The handling of customer data is one of the thorniest business issues of the 21st century. If companies aren't struggling to determine which versions of their customer records are accurate and up to date, they're scrambling to do damage control in the wake of security breaches that expose sensitive information to prying eyes.
And while there are countless software products designed to aid in tackling those issues, it may be the emerging business practice known as data governance that holds the most potential for companies to get a handle on their fast-growing pools of information.
Data governance is an idea that's gaining momentum among IT and security executives who are proclaiming that enough is enough. And with good reason: Companies estimate they're losing 6% of sales because of poor management of customer data, according to a recent survey conducted by data broker Experian's QAS division for data quality management.
At its most basic, data governance is a programmatic approach to managing information across an organization. It involves a formal set of business processes and policies designed to ensure that data is handled in a prescribed fashion, with any human intervention handled by trained data stewards. It's the opposite of what most companies have been doing until now, a more application-specific approach that only meets project-specific needs.
"You usually start data governance because there's a big problem," says Robert Garigue, VP of information integrity at Bell Canada. "If you don't have the right controls, you're going to have a business disaster when it spills out into the public." Just ask any of the dozens of companies that have been bitten by publicly disclosed customer data breaches over the past year. No wonder Garigue refers to customer data as potentially "toxic content."
Garigue, who left his post as chief information security officer at Bank of Montreal to join Bell Canada earlier this year, is one of a handful of IT execs at the forefront of the data governance push. He got into this effort in 2004, when he entered into an ongoing dialogue with Bank of Montreal's chief privacy officer, senior VP of corporate resources, and others about the need to take a hard look at data management and security. The problem came to light, he says, when the company deduced that poor data was making it difficult to undertake application integration projects. Customer information was stored in 10 to 15 apps--each with its own distinct, often conflicting, data sets. There was no way to know which system had the most authoritative customer record, so integration efforts stalled.
Power In Numbers
All this led Garigue to become one of the early participants in a data governance council IBM formed in 2004. Chaired by Steve Adler, IBM's program director for data governance solutions, the council consists of about 50 IT and security execs from IBM customers. They gather quarterly to discuss data management challenges and share best practices. Garigue continues to participate in the council on behalf of Bell Canada, where he's spending his first months pushing the debate about data governance throughout the company.
Based on conversations with his peers, Garigue says IT execs have a growing awareness that the information management software they've been using is only as effective as the processes, policies, and people they support. "A lot of organizations are realizing they need to do something, but they're not exactly sure what that is," he says. "Technology is going to be an element of the solution, but you have to have a governance program around it."
As companies grapple with their first efforts at data governance, help from vendors is limited. Most of the big software vendors haven't established clear strategies for customer data governance and have focused instead on developing master data management tools designed for all types of corporate information, AMR Research analyst Rob Bois says.
Oracle may be headed in the right direction thanks to its acquisition of Siebel Systems, but it hasn't established a time line for converging its Customer Data Hub with Siebel's Universal Customer Master product, both of which could act as clearinghouses for definitive customer records.
IBM, meanwhile, is marketing a set of data governance tools as part of its information integration suite, with modules for managing data quality and identity resolution. But many companies are taking a best-of-breed approach rather than wait for the big vendors to solidify their customer data strategies, Bois says.
One useful tool, Data Foundations' OneData, combines business process workflow, change management functionality, and a business rules engine in a way that's fine-tuned for managing customer data. Companies' preferred data models can be imported into OneData, saving businesses from having to adopt new data models and allowing customized implementations in just a couple of days.
But most data governance advocates stress that technology isn't what's holding up progress. Perhaps the biggest obstacle to creating an effective program is getting people to reconsider the notion of data ownership, IBM's Adler says. One of the central characteristics of data governance is the elimination of stovepiped data silos in favor of a more centralized approach in which data stewards make sure records are clean and accurate. That means some data "owners" have to relinquish their fiefdoms--and it's hard to get people to "give up their little turf and work together for a common good," Adler says.
That's why so many businesses continue to function at a level of data management maturity that Aaron Zornes, chief research officer at the Customer Data Integration Institute, describes as "anarchy." Data is coming from multiple sources, getting entered into multiple systems, with no overarching controls to ensure that any one record represents the truth.
Data governance efforts are lagging even in the financial services sector, which not only has the most customer information of any industry but also must contend with the most stringent regulations dictating how that data is managed. In a white paper Zornes is preparing for IBM, he notes that fewer than 30% of financial services companies have centralized their data ownership along a governance model. Worse, two-thirds of those companies haven't documented the related policies and procedures, and three-fourths have no way to evaluate how well it's working.
The goal is to get companies to reach a "federalist" level of maturity in which business and IT work closely together, using service-oriented architectures to create shared data services, and ensuring that data is entered in a consistent manner and managed as a centralized asset, Zornes says. To get there, companies must make a number of cultural and process changes, he says. They have to set up oversight committees to develop policies and procedures that make up the foundation of a governance program. They need to become much more diligent about controlling who has rights to access and make changes to information. Data and metadata must be actively shared across the organization. And in addition to getting data owners to embrace the concept of stewardship--in which they apply their expertise to usher information through a governance program--they have to start adding the position of certified data steward, a job that Zornes expects will become more common in IT departments and business units over the next few years.
Perhaps most important, they have to undertake massive data inventory efforts to identify all their data assets, their value, and the level of risk they present. "If you don't know the value of something, as well as the risks and the costs, how can you manage it?" Zornes asks.
Customer data, however, presents a challenge on that front, says Adler, because ascribing its value is more difficult than computing the worth of other data types, such as patents and software code. "Customer information doesn't have built-in value determinators," he says. "Companies have to evaluate it themselves."
As companies begin to get their arms around this massive challenge, they may find they're able to reduce the number of embarrassing incidents of data exposure. But an even greater motivation is inherent in the bottom-line impact, because bad customer data hits companies where they hurt most: on the bottom line. "What happens if your customer information is 50% wrong?" asks Bell Canada's Garigue. "You're throwing away 50% of your money."