Data Policy Compliance: Beyond Crime and Punishment

In my last blog post, I discussed four distinct categories of measurement that apply to data governance programs: level of policy compliance, level of data quality, impact on business performance, performance of data governance processes. The premise of that posting was that these four dimensions of measurement each told us something different about data governance programs and the policies that are a product of our data governance processes. Each of these dimensions tells us a part of the story, but all are necessary to bring the whole picture into focus.

In this posting, I’ll dive deeper into the first of those dimensions – the level of policy compliance – and explore some of the insights that can be derived from this measurement. For the general public, the word “compliance” evokes images of strict authoritarian control and subsequent punishments for stepping outside of boundaries. But in fact, compliance to data policies can be used constructively rather than punitively.

Any measure can bring to light numerous observations. An assessment of compliance levels allows us to probe for answers to three distinct questions: Is the organization not complying to a process because they choose not to? Is compliance being hindered by system or business process limitations? Has the data governance organization communicated the data policy effectively to the right audience? I addressed the first question in my September blog “Driving Data Governance Past Cultural Roadblocks,” which centered on creating a culture of accountability and incenting knowledge workers to act in accordance with the greater good of the enterprise, so I’ll only discuss the other two questions in this posting.

Data policies are created with a purpose. The set of enforceable, measurable rules that make up a policy can be intended to do more than just improve data quality given the current environment. Data policies can be used as the catalyst to drive organizational and system transformation. New regulations or corporate mandates formulated as a policy may conflict with the existing infrastructure and operations of the business. This doesn’t mean that the policy isn’t valid. Rather, it instantiates the policy as the initial requirements’ definition and begins the roadmap for change. Discussing the challenges of merging a newly acquired company into an existing infrastructure, the CIO of a software company recently said to me: “We can always get the data to look the way we want it to, but the challenge lies in getting the new organization to follow consistent business processes.” Definition of and compliance to data policies addresses both sides of that coin by establishing the quality standards for data and the process context to which that data applies. The policy acts as the change agent to alter the existing process of the acquired company to achieve harmony with the new parent enterprise.

When applying compliance measurement to a policy in which system and process limitations are not a factor, the measurements can often give an indication of the effectiveness of the data governance program’s stakeholder communications. A common cause of non-compliance is poorly communicated policies. Communication to upstream providers of data, downstream consumers of data and any other stakeholders that are involved with a set of data elements that flow through an organization is a key to data governance program success. Effective communication does not mean emailing a policy document to the corporate global email alias in the hopes that the pertinent parties will internalize it. It means getting the right information to the right people in a format that is digestible and actionable. How many emails about assigning the right GL account codes to accounts receivables or some other financial process policies do you think it will take before marketing begins ignoring all emails about policies?

This also means that policies must be structured properly, contain the reasons for the policies, articulate the benefits of compliance, ramifications for non-compliance and address a logical component of data in the context of a business process applied to a defined organizational scope.

Data policies that are well-defined and well-communicated have a much higher rate of adoption and, consequently, of achieving their intended business objective. I continue to be shocked by the number of companies that go through all of the effort to define, obtain necessary agreement to content, hold management and executive review sessions, and ultimately produce a formal policy document yet have no strategy for measuring whether or not the policy has actually been adopted by the business.

Determining whether a policy is effective has tangible, measurable value to the business. And while it does not tell the whole story, measuring the level of compliance provides a good indicator of whether or not the right policy has been implemented at the right time and communicated in a way that drives the affected parts of the organization to act in accordance with the policy to drive toward the greater good of the organization.

When implementing new policies, it is critical to measure compliance levels right out of the gate, even if the policy is intended to drive future-state system or process behavior. Initial compliance measures serve as the baseline, and ongoing measurement become proof-points for determining data governance program effectiveness. Without measuring against the full intent of the policy, for example to bring about some fundamental change in the business to improve agility, reduce cost or mitigate risk, the benefit goes unrealized. As data governance programs continue to fight the battle to prove their value, it becomes imperative to measure, assess and take action to refine the process of data governance.

In my next post, I’ll address another dimension across which to measure data governance programs – the impact that data policies have on the level of data quality.

1 reply

Trackbacks & Pingbacks

  1. […] of measurement that apply to data governance programs: level of policy compliance (addressed in “Data Policy Compliance: Beyond Crime and Punishment”), level of data quality, impact on business performance, and performance of data governance […]

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply