Jan 1 ’07

Compliance Options: Hidden Stakeholders and You

by Editor in z/Journal

A recent client experience made me think about the challenges you face as you try to serve the needs of all your own clients, internal and external.

But first, a confession. I need to describe what I see when I think of you. I picture a maze: a large building filled with offices and cubes. It’s a sea of beige, with beige walls lined with beige file cabinets, and hundreds of beige cubes arranged in an incomprehensible jumble of beige squares and aisles.

To find you, I imagine, I’d have to start near the elevators, go past the bathrooms and beige break rooms, and wander up and down a few beige corridors looking for the right cluster of cubes. I wouldn’t find it, of course. Finally, I’d poke my head into a beige conference room and ask the people inside if they could direct me to the mainframe group. They’d laugh, make a few jokes about rats and mazes, and then direct me to go past the cube with the big plant, turn left at the poster with the hang gliders, and then take a left, a right, and another right. I’d know I was almost there when I saw the collection of “Dilbert” cartoons.

That’s what I picture. I wish I could say I image a workspace with clear signs indicating the location of analysts, testers, programmers, etc., but in all my travels, I’ve never seen such a place—just seas of people who may or may not know the individuals sitting just three aisles away.

Which brings me to my story. I was at the client site, facilitating a Joint Application Development (JAD) session that brought together business and IT resources from across the company. We had two goals: to decide how to deal with some long-standing, data-related issues and to lay the groundwork for some future data governance activities.

Some of the people in the room knew each other; others had never met. The one thing everyone had in common was that their business processes and IT systems touched the data under discussion.

We were discussing a field designed to store a prediction: the date when a customer might be expected to graduate from college. This was of interest to the client’s marketing team, because they need to tie their marketing efforts to such triggers. They were at the JAD session to ask other participants to use their processes and systems to help gather better data.

Some people in the room were clearly wondering why they were there. Couldn’t this have been handled with a few phone calls to IT people, they seemed to be thinking. The only group that uses this information is marketing—let them get what they need and leave the rest of us alone! And then something happened that caught everyone’s attention.

“Do I hear from the people in this room that this field is absolutely not subject to any compliance requirements?” I asked. There were nods around the room, and then one hand was raised. It was the woman representing the finance department.

“Actually,” she said, “we use that field when we calculate projected earnings, like marketing does, but we do independent calculations. That puts it in scope of Sarbanes- Oxley change control, so you shouldn’t do anything to change how you treat that data without involving us.”

What followed was a discussion of data flows, business processes, and change control protocols that involved everyone in the room. Later, evaluations confirmed that the exchange of information—and the insights gained—were considered invaluable by the participants. We not only met marketing’s need, we also added to the knowledge levels of many departments. Participants left with a promise to gladly participate in future data governance-facilitated sessions.

And I was left with a great big “whew!” The group could have inadvertently created a compliance issue while solving a marketing issue! But we didn’t, because we made sure in advance that the right people would be in the room. All data stakeholders were involved in our decision-making process.

How does this compare to how you receive instructions? Do you always know whether the data you’re asked to model, store, or manipulate could be subject to a regulatory compliance requirement? To contractual compliance? Adherence to internal standards or policies?

If you have a formal data governance program, it may provide you with the assurance that all potential data stakeholders’ needs have been considered in the requirements you’re working from. If not, you may want to run through a checklist of your own with those who are providing you with the requirements.

Such a list is available from The Data Governance Institute (www.datagovernance.com). It’s a printable list of more than 50 potential data stakeholders for any data-related decision. You might want to check it out. Z