data management strategies - speakers notes

1

SLIDE ONE: TITLE SLIDE

Good morning and welcome to this session discussing data management strategies. Today’s session

is intended to introduce approaches you can take to ensuring that the data that underlies your business

is fit for the purpose for which you intend it. This requires an alignment of organisational intent with

technical skills and capabilities.

SLIDE TWO: INTRODUCTION

[No speaking points]

SLIDE THREE: ABOUT THIS PRESENTATION

2

Now, in order to discuss how your business can ensure that data is managed appropriately, this

presentation discusses strategies to manage data, and discusses how to ensure that data is managed

and controlled appropriately.

This presentation also discusses some of the issues that I have seen in practice relating to sustainable

management of data. This, in the end, comes back to ensuring that the business has the appropriate

effort spent on data governance and management for its needs. There are standard practices that can

be adopted, and it is intended today to introduce some of these to you.

In discussing this presentation, I should acknowledge that some of the material presented in this

discussion was supported under the Australian Research Council's Linkage Projects funding scheme

(project number LP0882068). Some of this material relates to the research work that I am carrying

out through a relationship with the University of Queensland and the Australian Research Council.

In presenting this material, I want to communicate some very real issues that I have seen in past

practice. Some of this will be a little humorous, some of it less so. You’ll see what I mean when we

get to those bits!

SLIDE FOUR: AGENDA

In examining data quality, it is very easy to become ‘hyper-focussed’ on having good quality data.

We all know that data is clearly an important business resource. In avoiding becoming ‘hyper-

focussed’ on data quality, please remember that you are pursuing data quality for a utilitarian purpose.

3

The data that we manage must be important to the business and its senior team, including the business

owners. Data must be fit for purpose and help the business. That is the measure of good data quality.

In many ways, this discussion links to my presentation tomorrow on key performance indicators – it is

not possible to have key performance indicators that work well without having good-quality

underlying data.

In approaching the problem of data quality, be aware of the dangers of attempting to improve the

quality of all your data all at once. For all but the most special of organisations this ‘big bang’

approach is doomed to fail. The business must want data quality, and the approach to your data

quality must be aligned with your business strategy. It is not costless to improve data quality, and in

fact it is quite the reverse. Data quality is not an end in itself.

This presentation provides an approach and a toolset to advance the state of data management in your

business through data governance so that the data you have is accurate and useful. This presentation

explores the meaning of data governance, its impact upon the business, and how to develop a strategic

program of works that builds the business’s data governance. The aim is to develop an improved data

quality framework that works, which is a framework of practices and procedures that align data

quality practices with the business’ strategic need for data quality.

The emphasis here is on governance as a set of rules for governing data quality processes, and our

strategy is the way we direct day to day activities to ensure alignment with the business. The agenda

set out here takes us through a journey of what data management means for accountants, how we can

recognise data governance as a strategic need, and then a program of works that we can use to develop

our data management practices further.

4

SLIDE FIVE: DATA MANAGEMENT AND ACCOUNTANTS

SLIDE SIX: ACCOUNTING COMPLIANCE REQUIREMENTS

Us accountants like our rules and regulations, and in this day and age nothing affects us quite like the

computer. Yet our standards only have very little to actually say on our use of the computer. ISA315

merely asks the auditors to have ‘an understanding’ of information systems relevant to financial

reporting. This is in stark contrast to the Sarbanes-Oxley approach in the United States, which

requires a much more interventionist and prescribed approach to knowing where the data itself comes

from.

In any event, if we are going to get good data that is useful to our business, we need to focus on more

than ‘just financial data’. The financial data is important, but frequently it tells us what happened,

rather than, perhaps, how it happened. We can use this data for decision-making and performance

monitoring, before it affects the financial bottom-line.

Let us discuss some illustrative examples that highlight some of the issues we are talking about here.

5

SLIDE SEVEN: TALES FROM THE DATA VAULT

Blue screen of death

The ‘blue screen of death’ – I’m sure you’re quite familiar with it! One former

client had had the software for their management information system installed

twice. When the software was updated, however, only one installation was

updated – and the other wasn’t. This meant that one half of the office had

computers that updated the data in one way – and the other half, didn’t. This wasn’t noticed for about

a year, when the computers started to blue-screen regularly. By this time of course their data was

thoroughly nonsensical and required extensive cleaning.

Networking and wiring technology

Well, I think this picture kind of illustrates the point rather well. There is not

a lot of point investing in good data management strategies if your technology

platform is a bit, well, fragile. Ask yourself, what happens if one of these wires were to get pulled

out? Hmm.

Every computer should have one of these

Now, clearly every computer should have one of these. I’ll tell you the story

of my earlier career. It was a private school that I worked at, and every three

months a newsletter was sent out to the alumni. Now, the program we used

6

was, shall we say, immature. It wasn’t really ready for prime time yet, although we had been using it

for three years. That was probably a mistake. However, we were using it.

Because it was immature, the programmer was always making changes. ‘Tailoring’ I believe it may

have been called. He made one little change. A teensy change. And it sent the program that gathered

addresses for the quarterly mailing for a loop so that, when it came to a postal address, it kept using

that postal address for every person that followed that person (until the next postal address). I

checked it. The director of business development checked it. His secretary checked it. No-one

noticed. They all got mailed out. All 11,000 of them.

We didn’t know until the postmaster in Chinchilla rang us the next day and said, “Hey, did youse

guys really want me to put 340 copies of your newsletter into Charlie’s PO Box?”. And then the

bloke in Townsville. And then... well, you get the picture.

A panic button would have been very helpful on that day.

Remembering when?

I don’t know if you remember these things on the left here. They’re 5¼ inch

floppy disks. Positively of absolutely no use now. I don’t think I’ve seen one in

ten years. In my old firm, we used to store a great deal of data on Zip-disk drives.

Again – you can’t really buy those now either. My old firm also used to scan its client files to

Microfilm. Then Microfiche. Then Canoscan OM disks. Then the disk reader broke, and you can’t

buy a new one.

And – nightmare of nightmares! – we were sued! Where were our file notes to prove we were in the

right? That’s right, they’d all been scanned to OM disks. On a machine that had since blown up.

7

Now I can tell you, we put a lot of effort in getting that data back – and we did do it. The legal action

against the firm failed, at least partly on the basis of the information contained in those file notes.

Blast from the past

Again, do you remember these things? A great deal of data went on

those too – mind you, unlike floppy disks, THESE still work (so long

as the archives with your paper in haven’t burnt to the ground or been

flooded by now). Because of these issues, I can today show you more

of my work from 1986 – before I moved to new-fangled computers! – than from my four year

university degree and the entire decade of the 1990s (at which time, I stopped archiving off to floppy

disks!).

By the way, that’s a great little machine – I doubt that my notebook will be as good when it is 45

years old.

Quix! Type in wez had all our injekshuns

Now I don’t know how true this story is, but it’s a good one so we’ll run with that.

There was a multinational company based in Europe, and its database design was

built in France, so all those ‘yes/no’ data fields were coded as ‘o’ for oui and ‘n’ for

non. Unfortunately the training when they rolled out to Greece was not so good,

although everyone used the database. Unfortunately, in Greek, ‘o’ is for no, and ‘n’ is for yes. Again,

fantastic data quality.

User dues

We are our own worst enemy. Possibly the biggest threat to your data –

whether incompetent by malicious intent, or just by their good nature, the

8

users of information systems can find ways to muck your data up that will make your toes curl. I am

thinking of one agency that was spending in excess of one billion dollars on infrastructure – this

required property resumptions. To record its discussions and negotiations with property-owners, the

QA manager decided that a spreadsheet would be the most appropriate approach to record the

negotiations and decisions made by its field agents. The system allowed the final outcomes of

negotiations to be recorded, but had no real method for recording the decisions made. The

information was contained inside many spreadsheets and could easily be overwritten by the end users.

SLIDE EIGHT: DEFINITIONS

Now, in the context of this presentation, the following definitions apply:

Data Quality: measures the data’s fitness for the intended use in operations, decision making &

planning

Governance: is a set of accountabilities, processes, and auditable and measurable controls that

ensure the business is on track to achieve its objectives

Data Governance: is therefore a set of accountabilities, processes, and auditable and measurable

controls to ensure the business is on track to achieve its data quality objectives

Data Quality Frameworks: These frameworks provide structure to data quality activities and

allow assessment of data quality

Data quality is principally about fitness for purpose. This is a broad definition, but it goes to the heart

of the matter. If the data is fit for the purpose for which it is intended, then data quality is generally

sufficient. However, businesses frequently use data for decision-making that it absolutely does not

support.

For example, a client once had developed several information systems to manage its business

functions. This client was an agency focussed upon the management of personal relationships with

9

the government, and frequently aggregated the data from the different information systems to inform

the development of government policy responses to social issues. Unfortunately, the different

systems used different attributes to describe the people in care – in one system, there were three

ethnicities (Indigenous, Torres Strait Islander, and ‘other’), while another system had twelve ethnicity

codes. This approach made sense for each individual system, and the data was fit for the purpose

initially envisaged. Problems arose, however, when the data was used to support decisions it was not

originally intended for.

Similarly, this client was responsible for maintaining a spreadsheet of people who were considered a

‘threat to the community’. Unfortunately, this information was derived from the three information

systems, and was manually maintained. At the time of our review the master spreadsheet had not

been revised for six months – data that loses accuracy, timeliness and relevance.

There are several core components to the concepts of data governance.

Firstly, ‘governance’ is not about the specific actions to be taken, it is about who is accountable for

those actions, what processes are followed, and how these actions are measured.

Secondly, the aim is to meet the business’s data quality objectives. If those objectives are not set out,

or are at odds with the aims of the data quality framework, then data governance is poor.

SLIDE TEN: THE REASONS WHY

In order to advance data governance, it is absolutely essential that the business strategy is understood.

There are very good business reasons for improving data quality frameworks through good data

governance, which can be analysed in terms of ‘compliance’ frameworks (required by a standard or

law) and ‘incentive’ frameworks (whereby it can be seen that IT governance provides a positive return

to the business, even when it is not required).

10

On this list of compliance frameworks, Control Objectives for IT (COBIT) and Sarbanes-Oxley are

both audit standards. Neither has a direct ‘black and white’ legislative effect in Australia, although

they are both influential for Australian businesses.

COBIT is managed and developed by the Information Technology Governance Institute. The

Information Systems and Audit Control Association originally developed COBIT in order to assess

the controls over information technology and the information managed by it. COBIT is an audit

standard for IT governance, and a very small part of that standard is devoted to data management and

data quality. Financial auditors use COBIT when assessing the controls over information technology

as part of a financial audit. These control objectives become important for complex audits, and where

the auditor feels unable to consider information technology to be a ‘black box’ that can safely be

ignored.

For a financial auditor, if the controls over the accounting system are inadequate and unreliable, then

there is little prospect that the auditor can place reliance upon the information produced from that

accounting system.

The COBIT standard may be applied to larger organisations that require complex audits. However,

there is no legislative requirement that this be followed, and its application is generally left to the

professional judgment of the auditor.

Sarbanes-Oxley is, again, a standard that is not generally relevant for non-UScompanies, as it is US-

based legislation. However, it should be noted that US legislation generally attempts to be as

inclusive as it possibly can, and wholly-owned subsidiaries of US firms operating elsewhere are

required to achieve SOx compliance if the parent company is subject to Sarbanes-Oxley.

S404 of the Sarbanes-Oxley Act requires a management assessment of internal controls. In practice,

the auditor must be certain of the provenance of financial data, and so controls over feeder systems

11

through to the financial information systems are relevant. Generally, auditors have tended to be

conservative in their application of S404 – so although not all systems need be tested every year,

auditors err on the side of caution in these instances.

Of interest is speculation that overseas companies may be captured by the operation of S404 if those

companies produce information that passes information (not necessarily financial!) to the financial

information systems of a US company. Sarbanes-Oxley affects Australian companies with significant

business-to-business relationships with US companies (e.g. joint ventures).

In Australia, the Stock Exchange has rules for listed companies, although these are not particularly

onerous in this context. Principle 2 requires that the board of the business is structured to add value,

whilst Principle 7 requires that the board recognise and manage risk.

As for the management of risk, it is true that poor data quality can result in poor business decisions,

but generally data quality seems to be the last thing on the minds of board members and the senior

executive team. Until, that is, poor data quality results in a bad business decision or a crisis.

There needs to be a story to motivate the senior team about data quality. My stories would include the

time a school sent academic reports to the estranged father of a child. The father was the subject of a

domestic violence order and was not to know where the student attended the school. Or the time the

accounting firm kept inviting the managing director of a very major client to seminars and

presentations, despite the fact he had died six months previously. Or Queensland Police Service,

where if the information provided to their people on the streets by 000 is wrong, people die. There is

also the story of the managing director of a listed company with $16 million turnover. He received an

audit letter that was 32 pages in length, mostly due to poor information security and data quality, and

yet refused to upgrade the accounting system from MYOB.

12

Privacy legislation requirements apply to the data that we gather, and there is of course an Australian

and international standard on IT Governance (AS8015-2005; ISO/IEC 38500) and AS4360:2004 is

the Australian standard on Risk Management. Amongst other requirements, there is also the act to

counter spam and the counter-terrorism act, the credit card companies impose their own restrictions,

and if you are an accountant there is the new money-laundering act, all of which provide for harsh

penalties for breaches by directors.

However, there is generally no hard-and-fast requirement for data quality in Australia, and so you

need to build the business case for data quality judiciously. There is the assertion by Weill & Ross

(2004) that good IT governance practices provide a higher return on assets for businesses than

businesses without good IT governance practices. Generally, though, you will need to build the case

for the improvement of data quality on the basis of your business.

Unfortunately for those of us that want to see good data, the Sarbanes-Oxley experience shows that

penalties (both civil and criminal) seem to be a primary motivator in getting a focus on data quality in

businesses.

SLIDE ELEVEN: ACCOUNTANTS AND SPREADSHEETS

Us accountants also love our spreadsheets. We love to work with them and use them all the time, and

there are very good reasons for that. Spreadsheets contain a lot of the corporate information that we

use to guide decision-making.

13

However, spreadsheets are notoriously unreliable. There are frequent errors and problems with the

formulas that we use. It’s not ‘just a spreadsheet’ if we use it to make important business decisions,

and we need to know and understand where the data that we are using has come from.

The spreadsheet should have internal controls and methods of validation as well – it is still a system

and needs appropriate controls, checks and balances. I always use an ‘IIF’ formula to cross-reference

my totals and flag exceptions, or conditional formatting is useful as well, as I am sure you know.

Although it is ‘just a spreadsheet’ we should look to build into the spreadsheet its integrity.

Additionally, where the spreadsheet uses data from other systems, understand where that data has

come from, and ensure that you know its security, its integrity, its effectiveness and its efficiency.

There are several inherent problems with a spreadsheet, though. Firstly, by its nature a spreadsheet is

not exactly multi-user. We tend to make a copy of data in a spreadsheet, and then update that data

rather than updating the source. Or, the spreadsheet quickly becomes out of date.

A client of mine once had 28 staff working for it, from the CEO down to the janitor. That business

had 84 databases of some description – none of which was particularly well-maintained, nor current!

Spreadsheets do provide a very simple way of transporting data around – unfortunately this strength is

also a weakness. Once data has been placed into a spreadsheet, any controls you might have created

over access to it are generally ignored from then on. It becomes an unmanaged data repository – and

frequently a considerable one at that.

Incidentally, as accountants we are often guilty of using spreadsheets to meddle with dark forces.

Forces we perhaps don’t understand. Now, you can stretch a spreadsheet’s functionality to address

some of these issues. My brother-in-law – bless his little cotton-socks! – uses multi-user spreadsheets

in all complex manner of ways. He has his sales managers in different sites enter the daily sales and

other key bits of information into the same spreadsheet, which he then runs a macro over it to pick up

14

the data that he wants. Yes you can modify a spreadsheet to do these things, with ODBC links and

other automation elements. However, eventually, what you have done is strap a jet engine to a

Volkswagen Beetle. It can be done, sure, but who would want to drive it?

A spreadsheet is a very good tool for what it was designed for, but it is not a database. I have seen

many accountants build very complex inter-related spreadsheets when, really, the tool to use should

have been a proper database. Please, bear this in mind if your spreadsheets are becoming too fragile

and unwieldy!

SLIDE TWELVE: ALIGNING EFFORT AND NEED


SLIDE THIRTEEN: DO WHAT THE BUSINESS NEEDS

The diagram here shows the relationship between the effort you put into

managing data quality and the expected impact on the business. The red circles indicate an

unsustainable mismatch of the effort put into data quality and the impact upon the business.

The need to build the business case for data quality means that the alignment of data quality practices

with the needs of the business is paramount. There is very little point in pursuing data quality as an

end in itself if it has little benefit for the business. Focus is needed to get the most business impact

from your strategic effort.

15

SLIDE FOURTEEN: CORPORATE GOVERNANCE AND DATA

Your average board is comprised of accountants, lawyers, and sometimes an ex-politician or two.

Given the focus of directors’ duties on compliance with financial standards, and the general

background of boards, it is probably no surprise that businesses are very good at managing financial

assets and physical assets, and quite poor at most of the other key assets of the business.

To advance data quality, we need to bring this issue to appropriate prominence. It starts with the

board, which will need to ensure accountability, monitor and supervise the actions of the senior

executive team, decide strategic actions, and make policy. If, at this time, the board sees no role for

data quality within the business, then that needs to be changed if data governance is to be advanced.

The senior executive team needs to set out the business strategy – which must include the objectives

for data quality – and decide who has input into the approach.

Data quality needs to be on the board’s agenda – it does not need to be the board’s agenda, but it does

need to be on it. This means that we adopt governance groups and governance processes to ensure

data quality stays top-of-mind.

16

SLIDE FIFTEEN: GOVERNANCE GROUPS

When approaching governance groups that you can use for sorting out data quality, the mechanisms

you use need to be compatible with your business and the way it approaches the questions of IT

management. A steering committee is unlikely to work well if the rest of the IT approach – or the rest

of the business - is undertaken in an anarchistic manner.

However, key governance groups and processes include:

Applications board

Information Steering Committee

Board Risk and Audit Committee

Governance Calendar

Balanced Scorecard

The key here is that there needs to be a way to manage data quality, and it needs to be monitored by

the people that matter.

17

SLIDE SIXTEEN: INTEGRATING IT PLANS INTO BUSINESS

STRATEGY

This process is a rational one, and essentially requires that the gap is identified between the current

approach and business requirements, and then the gap is closed. Unfortunately there are common

flaws that exist in the approach by business:

Where there is no direction by the business, IT fills the gap as it sees fit.

The approach is completely out of alignment with the business

Personal or political agendas cloud the approach

There is no way of closing the loop with feedback so that the current ‘flavour of the month’

continues to be monitored once it is no longer the flavour of the month.

A business decision

Data quality is a business issue. A forum and a process are needed to synthesise a whole-of-business

approach. The responsibilities of the Chief Information Officer include the development of business-

18

driven IT strategy and the monitoring of ICT service delivery. This includes the development of the

data governance approach and the strategy for data quality.

The CIO does have a role to input into business strategy in terms of identifying business

opportunities. As a supporting business function, though, in practical terms the CIO must engage

with the business functions of HR, Finance, and Marketing once they have developed their specific

plans, and then identify the Business IT Strategic Plan. This will include the data quality strategy,

which defines the required goals, initiatives and program of work for delivery of the strategy.

This is critical to achieving data quality in the context of ensuring alignment with the business,

although frequently this does not appear to be undertaken in business.

SLIDE EIGHTEEN: DATA GOVERNANCE STRATEGY


SLIDE NINETEEN: IMPROVING DATA QUALITY

19

Improving data quality is about the development of good business habits and a culture of good data,

rather than a ‘big bang’ approach. It is naive to think that data quality can be improved in a ‘Great

Leap Forward’ on all fronts and all at once. Critically, data quality is only tangentially related to the

use of software tools.

SLIDE TWENTY: PRACTICAL STRATEGIES

To be sustainable, data quality must meet the cost/benefit test, and be important to the business. A

data governance strategy grows organisational capability by implementing a data quality ‘floor’ for all

data and focussing the most resources upon the most critical data.

This creates less business risk, higher quality, and lower costs than a ‘big bang’ approach. The data

quality strategy needs to be owned by the business, not ‘IT; this has implications for the approach to

the development of governance groups.

In developing the strategy, set core standards for all data to create a basic level of data quality, and

then focus business resources on the development of data quality practices for absolutely critical data

first. These could be termed critical data types.

It is recommended that you be realistic in your approach, and do not develop over-engineered

solutions for the entire organisation’s data at first. A steady and sure approach is usually best - slow-

burn strategies that deliver beat fast-burning failures every time.

20

It is recommended that you build a strategic rhythm of monthly & quarterly reviews. This approach

de-emphasises the development of a strategy that sits on the shelf, and instead focuses on regular

touch points of the strategy throughout the timeframe of the strategy.

Quarterly deliverables should be set in the program of works for ease of monitoring, and these should

be reported to and reviewed by the Steering Committee, and noted by the Board committee through

the Balanced Scorecard and Governance Calendar. At all times, an active strategy is a practical

strategy

SLIDE TWENTY-ONE: STRATEGY FOR DELIVERING DATA

GOVERNANCE

Under this approach, our Business IT Strategic Plan will set out the mission, the three-year goals and,

after identifying the key challenges to achieving those goals, identify a set of initiatives that will be

successful. Unless there are significant resources available, a slow-burn strategy will be most

appropriate.

It is important that this strategy recognise the business’ limitations. The achievement of even a single

deliverable will be a major step forward in improving the data quality framework. Recognise that the

resources available are limited – if they are. If the resources cannot be made available, then work

with what you have.

21

This approach emphasises the process of developing the strategy, rather than the strategy. So, rather

than spending many hours at developing a strategy that sits on the top shelf, this approach requires a

constant monitoring (daily, weekly, and monthly reviews) and the development of quarterly

deliverables with the strategy development team. Be conservative in your deliverables, and be wary

of creating an undeliverable wish-list.

This is an active strategy approach.

SLIDE TWENTY-TWO: THE PROGRAM OF WORKS


SLIDE TWENTY-THREE: MATURITY THROUGH GROWTH

Measuring the maturity of the process of managing data that satisfies the business requirement for IT

of optimising the use of information and ensuring that information is available as required is:

Rank Level Description

0 Non-existent Data are not recognised as corporate resources and assets. There is no assigned data ownership or individual accountability for data management. Data quality and security are poor or non-existent.

1 Ad hoc The organisation recognises a need for effective data management. There is an ad hoc approach for specifying security requirements for data management, but no formal communications procedures are in place. No specific training on data management takes place.

Responsibility for data management is not clear. Backup/restoration procedures and disposal arrangements are in place.

2 Repeatable but intuitive

The awareness of the need for effective data management exists throughout the organisation. Data ownership at a high level begins to occur. Security requirements for data management are documented by key individuals. Some monitoring within IT is performed on data management key activities (e.g., backup,

22

Rank Level Description

restoration, and disposal). Responsibilities for data management are informally assigned for key IT staff members.

3 Defined process

The need for data management within IT and across the organisation is understood and accepted. Responsibility for data management is established. Data ownership is assigned to the responsible party who controls integrity and security. Data management procedures are formalised within IT, and some tools for backup/restoration and disposal of equipment are used. Some monitoring over data management is in place. Basic performance metrics are defined. Training for data management staff members is emerging.

4 Managed and measurable

The need for data management is understood, and required actions are accepted within the organisation. Responsibility for data ownership and management are clearly defined, assigned and communicated within the organisation. Procedures are formalised and widely known, and knowledge is shared. Usage of current tools is emerging. Goal and performance indicators are agreed to with customers and monitored through a well-defined process. Formal training for data management staff members is in place.

5 Optimised The need for data management and the understanding of all required actions is understood and accepted within the organisation.

Future needs and requirements are explored in a proactive manner. The responsibilities for data ownership and data management are clearly established, widely known across the organisation and updated on a timely basis. Procedures are formalised and widely known, and knowledge sharing is standard practice. Sophisticated tools are used with maximum automation of data management. Goal and performance indicators are agreed to with customers, linked to business objectives and consistently monitored using a well-defined process. Opportunities for improvement are constantly explored. Training for data management staff members is instituted.

Data quality management can only work when the organisation is ready for it. A great leap forward

won’t work for data management. The activities set out in the program of work, and the key

performance indicators adopted as metrics to measure data quality must be tailored for your readiness.

SLIDE TWENTY-FOUR: OBJECTIVES OF DATA QUALITY

Process Description

DS11.1 Business Requirements for Data Management

DS11.2 Storage and Retention Arrangements

23

DS11.3 Media Library Management System

DS11.4 Disposal

DS11.5 Backup and Restoration

DS11.6 Security Requirements for Data Management

These control objectives are the ones set out by COBIT, and although they are not a complete set of

available objectives, this should be reflected in the data quality strategy.

DS11.1 Business Requirements for Data Management - Verify that all data expected for

processing are received and processed completely, accurately and in a timely manner, and all

output is delivered in accordance with business requirements. Support restart and reprocessing

needs.

DS11.2 Storage and Retention Arrangements - Define and implement procedures for effective and

efficient data storage, retention and archiving to meet business objectives, the organisation’s

security policy and regulatory requirements.

DS11.3 Media Library Management System - Define and implement procedures to maintain an

inventory of stored and archived media to ensure their usability and integrity.

DS11.4 Disposal - Define and implement procedures to ensure that business requirements for

protection of sensitive data and software are met when data and hardware are disposed or

transferred.

DS11.5 Backup and Restoration - Define and implement procedures for backup and restoration of

systems, applications, data and documentation in line with business requirements and the

continuity plan.

DS11.6 Security Requirements for Data Management - Define and implement policies and

procedures to identify and apply security requirements applicable to the receipt, processing,

storage and output of data to meet business objectives, the organisation’s security policy and

regulatory requirements.

24

SLIDE TWENTY-FIVE: IMPROVING THE DATA QUALITY

FRAMEWORK

Having assessed your control objectives, the strategy will outline the need to improve the data quality

framework through assessment of the gap between the required level and the necessary steps to

improve these measures over time.

SLIDE TWENTY-SIX: INVEST IN SECURITY ACCORDING TO YOUR

NEEDS

It is possible to have very secure data connections, and of course our friend Leo here is a good

deterrent from a would-be prowler. However we do need to be sure that we don’t make our data too

hard to use, and we need to be sure that it is not left insecure. Security is necessary according to our

25

needs, and keep it appropriate. Often we invest in high-tech gadgetry or security methods when other,

more mundane, approaches might make the data that little bit more secure.

SLIDE TWENTY-SEVEN: DATA QUALITY POLICY FRAMEWORK


SLIDE TWENTY-EIGHT: DATA MANAGEMENT LIFECYCLE

Data goes through a lifecycle – it is created, used, assessed, re-born, and, finally, it dies. The

implication is that data needs to be respected over time – you cannot do this as a one-off. If your data

is going to inform decision-making, then be sure to have the best data quality you can afford, for the

data that matters.

To ensure that your data is managed appropriately, this lifecycle identifies activities that can be

carried out in order to manage the data at that particular point in its life. These points are suggested

by the COBIT framework.

26

SLIDE TWENTY-NINE: DATA QUALITY POLICY FRAMEWORK

This diagram here sets out some of the practical things we can do to achieve data quality. These items

would be added to the program of works, and delivered over time to critical data types. It is critical

that you consider this strategy in the context of two streams:

1. Non-critical data types – data that is not critical to business decision-making and that, whilst

we do not require it to be the highest quality, nevertheless it should be of acceptable quality.

27

2. Critical data types – data that is critical to the organisation and, if managed well, will give us

the ability to make decisions and monitor our business well.

It is likely that critical data types will be that information that is prescribed by law to be managed in a

very secure manner. Alternatively, these critical data types will be used by the business for the

monitoring and development of its key performance indicators.

The data management activities you do need to be broken down to ensure a minimally acceptable

standard of data quality for non-critical data, and focus resources on the development of practices that

affect critical data types.

Practical things that can be done to achieve data quality include:

Data entry controls: Data entry requirements are clearly stated, enforced and supported by

automated techniques at all levels, including database and file interfaces

Data ownership: The responsibilities for data ownership and integrity requirements are clearly

stated and accepted throughout the organisation

Training in standards: Data accuracy and standards are clearly communicated and incorporated

into the training and personnel development processes

Data correction: Data entry standards and correction are enforced at the point of entry

Output standards: Data input, processing and output integrity standards are formalised and

enforced

Data quarantine: Data are held in suspense until corrected

Integrity Monitoring: Effective detection methods are used to enforce data accuracy and integrity

standards – these might be automated audit tools.

Reliable and meaningful data interfaces: Effective translation of data across platforms is

implemented without loss of integrity or reliability to meet changing business demands.

Minimal keying: There is a decreased reliance on manual data input and re-keying processes

28

Data access tools: Efficient and flexible solutions promote effective use and re-use of data

Archive management: Data are archived and protected and are readily available when needed for

recovery.

Data dictionary: A data dictionary provides a framework of data types, their semantic meaning,

and works to improve the business’s understanding of its own information.

Information inventory: An information inventory provides a visual reference to identified data

and information types within the organisation.

As part of this data management strategy, ongoing feedback and data quality metrics will be important

for providing feedback for your data governance groups. Key performance indicators may include:

Percent of data input errors

Percent of updates reprocessed

Percent of automated data integrity checks incorporated into the applications

Percent of errors prevented at the point of entry

Number of automated data integrity checks run independently of the applications

Time interval between error occurrence, detection and correction

Reduced data output problems

Reduced time for recovery of archived data

The KPI may be a simple ratio, a minimum or a maximum value, or a weighted average. These KPIs

will be provided as part of the balanced scorecard to the board and its committee, and in more detail

to the business steering committee.

29

SLIDE THIRTY: CONCLUSION

The major themes that I would like to recall to you today include the following points:

Data quality is not an end in itself

Involvement and ownership by the business is vital – if data quality is not emphasised, or is not

seen as relevant to the business, then trying to force that horse to drink is going to be as frustrating

as milking a herd of mice.

Pursuing data management by technology alone is doomed to fail

It is best to develop an active data management strategy that is aligned with the business’s needs,

and to promote strong data quality habits amongst users. The force of habit is the most powerful

force in the universe.

Start focussed with the core data management activities, for only those critical data types for the

business. As you build your organisational maturity up, you can expand the data that is managed

well.

Ladies and Gentlemen, thank you for your attention today.