
In a nutshell, a DGS speaks to the company’s overall management of the availability of information, the usability or utility of that information, the integrity and quality of information, and the security of information. Data is a mission-critical asset of any company today; its ability to govern and manage this critical asset is equally important. Boards of Directors and senior management or principals/owners need to ensure that they have adequate strategies and plans in place to govern this asset and protect it. With cyber security breaches in the daily headlines, governing your data assets is now a material risk factor. According to an InformationWeek story in February 2014, almost half (44%) of companies do not have data governance plans in place, and 22% of those without one have no plans to implement one. Scary thought in today’s economy, where it appears many companies are just a series of keystrokes and poor controls away from a significant hack. Although the article goes on to say that the concepts covered by a DGS are nothing new to larger companies, it is surprising how many don't have the strategies and plans in place. Even more worrisome is the situation among SMEs – if their larger peers don't have effective DGSs in place, what level of risk or exposure do most SMEs face? Loss of data, control, customers, trust, brand credibility and reputation are just a few, not to mention the lawsuits to follow.
The InformationWeek story concludes with recommendations from the Rand 2013 Data Governance Survey as shown below – I have included some Notes as well for you to consider after each point:
- Organizations should develop a formal data governance policy or reevaluate its current plan. "This survey shows that no policy is flawless, but continually working to improve your policy can only increase the value your organization derives from its data." (Note: a DGS should not sit in a drawer and collect dust once it is created – it is a living, breathing thing that should be managed and revisited to ensure relevance.)
- Develop a "cross-functional approach" to data governance. Solicit input from everyone in your organization, from C-suite executives to IT managers, corporate counsel, and end users. Once the data policy is in place, you should instruct employees how to contribute to and benefit from the plan. (Note: The CFO is part of this process… perhaps even the driver of the process.)
- A data governance policy should comply with the organization's legal and regulatory requirements. Since different types of data have different retention period requirements, you should know what those requirements are and find ways to meet them. (Note: You may find certain requirements across jurisdictions may conflict – your legal counsel must be part of the discussion.)
- Keep an eye open for new technology. With the growth of big data, data governance should be reliable, scalable, and efficient. Consider new technologies that help you reach your data management goals. (Note: technologies are always changing and improving – be careful here. Select the technologies that best fit your organizational needs.)
#risk #TechTalk #integrity #CFTO #asset #data #strategy #dataquality #materiality #cybersecurity #cyberrisk #IT #security #informationtechnology #XBRL #datagovernance #technology #Csuite