I BET YOU YOUR DATA MANAGEMENT APPROACH IS FRAGMENTED

From our experience, there are two outcome areas that Chief Data Officers (CDO) are typically appointed into solving.  

The first one is using data for offensive plays, that is using compete more effectively. CDO’s who attack this angle typical comes from analytics backgrounds. This is also the area where there’s a large amount of overlap with the organisation’s other CDO…the Chief Digital Officer.

The other angle is the defensive or compliance-driven CDO agenda. From the earliest days, CDO’s here have been appointed to solve issues in regulatory or business performance reporting issues by aligning processes and systems that result in the flow of data from the organisation’s front office to back office.  

This aspect of the CDO responsibility originated from the discipline of Information Management (IM) which arose in the late 1980’s. The information or data management agenda is predominantly concerned with providing policies, process and systems guidance to ensure data is managed and controlled so that it can be used effectively in organisational decision making.

(We discuss the 2 different maturities of analytical vs data management competencies in our article – Data-Driven, But First We Must Tackle The Enterprise Data Quality Challenge)

Some people like to think that data becomes information which then becomes knowledge. @Cognitivo we tend to use the term data and information more interchangeably after all information is also data and lets not confuse the ‘data person’ with the ‘database person’.

According to Dataversity, Data Management is a comprehensive collection of practices, concepts, procedures, processes, and a wide range of accompanying systems that allow for an organization to gain control of its data resources. Data Management as an overall practice is involved with the entire lifecycle of a given data asset from its original creation point to its final retirement, how it progresses and changes throughout its lifetime through the internal (and external) data streams of an enterprise. Some say data management is a subset of information management, but who cares.

@Cognitivo, we’ve done a lot of work in data management over the past few years, particularly in local government, but also within the financial services and the start-up (Fintech) community.

Walking into any organisation, the one thing we’ve found that all companies have in common is that, various aspects of the data management competency are claimed by different people with very little connectivity between them. In other words, fragmented ownership of a poorly defined area of responsibility.

When it comes to Data, there’s definitely a case of too many chiefs, (This is understandable, because who doesn’t want to be a chief.)  

• A chief data officer has been assigned because Data is now a thing. It’s the new oil.
• Information security is owned by the Chief Information Security Officer (CISO) under the Chief Information Officer (CIO).  
• With the onset of the European Union’s General Data Protection Regulation privacy officer has rose to prominence and we’ve seen many Chief Privacy Officers (CPO) be appointed under the Chief Risk Officer.
• And Records Management, those guys are sitting in the basement library and are attached to the Enterprise Content Management (ECM) team scanning documents into Documentum or FileNet.

These are robust industry-standard disciplines

In most cases, the topics we have mentioned above are mature and standardised across industries.  

• Information security has ISO 27001
• Privacy has numerous statutory obligations as well as ISO27701 (The extension to 27001 covering privacy information management)
• Records Management has ISO 15849-2 and VERS 2 3 (Victorian Electronic Records Standard), which have implications in the presentation of records as evidence in legal circumstances.
• Data / information management however is a bit looser, perhaps the most well-known standard is the DAMA’s Data Management Book of Knowledge (DMBOK).
  
  Beyond this only recently has there been some degree of regulatory guidance around data. In 2012, the Basel Supervisory Committee and Bank of International Settlement’s (BIS) published BCBS 239 which outlined Principles for effective risk data aggregation and risk reporting.
  
  BCBS 239 is only applicable for Globally Systemically Important Banks (G-SIBs), a club which no Australian Banks are members.  
  
  The standard did recommend domestic regulators apply the standard to Domestic Systematically Important Banks and as a result, in 2013 the Australian Banking Regulatory (APRA) published CPG 235, however being a guideline, the standard is non-mandatory.

So things are fragmented and what do we recommend?

We (@Cognitivo) have developed a unified approach to data management that incorporates all the above topics into a single Risk Management Framework aligned to ISO 31000 the Risk Management standard. (We see Data Risk being a sub-set of operational Risk).

To illustrate the importance of aligning the above topics, consider GDPR’s the right to be forgotten, it is a privacy as well a retention and disposal obligation. In most organisations we’ve seen, records management capabilities (e,g. retention/disposal schedules) are only applied within unstructured data systems (i.e. document management systems) and not structured or transactional databases (e.g. CRM’s, ERP’s, core systems). Most organisations today do not dispose of data and it would be almost impossible to erase a single person’s records on request within the vast pool of back-up tapes.

In our approach we think about

• Data Use and Quality – how does the organisation want to use, who should the data be shared with and what level of assurance do they need over the quality of that data.
• What data needs to be explicitly restricted from certain parties for reasons of privacy and confidentiality
• How long we should retain certain data to, dispose of data we don’t need to either meet certain obligations or reduce storage costs.
• What our information security / access controls environment should be in enforcing the above business and policy objectives.

We employ a single contextual classification method which can catalogue data to meet all privacy, records management, data use/quality and information security obligations. This method is a fine-grain data classification method that defined:

• Who the user of data is (by role)
• The purpose of access (using a business classification scheme inherited from Records Management)
• What data is to be accessed (through a business conceptual data model)
• What policy obligations within the obligations register must apply.  

Cognitivo’s approach to data classification leverages existing organisational assets.
To illustrate:  

• The Information Security Office will have a roles based model defined to support existing roles-based-authentication-controls (RBAC)
• The Records Management Office will already have a business classification scheme, which is somewhat resembles a business functional framework. We have worked with many industry as well as organisation specific functional models to develop or validate business classification schemes.
• Data warehousing teams will have a business conceptual model, or if not our approach is to use all documented business processes to undertake a data model definition exercise, calling out all entities and attributes crucial to business processes.
• The Risk Compliance office will have an obligations register, if not we undertake an obligations scan
• We then store all of the information gathered (what data, who can access based on where they sit in the organisation, rules that apply) within ISO’s information assets register (IAR).

This is how it all fits together.

In the early days of information management, consultants have been running around telling clients (and I have been one of them) to catalogue critical or key data elements (CDE’s / KDE’s) and assign owners. In our view, this is completely inadequate. To demonstrate for a local government organisation, a person’s name may be private, unless they put forward a public complaint, their names are no longer private. Obligations and therefore privacy and access controls need to be contextual and fine-grain. We are starting to see this in the emergence of attribute-based-authentication-controls (ABAC).

If you think about the emerging technology paradigm of serverless / function-as-a-service, micro-services, API driven architectures, a fine-grain data management approach would a pre-requisite. CIO’s and CISO’s need to stop simply managing applications as containers. As an organisation, in order to compete on intelligence we need to drill down to the content held within these applications.

Get in touch with our team if you want to find out more about Cognitivo’s unified data management approach

‍