According to Steven Adler, program director of IBM’s data governance solution, the overriding goal is to establish formal business accountability for data. The challenge is that, while the business side of the organization is supposed to own the data, IT has traditionally been considered the steward and is the group that is typically on the hot seat when issues arise regarding the sanctity of data.
The council, which actually asked IBM to organize, developed a series of 11 categories covering different aspects of data stewardship. Against those categories, the now-standard 5-level maturity model was developed to benchmark the organization’s effectiveness.
Adler described some of the categories for assessment. It starts with organizational structure and awareness, to ensure that somebody or some group is formally tasked with data stewardship, and ultimately responsible for data governance decisions.
It also examines what rules and standards the organization follows when it implements data governance mandates. And it looks at how the organization calculates risk exposure, how it uses risk analysis to understand past and predict future performance, and what security measures are in place to mitigate risk.
A key assumption is that not all data is created equal, in that some data is more sensitive than others, while other data is higher value than others. Consequently, one of the areas looks at whether the organization has an adequate mechanism for distinguishing data through criteria such as level of risk or value, and whether governance priorities for the data driven by how data is categorized.
Another metric that should look familiar to anyone with experienced with business intelligence and reporting systems is the issue of data quality. The criterion examines the measures that are taken to protect data quality.
One of the more interesting criteria is value creation. That is where you document the impact of the data on creating business value for the organization, which ultimately translates to actual revenue on the bottom line.
There are several criteria related to data value. One of that covers how data is architected. Specifically, is it architected in such a way that the value of the data can be further enhanced, and how to protect or maintain that value? Another criterion examines metadata, to ensure that mechanisms are in place so high value data is logically accessible so it can be searched or queried using business terminology.
Other criteria focus on information life cycle management, checking of the organization has a consistent process for determining how long to retain data, and based on its stage of the life cycle, where to store it. Another looks at the organization’s capabilities to support audits.
The emergence of IBM’s for-now undisclosed framework is timely given the increasing incidence of publicized data breaches. It’s all too familiar to read a headline that some laptop with sensitive customer data has either been misplaced or stolen.
And it’s one of many frameworks that have emerged in recent years covering IT governance in general (COBIT), IT service management (ITIL), software engineering (CMMi), and security. But in most cases, the frameworks are maintained by independent bodies rather than individual vendors. In many ways, IBM’s data governance maturity model could be considered a subset or logical outgrowth of COBIT.
It’s a shame that IBM is not yet publishing the framework, and hasn’t decided when or whether it will. IBM’s strategy is a bit surprising because in other areas, such as Eclipse, the company has not been hesitant to donate or open up its research to become de facto industry standards. And with initiatives like Eclipse, IBM has been able to cultivate the aura of a company that follows and helps set the agenda for industry standards.
Clearly, data governance is a topic that providers like Oracle or SAP would have a lot to say about. Keeping this within IBM’s orbit will paint the initiative more as a strategy to promote IBM consulting services.
We want to make sure that there are people with experience in this area, said Adler. We want to be able to entrust it to skilled consultants. Of course, by holding off on publishing it, that would at this point pretty much limit the pool to IBM consultants.