It’s not the data management – it’s you

When poor quality data, duplicated effort and siloed information impact operational efficiencies, organisations might feel inclined to point a finger at data management. But it’s not data management that’s broken, it’s enterprise strategy.

By Mervyn Mooi, director at Knowledge Integration Dynamics (KID)

Recently, international thought leaders speculated that data management might be ‘broken’ due to the growth in siloes of data and a lack of data standardisation. They pointed out that data siloes were still in place, much like they were back in the 1980s, and that the dream of standardised, centralised data providing a single view was as elusive as ever.

In South Africa, we also see frustrated enterprise staff increasingly struggling to gain control of growing volumes of siloed, duplicated and non-standardised data. This is despite the fact that most organisations believe they have data management policies and solutions in place.

The truth of the matter is – data management is not what’s at fault. The problem lies in enterprise-wide data management strategies, or the lack thereof.

Data management per se is never really broken. Data management refers to a set of rules, policies, standards and governance for data throughout its life cycle. While most organisations have these in place, they do not always have uniform data management standards in place throughout the organisation. Various operating units may have their own legacy models which they believe best meet their needs. In mergers and acquisitions, new companies may come aboard, each bringing with them their own tried and trusted data management policies. Each operating unit may be under pressure to deliver business results in a hurry, so they continue doing things in any way that has always worked for them.

The end result is that there is no standardised model for data management across the enterprise. Efforts are duplicated, productivity suffers and opportunities are lost.

In many cases, where questions are raised around the effectiveness of data management, one will find that it is not being applied at all. Unfortunately, many companies are not yet mature in terms of data management and will continue to experience issues, anomalies and politics in the absence of enterprise-wide data management. But this will start to change in future.

In businesses across the world, but particularly in Africa, narrower profit margins and weaker currencies are forcing management to look at back end processes for improved efficiencies and cost cutting. Implementing more effective data management strategies is an excellent place for them to start.

Locally, some companies are now striving to develop enterprise-wide strategies to improve data quality and bring about more effective data management. Large enterprises are hiring teams and setting up competency centres to clean the data at enterprise level and move towards effective master data management for a single view of the customer that is used in a common way across various divisions.

Enterprise-wide data management standards are not difficult to implement technology-wise. The difficult part is addressing the company politics that stands in the way and driving the change management needed to overcome people’s resistance to new ways of doing things. You may even find a resistance to improved data management efficiencies simply because manual processes and inefficient data management keep more people in jobs – at least for the time being.

But there is no question that enterprise-wide standards for data management must be introduced to overcome siloes of data, siloes of competency, duplication of effort and sub-par efficiency. Local large enterprises, particularly banks and other financial services enterprises, are starting to follow the lead of international enterprises in moving to address this area of operational inefficiency. Typically, they find that the most effective way to overcome the data silo challenge is to slowly adapt their existing ways of working to align with new standards in a piecemeal fashion that adheres to the grand vision.

The success of enterprise-wide data management strategies also rests a great deal on management: you need a strong mandate from enterprise-level executives to secure the buy-in and compliance needed to achieve efficiencies and enable common practices. In the past, the C-suite business executives were not particularly strong in driving data management and standards – they were typically focused on business results, and nobody looked at operating costs as long as the service was delivered. However, now business is focusing more on operating and capital costs and discovering that data management efficiencies will translate into better revenues.

With enterprise-wide standards for data management in place, the later consumption and application of that data becomes highly dependent on the users’ requirements, intent and discipline to maintain the data standards. Data items can be redefined, renamed or segmented in line with divisional needs and processes. But as long as the data is not manipulated out of context or in an unprotected manner, and as long as governance is not overlooked, the overall data quality and standards will not suffer.

Companies still fail to protect data

Despite their having comprehensive information security and data protection policies in place, most South African businesses are still wide open to data theft and misuse, says KID.

By Mervyn Mooi, Director at the Knowledge Integration Dynamics Group

Numerous pieces of legislation, including the Protection of Personal Information (POPI) Act, and governance guidelines like King III, are very clear about how and why company information, and the information companies hold on partners and customers, should be protected. The penalties and risks involved in not protecting data are well known too. Why then, is data held within South African companies still inadequately protected?

In our experience, South African organisations have around 80% of the necessary policies and procedures in place to protect data. But the physical implementation of those policies and procedures is only at around 30%. Local organisations are not alone – a recent IDC study has found that two-thirds of enterprises internationally are failing to meet best practice standards for data control.

The risks of data loss or misuse are present at every stage of data management – from gathering and transmission through to destruction of data. Governance and control are needed at every stage. A company might have its enterprise information systems secured, but if physical copies of data – like printed documents or memory sticks – are left lying around an office, or redundant PCs are sent for recycling without effective reformatting of the hard drives, sensitive data is still at risk. Many overlook the fact that confidential information can easily be stolen in physical form.

Many companies fail to manage information sharing by employees, partners and other businesses. For example, employees may unwittingly share sensitive data on social media: what may seem like a simple tweet about drafting merger documents with the other party might violate governance codes. Information shared with competitors in exploratory merger talks might be misused by the same competitors later.

We find that even larger enterprises with policies in place around moving data to memory sticks and mobile devices don’t clearly define what confidential information is, so employees tweet, post or otherwise share information without realizing they are compromising the company’s data protection policies. For example, an insurance firm might call a client and ask for the names of acquaintances who might also be interested in their product, but under the POPI Act, this is illegal. There are myriad ways in which sensitive information can be accessed and misused, with potentially devastating outcomes for the company that allows this to happen. In a significant breach, someone may lose their job, or there may be penalties or a court case as a result.

Most organisations are aware of the risks and may have invested heavily in drafting policies and procedures to mitigate them. But the best-laid governance policies cannot succeed without effective implementation. Physical implementation begins with analysing data risk: discovering, identifying, and classifying it, as well as analysing its risk based on value, location, protection, and proliferation.  Once the type and level of risk have been identified, data stewards need to take tactical and strategic steps to ensure data is safe.

These steps within the data lifecycle need to include:

  • Standards-based data definition and creation to also ensure that security and privacy rules are implemented from the outset.
  • Strict provisioning of data security measures such as data masking, encryption/decryption and privacy controls to prevent unauthorised access to and disclosure of sensitive, private, and confidential information.
  • The organisation also needs to securely provision test and development data by automating data masking, data sub-setting and test data-generation capabilities.
  • Attention must also be given to data privacy and accountability by defining access based on privacy policies and laws – for instance, who can view personal, financial, health, or confidential data, and when.
  • Finally, archiving must be addressed: the organisation must ensure that it securely retires legacy applications, manages data growth, improves application performance, and maintains compliance with structured archiving.

Policies and awareness are not enough to address the vulnerabilities in data protection. The necessary guidelines, tools and education exist, but to succeed, governance has to move off paper and into action. It is important for companies to understand that policies and awareness programmes are not enough to ensure good governance. The impact of employee education is temporary – it must be refreshed regularly, and it must be enforced with systems and processes that entrench security within the database, at file level, server level, network level and in the cloud. This can be a huge task, but it is a necessary one when architecting for the future.

In the context of the above, a big question to ponder is: Has your organisation mapped the rules, conditions, controls and standards (RCSSs) as translated from accords, legislation, regulation and policies, to your actual business / technical processes and data domains?

How to use BI to clear a path through the GRC minefield

Good BI cuts risk and produces value

By Gavin Morrison, MD of Cubic Blue, a Knowledge Integration Dynamics company


Governance, risk and compliance standards and practices were established to safeguard against excessive risk-taking by financial services organisations with depositors’ funds, yet in the financial crisis of 2007-2008 they failed to live up to expectations.

That ushered in round two, a new and additional set of governance, risk and compliance standards. Now you’re expected to live up to them yet they are far more stringent than before and place a nearly onerous burden on your IT systems. Executives, who may know very little about IT, are subject to severe penalties if the terms of good governance, risk and compliance policies, standards and practices are not met. So how can you be sure your organisation is top of the pops?

A swarm of jargon will barrage you as you investigate possible solutions, from the now-ubiquitous big data to metadata, warehousing, mapping, re-engineering, data architecture, governance, framework, and more.

Essentially, though, what you need to do is know who deals with your data, when, how, why, where it goes, who sees it, what they do with it, and check that against policies of what’s acceptable and what’s not.

The SNAFU

The problem today is that enterprise systems are experiencing a revolution of sorts. Data is collected, managed, stored, retrieved and deleted almost anywhere across the digital landscape. It is no longer confined to your basement in IT systems over which you have complete control. It is also collected very quickly and, in some instances, must be used very quickly and destroyed with equal speed.

It makes the environment difficult to control because there can be many systems in many different places working rapidly with many different people.

In large businesses your problem gets worse. Many people interact with the data but they may not all perfectly understand the corporate strategy nor the implications of governance, risk and compliance. They may also not know who is accountable and responsible or who to turn to for help.

You need an IT private investigator

What you need is a technology sleuth, an IT private investigator or PI, to snoop through the systems and find out what’s happening, who’s doing what, where, with what data and when.

  1. You need to manage the network and the applications it serves to your users so that you can see who is accessing what and when.
  2. Then you need to automate the compliance controls through policies that direct people as to what they can and cannot do.
  3. Automated systems protect the data and information from erroneous use as well as unscrupulous activities by those inside and outside your organisation.
  4. Embedding compliance and control activities in business processes ensures adherence throughout your organisation.
  5. Effective monitoring closes the loop.

It is absolutely crucial to know that technology alone will not take care of the governance, risk and compliance needs of your business. There must be effective strategy coupled to potent execution. It needs to be proactive and systemic. And that requires upfront planning, particularly in light of the broadened scope of IT systems and data to the web and the cloud.

Determine the killer risks

Your organisation will face greater risks in specific parts, services, customer segments, markets and products. Those are where you expend your greatest effort and exact the most stringent control and reporting. They also form the ground zero starting point where you can iteratively roll out your governance, risk and compliance programme that mitigates your greatest exposure.

3 ways BI helps you

Business intelligence or BI will help you:

  1. Document and test controls
  2. Find the risk categories and monitor them
  3. Develop and communicate policies for training and change

Those steps relate to business activities such as checking that budgets are approved, vendors are approved, contracts are qualified and reporting is accurate, checking whether or not service providers are achieving service level agreements, and checking absenteeism rates, average ages of employees, frequency of performance reviews and many more.

Effective risk management employs business intelligence to map governance, risk and compliance activities and systems to value, aligns the behaviour of your organisation’s people to creating value, builds a profile of performance versus controls, and monitors, predicts and reduces risk by improving performance.