The Prudential Regulation Authority (PRA) has completed reviews of the internal model approval process (IMAP) to assess the quality of data that underpins the validity and integrity of the internal governance model. This review has been performed on over
50 firms in preparation for the introduction of Solvency II2 and a final report has been issued. This report puts forward common challenges in the data ownership models. I have laid my thoughts based on my experience in overcoming similar challenges.
Most firms find it difficult to assign data ownership as defined by their data governance operating model.
- Data Ownership is often not a full time job for most data owners while it is for data stewards.
- Is data owner – a process owner, application owner or people (users’) manager?
- Data owners are often Business analysts, Process owners, Application owners, Project managers, SMEs or knowledge workers supporting processes, people and applications that leverage data in scope and have familiarity and knowledge of the data.
- There are potential benefits to have an ownership model that defines contributing and viewing data owners for data elements along the data lifecycle. This can be based on Creation or Updation or Application of data elements in context.
- The data owner though has the responsibility to ensure data quality, maintain metadata, ensure risk related to data is managed, he/she requires the inputs from the SME who has shared knowledge of that data.
- SME roles should be standardized and should be consulted by stewards and data owners whenever required. The responsibilities of governing data should still lie with the data owner.
- Knowledge of data management and governance processes, techniques, tools is required by data owners to orchestrate data governance activities. These are common challenges that need to be addressed by up-skilling the data owners which will enable them to
take up the governance activities.
- If data owners have business familiarity of the data but do not necessarily understand the flow of data along its value chain, it is a challenge for them in leveraging metadata management and data quality services.
- A culture of business ownership of data should be promoted along with every data governance service that builds awareness in enterprise. Service promotion should have significance on par with Service usage and Service improvement.
- Data owners should be well aware of the benefits of leveraging data governance services. They can then assist other stakeholders in their sphere of influence to look for value beyond their regular line of sight.
- Cascade Goals of enterprise in association with Data Governance to the data owners so that the overall assessment plan takes their performance into account.
Data is typically produced from multiple source systems upstream and used by many users downstream.
- Data can be acquired, produced by multiple source systems which are owned internally or by a third party by Dun & Bradstreet. Data is further Stored and Distributed by multiple systems while it can be Maintained, Applied by downstream systems as well. Data
ownership should be defined across the entire lifecycle of data. Ensure your data mapping process captures all the relevant details.
- The operating model should be designed in a way that would account for the right controls for every lifecycle stage of data. To state an example, every lifecycle stage of data would not necessitate having all the data quality controls. It makes sense to
have Structural and Sematic consistency assessment between data providers and data consumers. It is helpful to understand which operations across POSMAD* have significant risk and ensure that appropriate controls can be identified, implemented, monitored and
- If there is a data provider and multiple data consumers, the technical metadata associated with all the data consumers should be captured as well. This aids decision making for changes that impact various downstream processes. The Decision, Impact analysis,
Requirement analysis turnaround time reduces by significant percentage.
- Most Metadata solutions have the capability to diagrammatically represent the lineage of data elements that enables users to adopt the metadata capabilities.
Organizations did not have a consistent process to communicate upstream system and process changes and its impact to the downstream users.
- Lineage, Data Mapping, data flows and View point analysis are often not available that would assist in impact analysis and decisioning on changes.
- While performing needs analysis in requirements & design phase, make sure to generate maximum options to satisfy the business need. The critical considerations for the decision are dependent on the objectives, but will involve an understanding of the quantitative
and qualitative value and risk of each option, the turnaround time to achieve each future state and opportunity cost to the enterprise. Make sure to have the Data Governance council and data risk committee participates while generating options.
It is important that the data governance function has a broad understanding of the data flow.
- Data and information flows should be available to assist the data governance division and relevant stakeholders better understand the data in various contexts.
Some firms had informal, undocumented processes, and some were unable to quantify when errors or control failures were to be escalated for timely resolution.
- Data governance divisions define the operating models and processes that allow for consistent outcomes of data quality and metadata management and other dimensions. Often these processes are customized in a tangent by lines of business which in turn results
in in-consistent outcomes and challenges in reporting & assessment.
- The risk/value assessment, realization and certification models with specific KPIs, KRIs and thresholds should be imbibed into the Governance processes. These metrics should be owned and maintained by the Lines of Business rather than the governance division
which brings forth business ownership of governing data. These aspects in fact assist in prioritizing the issues or control failures that need to be escalated on priority.
Organizations should be able to rely on the data directory to identify provenance and responsibilities across the data flow
- Glossaries or data directories irrespective of the technology that hosts them should be an enabler to identify responsibilities across data flows.
- Data Directories (artifacts) can be created irrespective of technology and are business and technology enablers of bringing a data driven cultural change. Some techniques used to come up with Glossaries are Metadata elicitation, Data Analysis, Data and
Information flow analysis, Data view point analysis.
- There are solutions in the industry like Collibra, ASG that provide capabilities to capture the data providers, data consumers, responsibilities and related metadata. Capturing the metadata related to the business terms while constantly maintaining it for
every change through ownership and accountability would build trust and confidence in the leveraging the metadata.
Enable effective communication between upstream and downstream users.
- Data governance fosters collaboration between Business & IT, Upstream & Downstream users as well. Every change that affects the data in the downstream should be effectively informed to the downstream users. The project governance models should specifically
ensure that the project plan, business analysis plan and communication plans include these aspects.
There should be a strong process for challenging and auditing the self-assessments.
- Often the data and risk divisions rely on the self-assessments performed by the end users of data. If this is considered the 1st line of defense, there should be an oversight from the division itself to challenge and assess the controls and self-assessments.
The corporate audit is a 3rd line of defense which in fact in an independent body that performs a rigorous assessment of the controls and identifies existing gaps.
- It should be ensured that each line of defense based on it's independent capabilities as stated in the organization model should assess the controls without aligning or weighing heavily on any one line of defense. The gaps identified by each line of defense
form an integral feedback mechanism in bridging the gaps thus defining the success of the entire governance model.
*POSMAD - Plan, Obtain, Store/Share, Maintain, Apply, Delete stages in a data lifecycle. For further reading refer to http://dataassociation.net/dablog