These days, you really can’t be involved in compliance efforts without also rubbing elbows with people whose mission is to formalize governance—governance of data, technology, processes, controls or SOA, MDM, and any other acronyms that mean big budgets.
Sometimes the elbow-rubbing can be a competitive sport. After all, you may all be competing for the same budgets, resources, and nuggets of executive attention. Since this column is dedicated to helping those of you who must comply understand your compliance options, I thought it would be a good idea to take a quick look at the essence of compliance, management, and governance.
Compliance: Compliance can be considered an end-state you must achieve. For example: Your data will be secure. Access management controls will be in place, and they will be auditable. All data will conform to the specified naming conventions. You shall enforce segregation of duties for the following tasks.
Compliance comes into play when someone, somewhere creates a set of rules. Your entire organization becomes subject to those rules, which means everyone in the organization must comply. Some of you translate higher-level rules into more specific activities and controls. In doing so, you may or may not have some freedom to interpret them or to choose between compliance options.
Management: Management can be considered the system of how you get things done (including compliance). It’s usually defined as the supervising or directing of an organization—planning, organizing, directing, and controlling operations to achieve specific goals. Managers collaborate and cooperate with each other, of course. But for the most part, if you make a list of “management decisions,” you’ll be able to trace each decision back to a single box on the corporate organizational chart, with the inhabitant of that box empowered to make a decision that will trickle down through the corporate hierarchy to all those affected by it.
Governance: Governance can be considered the system by which you decide how to perform management activities. It’s often defined as the decision-making process that prioritizes investments, allocates resources, and measures results to ensure goals are met.
Even if it’s not labeled as such, governance is constantly taking place all around you in your organization: at the highest levels, where a board of directors gives direction to your executives; at strategic levels, where groups of executives meet to establish the rules of engagement for making tough decisions with boundary-spanning impacts; and at a tactical level, where councils define and enforce standards.
As someone who may define and enforce compliance options, you need to be able to work with governance bodies. Let’s take a look at a typical governance landscape, using data governance as an example. What are the components of a data governance program?
The components of the DGI Data Governance Framework are shown below:
Rules and Rules of Engagement