Introduction

The Data Control Environment refers to the state of operation in which the data assets of an organization are holistically managed throughout the organization. There are three elements of a successful data control environment.

1. The data management (DM) objectives and capabilities described within this document have been embraced and adopted throughout the organization.
2. The data lifecycle is fully supported by all stakeholders. These stakeholders ensure understanding, awareness and control of data throughout the data supply chain–from source to consumption to disposition.
3. DM is part of the organization’s data ecosystem. It is integrated and coordinated with all other control functions organization-wide.

The purpose of the data control environment is to coordinate the people, process and technology of DM into a cohesive operational model. The data control environment defines the mechanisms used to capture data requirements, unravel data flows and linked processes and determine how data is to be delivered to the data consumer. The data control environment supports the data lifecycle. It ensures that proper resources and controls are in place as data moves throughout its journey. Also, the data control environment ensures collaboration and alignment to cross-organizational control functions. Areas such as Information Security, Data Privacy and Change Management must operate in sync with DM to ensure data is properly managed across all business functions.

To the extent that the data control environment is not achieved it results in potential data risk. Data risk should be managed in alignment with the overall risk management framework of the organization. Data risk scope includes areas such as data architecture risks, metadata risks, data quality risks, data governance risks and Master Data risks.

Definition

The Data Control Environment (DCE) component is a set of capabilities that together form the fully operational data control environment. Data operations, supply-chain management, cross-control function alignment and collaborative technology architecture must operate cohesively to ensure the objectives of the DM initiative are realized across the organization.

Scope

• Work with DM Program Management Office (PMO) to design and implement sustainable business-as-usual processes and routines to enable a successful data control environment.
• Bring together the DM components as a coherent, end-to-end data ecosystem.
• Follow current DM best practices by routinely reviewing and auditing the capabilities and their processes.
• Ensure all facets of DM for business-critical data such as data lifecycle, end-to-end data lineage and data aggregations are fully operational.
• Ensure DM is aligned with other control function policies, procedures, standards, and governance.

Value Proposition

Organizations that improve their ability to reconcile requirements for data and accurately share data across the organization’s ecosystem are able to better respond to changes in business process, regulatory, and audit requirements.

Organizations that deliver data through a controlled environment respond more rapidly to market opportunities and provide innovation to customers.

Overview

The DCE is where the execution components of Business & Data Architecture, Data & Technology Architecture, Data Quality Management and Data Governance are made operational in the data supply chain by the data producer. This operationalization brings a defined set of data into control and makes it available to data consumers at a point in time, either real-time or period end.

Diagram 7.1: Data Supply Chain

One of the first functions within the DCE is the orchestration of the DM component disciplines. These disciplines must be aligned to effectively manage data across the organization. The DCE forces the alignment of all the capabilities discussed in this model into a consistent operational flow. Each capability must be properly resourced and prioritized as well as supported by business, data and technology senior management.

The successful coordination of these components is a determining factor in the success of the DM initiative. It is the responsibility of the DM organization and the senior data officer at each level of the organization to structure and coordinate the DM operating model. This properly defines data meaning, ensures data quality (DQ), and delivers data in a timely and efficient manner. Evidence of the processes must be compiled through demonstration of organizational structures, charters, policies, and senior management directives.

Data is a core factor of input into business functions and operational processes. The data lifecycle tracks the progress of data from source to storage, to maintenance, to distribution and to consumption. From this point the data may be reused, sent to the archive and finally to defensible destruction. The mechanisms used to identify, align, and validate the data as factors of input into business functions are derived by reverse engineering existing business processes into their individual data elements and by unraveling the data assembly processes used to create the required data sets.

This reverse engineering process to define data requirements needs to be managed with precision. Only precision will avoid confusion and miscommunication between what the business users truly need for their business function and what technology professionals need for technical implementation. Data requirements should be modeled, aligned with business meaning, prioritized in terms of how critical it is to the business process and verified by all stakeholders. These steps ensure that essential concepts are not lost in translation. This is particularly critical for data that is shared among multiple data consumers and for core data attributes that are used as a baseline for onward expression in operational calculations or business formulas.

For complex applications and for all data aggregation-related processes, it is essential to understand and document how the data moves from system-to-system; how the data is transformed or mapped; and how the data is aligned to business definition and standard meaning. Gaining agreement on this data lineage process is fundamental for ensuring that the results of decentralized or linked processing can be trusted to be consistent and comparable.

The final aspect of an effective DCE is the integration of DM into the data ecosystem of an organization. The data ecosystem is a concept that describes how data is managed collaboratively with all cross-organization control functions. Control functions such as information security, storage management, legal and compliance, privacy, and vendor management all have responsibilities on how data is managed. It is imperative that the policies of DM are integrated and aligned with the policies of the cross-organization control functions to ensure data is being managed consistently and holistically organization-wide.

Finally, a DCE ensures technology’s alignment with DM policies and best practices. DM capabilities such as architecture, governance, and DQ should be integrated into the organization's Software Development Lifecycle (SDLC) processes to ensure that DM considerations are being adequately addressed at the appropriate stages of the development cycle. Nothing should operate in a silo. Operating within an ecosystem recognizes interdependencies and ensures collaboration.

Core Questions

• Is the concept of a DCE understood by stakeholders?
• Are the aspects of data control like terms, definitions, relationships, integration and precedence established on a consistent basis?
• Are control processes applied across the full data lifecycle?
• Are the concepts of data control aligned across the full organizational ecosystem?

Core Artifacts

The following are the core artifacts required to execute an effective Data Control Environment capability. Items with an ‘*’ link to published best practice guidelines.

• Cross-Control Function Alignment Matrix
• Data Risk Framework
• Data Supply Chain Model
• Regulatory Alignment Matrix

First Capability

Evidence of the data control environment is the result of effectively integrating and executing the other six components defined in DCAM. Active engagement by stakeholders is required to ensure the DM capabilities are working collaboratively across the organization.

First Sub-Capability

Description

To establish the DCE the holistic execution of DM initiative is required at each operating level of the organization.

Objectives

• Charter governing bodies and make them operational.
• Design and fill leadership roles. Document that they are functioning according to prescribed mandates.
• Deliver DM initiative capabilities.

Advice

The data control environment is the result of effectively integrating and executing the other six components defined in the Data Management Capability Assessment Model (DCAM). The integrated execution of these capabilities will create an environment where the people, process, data and technology can produce an environment where the data is in control.

Questions

• Are the governance structures operational to effectively control the data?
• Are the DM leadership roles at each operating level of the organization defined and operating in harmony as designed?
• Are the DM initiative capabilities integrated and operational in alignment to the DM target operating model?
• Does the DM initiative have senior management support inclusive of the senior executive suite?

Artifacts

• Evidence of operations in alignment to the DM target operating model
• Dashboard summarizing the DM initiative program, outcomes, process and DQ metrics
• Evidence of DM support top-down – e.g., formally stated support from the executive suite to the organization

Scoring

Next Sub-Capability

Description

All stakeholders critical to the success of the DM initiative must be identified. Roles and responsibilities must be communicated. Active engagement by critical stakeholders is operational and evidenced.

Objectives

• Define and communicate the roles and responsibilities of stakeholders who will support the DM initiative.
• Ensure support and provide authority for the DM initiative through stakeholder engagement.

Advice

The DM initiative success demands the engagement of support-stakeholders. Management must support the initiative at each operating level of the organization. Also, Internal Audit must be involved throughout to ensure that the DM initiative is auditable and the policy and standards are enforced. The organization’s risk function must build an integrated risk framework for managing data risk. Senior leadership, perhaps including the board of directors must be informed, engaged and officially support the DM initiative.

Questions

• Have the support-stakeholders been informed of their roles and responsibilities in supporting the DM initiative?
• Has the required level of support-stakeholder engagement been achieved to provide sustainability of the DM initiative?

Artifacts

• Internal Audit schedules for DM initiative audits
• Integration of data risk into the risk management framework
• Senior management meeting minutes, including DM initiative strategy and performance reporting
• Board of Directors meeting minutes, including DM initiative strategy and performance reporting

Scoring

Next Sub-Capability

Description

To achieve the DCE the full set of DM capabilities must be operational and applied against a data domain. It is important to understand the differences between planned and operational initiatives. Only operating capabilities contribute to the functioning DCE.

Objectives

• Bring DM capabilities into operation and align them with the DM strategy.
• Bring DM capabilities into operation and align them with governance policy and standards.

Advice

Successful creation of a true DCE happens when all of the defined DM processes are operating in concert and all are aligned with the stated DM strategy.

Questions

• Have the DM processes been integrated into a single end-to-end operational process?
• Are the procedures, tools and routines in place for implementing the processes?
• Have innovative technologies such as AI and ML been considered as part of the integrated processes and infrastructure?
• Has the review of data ethics been included in the integrated DM processes?
• Are there standing meetings, planning sessions and regular communications validating the data control?

Artifacts

• Process documentation that shows integration of the DM processes into an end-to-end execution
• Documentation of data ethics review as part of the data controls
• Governing body minutes and directives related to data control monitoring

Scoring

Next Capability

Cross-control function collaboration includes: 1) aligning DM and other control function policy and standards; 2) establishing engagement routines; and 3) applying cross-organization controls to the data.

First Sub-Capability

Description

DM controls and best practices must be formally included in cross-organization control function policies and standards to ensure collaboration and alignment.

Objectives

• Create enterprise policy and standards which formally include cross-organization references in each.
• Ensure formal coordination of each groups’ policy and standards through control teams which are held accountable and subject to Internal Audit.

Advice

The goal here is to ensure that the policies and standards of the DM initiative are aligned with those of the other control functions. Take advantage of existing rules and integrate them into the DM policies, procedures, and standards. Other control functions should also reference the standards and processes of the DM initiative.

Questions

• Are the mechanisms in place to support cross-organization control function collaboration?
• Is there alignment between cross-control function policies, standards and processes?
• Is cross-organization control function coordination operational and being reviewed by Internal Audit?

Artifacts

• DM policies and standards
• Other control functions’ policies and standards
• Policy and standards cross-referencing mechanisms

Scoring

Next Sub-Capability

Description

In order to achieve collaboration among all the control functions that have requirements for data or DM a structure of regular interaction is required.

Objectives

• Formally coordinate cross-control functions with the DM initiative via regular engagements, meetings and routines.

Advice

Here is where the CDO becomes the Chief Diplomacy Officer. There must be an engagement strategy and plan to meet and collaborate with the other control functions. This collaboration is required of the data officer at each operating level of the organization with their respective cross-organization control function peer.

Questions

• Are the mechanisms to support regular coordination defined and operational?
• Are formal meetings across control functions taking place?

Artifacts

• Engagement plan
• List of stakeholders and evidence of bi-directional communication
• Evidence of meetings including minutes and follow-up actions

Scoring

Next Sub-Capability

Description

All new data introduced into or delivered out of the data ecosystem must be subject to cross-organization control standards to ensure organization-wide compliance.

Objectives

• Subject design review and approval to data introduced into or delivered out of the ecosystem.
• Subject cross-organization data control policy and standards to data introduced into or delivered out of the ecosystem.

Advice

The goal of cross-organization data control is to ensure that all data entering the ecosystem through any channel is subject to the same restrictions, tollgates, authorizations, and evaluations. The challenge will be to ensure that all of the cross-organization control functions understand and recognize the role and authority of the ODM.

Questions

• Have the cross-organization control functions’ policies and standards been widely communicated?
• Have the cross-organization control functions’ requirements for data or DM been inventoried and presented to the DM initiative stakeholders?
• Have the stakeholders been informed of their role and responsibility with respect to the onboarding of data into the organizational ecosystem?

Artifacts

• Evidence of cross-referenced rules from other control functions’ policy and standards that demonstrate alignment and collaboration with the DM initiative

Scoring

Next Capability

The formal process of identifying data risk must be integrated into the DM initiative. Once identified, the risks must be tracked, prioritized and mitigated. These activities should be standardized and integrated into the overall risk management framework and processes of the organization (e.g.; three lines-of-defense: operating unit, risk function and audit function).

First Sub-Capability

Description

All organizational units must be accountable for managing data risk in their unit. The organizational unit is the first-line-of-defense in the organization’s risk model.

Objectives

• Define and operationalize the processes for self-identification of data risks.
• Manage the data risk process to actively track, prioritize and mitigate data risks.
• Engage executive management in data risk management.

Advice

The organizational units are accountable for their data and thus are accountable for the risk associated with their data. The formal process of identifying data risk must be integrated into the DM initiative. Once identified, the risks must be tracked, prioritized and mitigated. These activities should be standardized and integrated into the overall risk management framework and processes of the organization.

The Chief Data Officer and in some cases the Chief Operating Officer has a role in supporting the organizational units in the data risk management process. This role may even be seen as a review point between the organizational unit and the second-line-of-defense.

Questions

• Is there a process for identifying and managing data risk?
• Are the procedures, tools and routines in place for implementing the processes?
• Does the CDO, the Office of Data Management and/or the COO provide data risk management support to the organizational units?

Artifacts

• Documentation on the process to identify and manage data risk
• Evidence of self-attestation and enterprise ODM review
• Evidence of CDO or COO data risk management support

Scoring

Next Sub-Capability

Description

The data risk function must be accountable for establishing the data risk appetite and framework for the organization. The data risk function is the second-line-of-defense in the organization’s risk model. The CDO must collaborate with the risk function to integrate data risk into the overall risk framework.

Objectives

• Establish a data risk appetite statement and standard data risk categories and metrics.
• Provide organizational guidance and oversight of the data risk management process.

Advice

Data risk must be managed organization-wide in concert with other sources of risk. Standards must be set to define data risk appetite along with risk identification, classification and measurement. Because most data has many consumers across the organization a comprehensive view of data risk is critical.

Questions

• Is there a defined data risk appetite for the organization?
• Are there standard data risk categories and metrics?
• Has the Risk function provided guidance and oversight of the data risk management process?

Artifacts

• Data Risk Appetite Statement
• Standard data risk categories and metrics
• Risk function guidance for the data risk management process

Scoring

Next Capability

Description

Internal Audit must be accountable for periodic review of the DM initiative against the defined policy and standards of the organization. Internal Audit is the third-line-of-defense in the organization’s risk model.

Objectives

• Validate that DM policy and standards and processes are auditable.
• Perform periodic audit according to organization audit policies.

Advice

Collaborating with Internal Audit is a valuable exercise to ensure the auditability of the DM initiative. It will also foster a shared understanding of the DM strategy, its objectives, processes, and data controls that will be valuable to both the data practitioner and the auditor.

Questions

• Is there a functional partnership in place with Internal Audit?
• Is Internal Audit familiar with the concepts associated with DM?
• Has Internal Audit reviewed the DM initiative and determined that it can be audited via scheduled exams?

Artifacts

• Evidence of communication with Internal Audit about the DM concepts
• Verification by Internal Audit that the DM initiative can be enforced and audited
• Internal Audit schedule for DM initiative audits
• Evidence of Internal Audit engagement and review

Scoring