Data Governance: A Guide for Managing Enterprise Risk
Article


by Mirena Taskova
August 03, 2023

Data governance lies at the heart of enterprise risk management. Access to consistent, accurate data enables informed decisions that drive your organization’s growth and success; protecting the integrity and correct use of data is critical for security, usability and regulatory compliance.

This article aims to help you understand the basics of data governance and learn how to structure a strong data governance program and set priorities for more effective risk management.

What Is Data Governance?

Every organization has rules around using, organizing, securing, testing, monitoring and disseminating data. These policies and internal standards comprise the organization’s data governance program and control every aspect of data management.

Data governance is a comprehensive term covering many different aspects of the way team members relate to the organization’s data. It includes sweeping security policies as well as small details that are nonetheless important for ensuring the consistency and usability of data.

Enterprise-level organizations typically have a formal data governance program that includes designated data stewards and comprehensive written policies. These policies are clearly communicated to employees and leaders throughout the business and are included in onboarding of new hires.

Data governance programs take into consideration compliance with applicable regulatory requirements, such as EU and U.S. federal and state-based privacy legislation (e.g., CPRA, GDPR, HIPAA). Frameworks, such as NIST PF (privacy), NIST CSF (cybersecurity), AI RMF (AI Risk Management Framework) may also support the data governance program.

In addition, a strong data governance policy increases operational efficiency by ensuring that employees have access to information that’s accurate, timely and consistent across the organization. Properly implemented data governance also leads to improved data, facilitates better business decisions and allows maximum benefit from advanced data analytics techniques to evaluate and improve business performance.

Data Governance Strategy

Your data governance strategy makes it clear where your data originates, where it's stored, what safety and security protocols are in place to protect data, how data is processed and shared, and which users can access certain types of data. Organizations often go wrong by not having a strategy that is well-planned and detailed. Implementing an effective data governance strategy that is well documented and consistently applied will help you achieve better quality data, improve organizational effectiveness and contribute to regulatory compliance.

Your data governance strategy should create consistency and efficiency by providing structure for the many details in data governance, aligning policies in different parts of your organization. To achieve this, your strategy must address all of the following areas:

Your strategy should clearly describe processes and rules that apply to each of the areas listed above, along with defining specific responsibilities and the individuals responsible for meeting them. It should also offer guidance on how to measure success and compliance with the policies.

Design your data governance strategy by methodically evaluating the basics of data and associated governance needs for each area, thinking in terms of people, processes and technology as you work through four distinct steps:

  1. Identify the type of data you have
  2. Assess AI, security & privacy risks, among others
  3. Identify your critical systems
  4. Identify key data handlers

These steps are the core pillars that allow you to create foundational processes for governing data throughout your organization, including data considerations related to vendors and third-party relationships. When complete, your data governance strategy should define policies tailored for each type of data that follow it throughout the data lifecycle.

The same evaluation process can help you assess the completeness of your current data governance program and how well it’s working.

Questions to Help You Think Through the 4 Pillars of Data Governance

People: Who uses and owns the data? Which teams are responsible for systems that process the data (typically the IT team)? Who implements the data governance program?

Processes: Where are the touchpoints for each type of data? What policies control how data is used, stored and accessed from when it enters the organization until it is purged or deleted?

Technology: Which tools can help you accelerate your data governance program? What are the internal tools you’re already using to collect, process, manage and secure data?

Data Governance Tools

Tracking and coordinating data across your organization is one of the most challenging and valuable aspects of data governance. Using appropriate tools can make this job easier, but that doesn’t necessarily mean easy. Data governance must be a high priority as you select systems and platforms to achieve various business objectives.

Most businesses rely on many different data governance tools — everything from customer relationship management, fintech and corporate performance management solutions to SOX reporting and various industry-specific business intelligence tools. Additional vendor management tools, as well as privacy and cybersecurity tools and protocols the company has in place typically overlay the data management capabilities that accompany your various business solutions.

The limiting factor is more often the architecture of the program rather than a particular tool. You can avoid many data governance difficulties by paying close attention to the interoperability of various tools under consideration, especially those that help automate business processes.

Data Governance Best Practices

Your organization’s data governance needs are similar in some respects to those of many other businesses; other needs are unique to your industry and your particular organization. For example, healthcare providers, insurers and others that handle health-related information must implement policies to comply with HIPAA.

To enable the approach to data governance that’s right for your organization, it’s imperative to conduct a thorough assessment of your current security, privacy and AI practices. You’ll also need to refer to established frameworks that address these concerns, including NIST CSF (security), NIST PF (privacy) and AI RMF (AI). Some organizations may want or need to adopt strategies that ensure compliance with frameworks such as HITRUST or seek certifications to verify a rigorous security posture.

It's also important to understand that like choosing business technology, your data governance strategy is not a “one and done” process. Rather, it’s an evolving approach to risk management that must be consistently refined and adapted in response to a shifting threat landscape and changes within your organization — again, including people, processes and technology.

New legal requirements are emerging as well, especially in regard to privacy. So, it’s important to monitor proposed laws and regulatory frameworks in your location and your industry. And with multiple legal frameworks in play, your data governance program must comply with all applicable legislation and include enough flexibility to allow changes as new standards and rules appear.

Given the vast scope of data governance across a large enterprise, it’s easy to view understanding and managing your total data flow as an overwhelming challenge. Instead, focus on identifying the critical systems and then turn to relevant teams in each area to support your efforts.

When you’re designing and implementing your data governance program, keep these additional tips and best practices in mind to make your program easier to manage and more effective:

  • Allocate the right team of experts
  • Ensure proper collaboration between teams, paying special attention to see that the privacy and security teams work hand in hand
  • Clarify the roles and responsibilities for everyone on your team
  • Consider the entire data life cycle
  • Incorporate a continuous monitoring plan and regularly assess your privacy and cybersecurity posture
  • Establish clear definitions to help maintain a uniform approach within the organization
  • Place special focus on AI-related matters and other new products and services

Data Governance Roles

A data governance team includes the following members:

Data administrator – Manages the data governance program and helps resolve any data-related issues

Data steward – Helps connect the IT team with the rest of the business, including the leadership team, and helps facilitate user access to the appropriate data

Data custodian – Handles data storage, security and user access as well as data quality issues

Data user – Analyzes data to uncover valuable insights and apply learnings to make informed decisions or revise a business strategy

The members of your data governance team will perform best when they collaborate and share the insights, obstacles and solutions they encounter in their distinct roles.

Data Governance Examples

The following list illustrates the breadth and variety of data governance considerations but is by no means exhaustive:

  • Naming conventions (e.g., documents, events, individuals, email addresses)
  • Protocols for entering and expressing data (e.g., formats, measurement units)
  • Data storage tools and technology platforms
  • Limits on access to sensitive data
  • Data security policies (e.g., required password changes, two-factor authentication)
  • Data collection standards and methods
  • Data sampling methods
  • Testing cadences
  • Data verification tools and techniques
  • Anonymization and removal of personal data
  • Privacy notices and options for consumer data privacy requests
  • Data sharing rules
  • AI policies
  • Non-disclosure agreements and other contracts

Vendor Risk Management

Businesses often struggle with data governance risks related to vendor and third-party relationships. These relationships demand close attention and monitoring to ensure they do not create excess risk and they comply with your organization’s overall data governance program.

The following process can help you identify and mitigate this kind of data risk:

  • Assess the business engagement and evaluate the processing activities
  • Assess the role of the third parties (controller/processor)
  • Verify the internal processes
  • Review onboarding/privacy/security/AI questionnaires for accuracy
  • Assess integration and data sharing
  • Assess the impact resulting from the onboarding of the third party
  • Request and assess certifications (e.g., ISO, NIST, SOC)

Scrutinize vendor onboarding questionnaires closely and follow up for more detail or clarification, if necessary, as accurate onboarding questionnaires are essential for efficient vendor management.

Proper collaboration between your security and privacy teams plays an important role in managing third-party-related risks as well. Following individual review of the questionnaires by both teams, it’s often helpful to perform a second joint review to ensure clarity, compliance and coordination.


Do You Have the Right Data Governance Program in Place?

Data governance is a complex challenge that impacts your organization’s risk matrix as well as its profitability and competitive edge. But you don’t have to face this challenge alone. Turn to the data governance experts at Armanino for guidance and support in this ever-more critical aspect of success in a digital world.

Author
Mirena Taskova - Risk Assurance & Advisory - San Jose CA | Armanino
Managing Director, Head of Privacy