Intelligent Enterprise

The subprime lending crisis offer fresh evidence that we're in the bear-skins-and-stone-knives era of understanding risk and making good decisions based on data. That's one of the key points I heard yesterday at an IBM Data Governance Council meeting in New York. As sophisticated as predictive models and enforcing business rules may seem, the technology is limited by a lack of best practices and standards and by the sheer scale and complexity of enterprises and financial markets. A first step toward avoiding such calamities, say Council members, is an integrated, overarching data governance program that addresses data security, data privacy and data quality so that risks can be better understood and outcomes anticipated.

"When the subprime loan scandal broke, a lot of people said, 'how could they not have known that they were sitting on billions of dollars of bad debt?'" says IBM's Steve Adler, who founded the 50-member Data Governance Council back in 2004. "The problem is that nobody really knows how to look at assets and liabilities and how decisions affect individual performance, the performance of divisions and the performance of companies. That level of institutional awareness about risk-based decision making does not exist."

Institutional awareness does exist in areas such as manufacturing today, thanks to quality control disciplines such as Six Sigma and Total Quality Management, says Adler, "but we don't have that kind of automated view when it comes to information management."

Before I attended yesterday's session, I thought data governance initiatives were preoccupied with data privacy risks, but "it's not just the classic security paradigm," says Adler. "It's also the question, 'what does data tell us about our exposures and how do we ensure that our data is of sufficient quality that we can trust it?'"
As daunting as the question may sound, regulations such as Sarbanes-Oxley and Basel II have forced most large financial institutions to introduce data governance structures, and many organizations are getting arms around the issues by pulling together previously separate initiatives around data security, data privacy and data quality.

"Unless you bring these disciplines together, you end up solving the problems multiple times and tripping over each other," says Richard Livesley, program director, information management at BMO Financial Group, parent of BMO Bank of Montreal and a member of the Data Governance Council. "Even though [data privacy, security and quality] are addressed by three separate groups within our organization, we've been very successful at running as one single entity in terms of our face to the business. We're offering the same training, working under the same policies and, as much as possible, sharing the same [data] classification standards."

Cleveland-based KeyBank is another Council member making progress toward top-down coordination. "We have combined the areas of information security, privacy, continuity and recovery, and physical security into one organization under the chief security officer," says Ed Keck, vice president and lead corporate security strategist. "We have also established a dotted-line relationship with our data architecture/data governance group , which is part of the IT organization, so we're very tightly coupled and it's very easy for us to work together."

Livesley and Keck both acknowledge that even the most advanced firms have a long way to go to reach the highest levels of a Data Governance Maturity Model developed by the Council, but they add that just having that model in place has been a major step in the right direction.

"The challenges of putting all these pieces together in a large organization just can't be solved in two or three years," says Livesley. "Just knowing where you are and having a roadmap for where you're going is a success."

E-MAIL | FOLLOW US