Blogging all things data

How to implement a Data Governance Framework and Maturity Model

How to implement a Data Governance Framework and Maturity Model

A good data governance framework is a desirable aim for any organisation, but the path to establishing and quantifying it can be unclear. When it comes to understanding the exact progress that has been made, there are a number of different data governance maturity models made by a number of high profile data organisations such as IBM and Gartner. Aside from reference to these specific models, there are broader, principle-based roadmaps such as the Data Governance Australia Code of Practice, which can be a good guide to steering your organisation in the right direction.

Once you've identified your journey, a way to kick-start the process is setting up and properly empowering a Data Governance Executive Steering Committee. Having adequate, cross-department decision making authority, the Committee is best suited to driving the fundamental, cultural change that is needed.


What it Means to Have a Data Governance Framework

In the previous blog on Data Stewardship, we highlighted David Plotkin’s breakdown of the data management space in to the “Three Ps”, wherein Data Governance is concerned with the Policies and Processes and Data Stewardship refers to the effective implementation and maintenance of Procedures. The overall aim is to establish an organisation-wide web of responsibility and accountability. Data that exists in a void is useless. Data that accounts for the fact that it is produced and used by people is the lifeblood of a successful enterprise.

Data as a business asset

The path to effective organisational policy-driven data governance begins with recognising data as a valuable business asset and works towards building a framework that cultivates the value that it provides. It involves stepping back from the day-to-day decisions and processes in order to see the bigger picture. An important aspect of this is to ensure that this outlook transcends departments and represents a truly organisation-wide change in attitude and processes.

Useful and practical data

Proper implementation and practice of improved data standards impacts the entire enterprise-wide data lifecycle. Data is made to be useful and fit-for-purpose without going through unnecessary and time-consuming rounds of processing. A result of this is improved overall confidence in data, leading to reduced friction and fewer delays across the entire organisation. 

Consistent standards

Common standards regarding how and when data is retired or archived is a path towards less bloat and improved performance with databases. Well thought out and implemented policies about access and disclosure can help prevent much dreaded leaks and breaches that can be incredibly damaging and disruptive. 

The Role of the Executive Steering Committee

A way of anchoring this kind data governance aim within an organisation is to establish and empower an Executive Steering Committee. This Committee typically consists of a relatively small number of executives and has the information and decision-making capacity to understand and implement not only new, organisation-wide data policies but the cultural change that is required to bring them successfully into practice. 

It is important for this Committee to be truly cross-department and be able to assert decisions across different business areas. Failure to ensure that the necessary changes are applied totally and consistently would represent a failure of Data Governance.

one member of a data governance executive steering committe seated at a desk with a notepad

An additional important role of the Executive Steering Committee is to establish the possible incentives and penalties that will be implemented in order to promote and maintain the necessary change. Any significant issues raised by Data Stewards, that are not resolvable within their teams will be escalated up to the Data Steward. Possessing the necessary information about the long-term strategic direction of the company, the executives will be able to determine where the balance between business requirements and the demands of a more rigorous data regimen.

Data Governance Maturity Models

There are a number of different models that have been drafted and implemented by assorted movers and shakers within the data and analytics field. The purpose of these is to interpret the level of development an organisation is at in respect to a successful data governance framework.

It is a good idea to have a general idea of how the journey to well governed data is understood and implemented by these organisations. An Executive Steering committee that is seriously committed to fundamental change is usually well advised to choose and aim to adhere to a well-structured framework with clear objectives and ways of gauging success.

The ARMA International model is based on the Generally Accepted Recordkeeping Principles: Accountability, Transparency, Integrity, Protection, Compliance, Availability, Retention and Disposition. An organisation is graded on each of these levels on a scale of competency starting with Level 1 (Substandard) which represents a baseline, to Level 5 (Transformational) which represents a data environment in which good governance is so integrated as to be routine.

The DMM Maturity Model also lays out a number of areas in which an organisation is graded to present an overall level of Data Governance development. Its categories consist of Data Management Strategy, Data Governance, Data Quality, Data Operations, Platform and Architecture and Supporting Processes. Each of these categories is graded on a 5-point scale starting from Level 1 (Performed), ranging to Level 5 (Optimised), the goal of which is to internalise the understanding that “data is critical for survival”.

The IBM Data Governance Maturity Model measures an organisation and the progress it has made in a number of different fields: Data Management and Compliance, Value Creation, Organisational Structures and Awareness, Policy, Stewardship, Data Quality Management, Information Lifecycle Management, Information Security & Privacy, Data Architecture, Classification & Metadata as well as Audit Information, Logging & Reporting. These fields are graded, once again on a five-point scale of competency, which starts out with processes that are uncontrolled and reactive and moves to a state in which continuous self-improvement is built into the foundations of the process itself.

The Gartner EIM Maturity Model consist of six phases that a company can fall within, represent increasingly sophisticated levels of enterprise information management. From Level 0 (Unaware), which is mainly concerned with raising awareness and education, all the way to Level 5 (Effective), which changes the focus to building institutional barriers to guard against complacency. Each level has a set of very specific points that an organisation is graded against.

Finally, the Dataflux Model uses four well defined levels of progression in regards to data management: Undisciplined, Reactive, Proactive and Governed. Each of the levels of development is presented in terms of how it affects the People, Policies, Technology as well as understanding of Risk and Reward within the organisation, specifically breaking it down into an easily digestible and plottable set of points.

These different roadmaps towards the process of data maturity and a data governance framework show that there is no one-size-fits-all solution within this space. Nevertheless, there are clear convergences across all of the highly structured and proven models.

In addition to these rigid frameworks, there are a number of looser collection of principles and standards for data governance that have been released by different organisations. These promote a voluntary convergence towards more rigorous and ethical standards across all businesses.

a person typing on a laptop with multiple monitors showing a succesful data governance framework

Data Governance Australia Code of Practice

One example of such a looser data governance framework is the Data Governance Australia Code of Practice, which has the aim of creating a:

principles-based self-regulatory regime that sets leading industry standards and benchmarks for responsible and ethical data-practices

In order to be compliant with the Code, a company has to make a determined effort to commit and abide to a list of 9 Principles, in addition to any other relevant legally binding obligations. These Principles are No-harm, Honesty & Transparency, Fairness, Choice, Accuracy, Stewardship, Security, Accountability and Enforcement.

The elaboration of these principles in the Code, show that they are essentially a combination of imperatives to abide with previously existing legislation, assertions that emphasise the importance of building accountability and responsibility into systems as well as an overarching call to act in good faith when dealing with data on a variety of different levels. 

There are some points in the code that are specific enough to be useful as guiding principles. An example is the stated need to ensure mechanisms exist allowing individuals to exercise choice in the collection and use of their personal information. However, there are points that range from vague to unhelpful. An example is the need to keep up with “evolving community expectations to the collection and use of data”, which would potentially lead to reactive policies which many of the more structured approaches to data governance maturity describe as highly undesirable.  

Industry Self-Regulation and Data Governance

One of the stated aims of the Code is to establish good self-regulation within the field, pre-empting potentially disruptive, externally imposed regulation. The performative, outwardly-aimed effect of publishing a list of ethically guided principles and pledging to commit to it may be where the real value of the Code of Practice lies. It goes some way to building up a public image of a company that is committed to promoting self-regulation in the field. This is important in the context of personal data being, more than ever, seen as a valuable asset alongside the trust that is increasingly required for users and external stakeholders to commit their data to a particular company.

Regarding actual, effective organisational change, a Code of Practice may not necessarily be specific enough and a company may opt to go with one of the more rigid and easily quantifiable models. There are a number of Australian data analytics agencies that specialise in giving you the tools and information needed to build a solid data ecosystem. To learn more about this space, watch BizData’s free webinar on Practical Data Governance: