Hello and welcome. My name is Shannon Kempe and I am the Executive Editor of DATAVERSITY. We would like to thank you for joining the current 2014 installment of the monthly DATAVERSITY webinar series, Real-World Data Governance with Bob Seiner. Today, Bob will be discussing governance, risk, and compliance. Just a couple of things to get us started. Due to the large number of people that attend these sessions, you will be muted during the webinar. For questions, we will be collecting them via the Q&A in the bottom right-hand corner of your screen. Or, if you would like to tweet, we encourage you to share our highlights or questions via Twitter using the hashtag #RWDG, Real-World Data Governance. As always, we will send a follow-up email within two business days containing links to the slides, the recording of this session, and additional information requested throughout the webinar. Now let me introduce to you our speaker for today, Bob Seiner. Bob is the President and Principal of KIK Consulting and Educational Services and the Publisher of The Data Administration Newsletter, TDAN.com. Bob has been a recipient of the DAMA Professional Award for significant and demonstrable contributions to the data management industry. Bob specializes in non-invasive data governance, data stewardship, and metadata management solutions. And with that, I will give the floor to Bob to get today's webinar started.

Hello and welcome. Thank you very much, Shannon. Thank you, everybody. Good morning, good afternoon, good evening, wherever you are. Again, I'm always happy that you're here with me to attend the webinar. This is the continuation of a series, and as Shannon mentioned, this webinar will be focusing on governance, risk, and compliance. And it shouldn't be something new to you that we see these three terms being discussed together. In fact, when Shannon and I were working about a year ago putting together a list of webinars for 2014, we came up with this subject.
We thought that this subject would be very important to most people that are working in the data industry, whether their focus is on governance or on risk or on compliance. And what I found very quickly after those conversations and setting this up as a topic is that these three terms are used together all the time. In fact, there's a common acronym, GRC, for organizations that talk about governance, risk, and compliance together. And I'm going to share with you some information about what's going on in the industry, some information that I've seen relevant to some of the organizations that I've been working with. And we'll talk a little bit about how we bring those three items together. And for me, it's interesting that the term governance comes first, because to me, governance is the way to get to the end of having risk, or managing risk, in an organization, and managing compliance within the organization. So rather than calling it risk, governance, and compliance, or any other order, governance comes first. I mean, it seems to be the theme from everything that I'm reading, everything with the clients that are focusing on these areas: they wanted to put that first to recognize that they need to have accountability. They need to make certain that risk is being managed and that compliance is being managed. Government is not making things optional to us when it comes to compliance. When it comes to managing risk, not only data risk, but other risk within the organization, people need to be held accountable. And really, if you know how I define data governance, it shouldn't be a surprise to you that governance, risk, and compliance seem to go together. Peanut butter and jelly, I guess, so to speak. So, before I start, I want to talk about the upcoming webinars in the series for the balance of the year. Next month, on November 20th, right before the Thanksgiving holiday, we will be talking about selecting the right data governance approach.
We'll talk about invasive data governance, command and control, all sorts of different types of governance and the different ways that organizations are approaching putting programs into place. And in December, we will be talking about big data governance. Big data seems to continue to be all the rage, even though a lot of people at least agree that it's not very clearly defined. We're going to talk about big data in terms of governance: is there such a thing as big data governance, what it is, and why it's necessary within those organizations. So, those are the upcoming webinars in the months of November and December. Real quickly, before I get started, I also want to let you know that the book that I've been talking about for several years is finally available through Amazon, through Barnes & Noble, and through Technics Publications as well. It's called Non-Invasive Data Governance: The Path of Least Resistance and Greater Success. So, please, if you get a chance, take a look at that, and hopefully it will open your eyes to some alternative approaches to putting data governance into place. Also, I wanted to highlight that the KIK Consulting website has been updated by MindFu and it went live in June. So, it's a big change from what it looked like before. And last but not least, I want to talk about the Data Governance Winter Conference, which is a DATAVERSITY event and a DebTech International event. That will be taking place in Fort Lauderdale in December, the 8th through the 12th of December. I'll be giving a couple of presentations at that event, and I hope to see you there. So, let's talk about why we're all here today and what we're here to talk about in this specific webinar. I want to share with you the abstract that we put out there online. Hopefully that's what attracted you to this session. The target of many Data Governance programs is, first and foremost, to nail their regulatory and compliance requirements.
That may not be the case with all organizations, but a lot of organizations are recognizing that they need to make certain that they follow the regulations that are imposed upon them, that they are compliant with the rules they've defined inside their organization and the ones that are coming from outside the organization. And those organizations already have risk management as a practice. It may be under that name. It may be under some other name, but there are typically parts of the organization that have the responsibility for doing risk management as a practice. And part of risk management is to apply accountability for managing that risk within the organization. So again, the similarities between risk management and data governance abound. Even for organizations that do not consider risk management the same thing as data governance, you'll see by what we're going to talk about here that there are a lot of similarities between the two practices. And in fact, not only governance and risk, but governance, risk, and compliance. As I said before, you're seeing the acronym GRC more often within organizations. And the question is, how well are organizations governing their data? How well are they managing risk? And how well are they being compliant, again, with those rules and regulations that are being thrown at them? We'll talk a little bit about where this should be. Should this be three separate functions? Should it be a single function? Should one part of the organization focus on all three? And what are some of the downfalls of not having these efforts within the organization work in conjunction with each other? So we'll talk about how compliance is not optional; nothing about regulatory and compliance is mentioned as optional. Therefore, governance is not optional. It's kind of interesting: when I talk to a lot of organizations, they talk about having to be very clear in what they expect to get out of governance in their organization.
And the thing is that since the rules, in the sense of risk management and compliance, are not optional, we need to hold people accountable for what they do with the data, not only people at the operational level but people at the tactical and strategic levels as well. And governance is not optional. In fact, I had a client recently, actually the chief financial officer of that organization, post at the very top of their internal governance website that governance is not optional. So when we come to you and we tell you that you're a data steward because you have a relationship to the data, and you need to be held accountable for that relationship, whether you're somebody who defines data or produces or uses data, the fact is that senior management is now starting to look at this and say, you know, governance isn't optional either. You can't opt out of being a data steward. You're basically a data steward because you have a relationship to the data. And by the way, governance is going to help you to hold those people formally accountable for the management of that data. So this is what we're going to cover in the session today. I'm going to talk about risk management versus data governance and we're going to compare the two. We're going to talk about risk management as the face of data governance, since in a lot of organizations, when they're asked why they are putting governance in place or what governance is being put in place to manage, oftentimes it's the risk within the organization. So oftentimes, when organizations are asked what the purpose of governance is, it is to manage risk. It is to manage compliance. It is to improve the quality and the value of the data as well. But first and foremost, they want to manage the risk and they want to manage compliance around the data in their organization. We'll talk about measuring the success of governance in terms of risk management.
We'll talk about using risk and compliance to explain what governance is, and what data governance or information governance is in particular. And we're going to use this "not optional" thing that I've talked about here as kind of the crutch that we can lean on. And if organizations say, well, we don't want to apply any resources, or we want to limit the application of resources to governance in the organization, the question becomes, well, how are they going to manage the risk of the data? How are they going to comply with regulatory rules if in fact you don't have any formal means of putting governance in place in the organization? So we're going to talk about those subjects. What I usually like to do when I'm starting my webinars is begin with some definitions. So you may have seen these definitions before. If they're new to you, then that's great as well. But the other thing is that I've kind of highlighted, and I've even made larger, the letters or the words within these definitions that are really what we're talking about here with governance, risk, and compliance. So when I talk about data governance as being the execution and enforcement of authority over the management of data and data-related resources, the word authority is the key term here. We need to make certain that people know who has what responsibilities around the data, what decisions are being made associated with the data, who has the right to tell you that you will govern the data a particular way, what the rules are, and how we're going to execute and enforce on those rules. So the word authority isn't just thrown in there. Oftentimes when organizations look at that definition, they cringe a little bit. They say that governance is about the execution and enforcement of authority, and they think it's worded too strongly.
And the truth is, at the end of the day, if you go to your senior management and you ask them what we really need governance to do in our organization, what they need it to do is execute and enforce authority. We can do it a bunch of different ways. We can do it by hitting people over the head with a stick and telling them what to do. We can do it by formalizing accountability, because there's already accountability that exists within the organization. So the definition that I use for data stewardship is that data stewardship is the formalization of accountability. How are we going to govern data? We're going to do it through the formalization of accountability. And when it comes again to risk management and when it comes to compliance, the bottom line is that we need to hold people accountable in their daily job. No matter what their relationship to the data is: if they define data, we want people to understand that they should take a look and see what data already exists before we go and define another version of the data. If they produce data, they have an impact on the organization in how they enter the data, how they produce data. And certainly if they're a user of the data, we need to hold people formally accountable for how they use the data in the organization. Now, we can't expect to hold them accountable if we can't share with them the rules that are associated with, again, governing that data. So part of the equation is going to be the metadata: the information about the rules, about risk management, about compliance that we need to share with individuals in the organization to help them understand that they do have a relationship to the data, that we're going to hold them formally accountable, and that we're going to execute and enforce authority to make certain that they're formally accountable. These are the definitions that I use.
A lot of organizations will look at these definitions and they'll say they're worded too strongly. So what I wanted to do is, again, share with you some of the definitions that some of my clients have adopted. They've taken the two definitions, the definition of data governance and the definition of data stewardship, and brought them together. So in one organization, they said they were going to formalize behavior around the definition, production, and usage of data to manage risk and improve the quality and usability of selected data. If you notice here, they said they were going to manage risk first and then improve the quality and usability of selected data. I'm not sure that there's an implied order of events there, but to me, they're stating that they want to manage risk first. That becomes kind of the highlight. That becomes what's most important to the governance program in the organization. Another organization says formalize and guide behavior. Again, it all comes back to enforcing that authority, holding people formally accountable for how they define, produce, and use data within the organization. But one other definition that I wanted to share with you is the non-invasive data governance definition that I've used fairly often. It's the practice of applying that formal accountability and behavior that I just spoke about to non-invasive roles, and we apply governance to existing processes where we can. Really, the point of my sharing this definition with you is the last bullet, the fifth bullet under "the practice of." And that is that a lot of organizations, again, put data governance in place to assure regulatory compliance, security, privacy, protection, and quality of the data. A little bit later in the webinar, what I'm going to do is run through a couple of real quick case studies.
I don't know if you'd call them case studies, but I'll talk about several different types of organizations and why they put governance in place and what they've put governance in place to focus on. Oftentimes, you'll see that it comes down to following the rules that are associated with the data, managing the risk associated with the data, and certainly complying with any of the regulatory controls that are being imposed upon us. Non-invasive describes how governance is applied, and again, the goal is to be transparent, supportive, and collaborative in our approach. So, again, I've talked a lot about non-invasive data governance. That's the name of the book that I mentioned earlier. The idea is that we need to manage risk and we need to comply with the internal and the external rules. How you go about doing that is really up to you in your organization, and as I mentioned before, in next month's webinar, I'm going to talk about different approaches to data governance. Certainly, I'm going to emphasize that we want to try to stay as non-invasive as we can, while recognizing that at some point, as one of my clients put it one time, you're going to need the stick, meaning that at some point you're going to need to enforce that authority, and it may not feel as non-invasive as you'd like. But going in and taking an approach to be non-invasive in the first place oftentimes becomes much more accepted within organizations. So, after Shannon and I had brainstormed and come up with a list of different topics for this year's Real-World Data Governance series, we talked about risk and compliance, and I started going out and taking a look at what people were talking about when it came to governance, risk, and compliance. And here's something that I found on the Internet. This is a nifty little graphic here that kind of puts it all into perspective.
And what I saw here is that governance, risk management, and compliance is being labeled as GRC for a lot of organizations and in a lot of papers and a lot of things that you're going to read. If you see the acronym GRC, it oftentimes stands for governance, risk, and compliance. And oftentimes that's the umbrella term that covers an organization's approach to all three of these disciplines across these three areas of the organization. So this graphic kind of sums it up pretty well: ultimately the goal is business optimization, and how are we going to do that? We're going to do that through increased visibility, efficiency, accountability, and collaboration. And what are we going to make more visible, and what are we going to make more efficient, and how are we going to hold people accountable? We're going to hold them accountable for the governance of the data, the risk associated with the data, and the compliance associated with the data as well. And what I like about this diagram is you can kind of visualize the circular, database-looking thing in the middle of it as spinning round and round. It's there, and it's being supported by management. And if you've attended my webinars talking about data governance best practices, management support, sponsorship, and understanding of governance, risk management, and compliance tend to be the most important best practice for organizations. How are we going to do that? We're going to do it through specific functions like IT and finance and audit and security and legal. We're going to put functions in place within our organizations to make sure that risk management is being handled, that compliance is being handled. And the truth is that the governance aspect of it is trying to build it into what we do on an everyday basis.
So the idea is that almost anybody in the organization can be considered a steward, especially if they have a specific relationship to the data. We want them to understand what the rules are. We want them to understand how we're going to execute and enforce authority over that data that they define, produce, and use. And we also want to help them understand that they are going to be held formally accountable for what they're doing moving forward. So again, I thought this was an interesting graphic. The one thing that really stood out to me was the whole idea of accountability. I can understand visibility and efficiency and collaboration when it comes to how organizations want to optimize. But it was interesting to me that they included the word accountability in here. Because again, that really tends to be what governance is all about, or actually what the stewardship aspect of governance is all about: again, the formalizing of accountability around the management of the data to ultimately govern toward things like risk management and compliance. So I grabbed this graphic from Yahoo Graphics online. I thought it kind of set out in a nutshell where governance, risk, and compliance fit into the overall picture of business optimization and the things that need to be there to support that as well. So GRC, when you see the term GRC used in this presentation, you know what it means. GRC is a discipline that aims to synchronize information and activity across all three of these disciplines, governance, risk management, and compliance, in order to create the effectiveness and efficiency that we saw. Those were some of the things that were highlighted in the graphic on the previous page. But it's really more effective information sharing and reporting to avoid wasteful overlaps. The truth is there are similarities between governance and risk management.
There are a lot of similarities, and there is also overlap between risk management and compliance. In a lot of organizations, they tend to set up different parts of the organization to manage these three things. So GRC typically encompasses activities such as corporate governance, which may be managed by one part of the organization; enterprise risk management, which may be data risk and may be non-data risk; and also corporate compliance. In a lot of organizations, there are different people in the organization that have the responsibility for these three different things. And the question is, should there be three different parts of the organization? Do they all fall under one umbrella? And that's something that I'll talk about here quickly as well. Organizations oftentimes reach a size, or they're already at a size, where they need to coordinate the control of governance, risk management, and compliance. In fact, a friend of mine thinks of it in terms of a three-legged stool. If you think of governance and risk management and compliance as being the three legs of a three-legged stool, they really all depend on each other. And in fact, if they're all being done individually or separately in different parts of the organization, oftentimes that causes problems. In fact, it makes it so that we cannot report these GRC results to our senior management. Just like when senior management asks a question of any data that we have within our organization: how many customers do we have? Which students are most at risk? What are all the touch points for X, Y, and Z in the organization? The problem is that there are not coordinated efforts around the data. Governance certainly imposes some consistency across the organization, in just the way that we should look at GRC together as well. So, potentially in the future, all three of these may fall under the same part of the organization.
The last bullet on this page says that each of the three GRC disciplines touches and impacts the same technologies, the same people, the same processes, and the same data of the organization. Yet, even though we have a relationship between each of those items, it's being done independently. And I think what you'll see in the future is a movement toward GRC potentially becoming a separate part of the organization that manages all three of these things. I don't know if that's actually going to be the case, but I think that if we look down the road a little bit, if organizations start to embrace these three disciplines, there's going to be a need for them to fall under the same part of the organization. Under the chief operating officer, since at least most of those are data-related. So when your governance, risk management, and compliance are managed independently from each other, organizations typically have substantial duplication of tasks. So you talk about organizations that have different people in the organization that are identified as stewards. Well, the same stewards exist no matter whether it's governance, it's risk management, it's compliance, information security, anything that is a discipline associated with the data. Those people in the organization that have the responsibility to be held formally accountable for that are the same people. They're using the same technologies. They're following the same processes. Ultimately, at some point in time, I see the three of those being brought together. So overlapping and duplicate GRC activities negatively impact organizations when it comes to operational costs, confusion about responsibilities, and the ability to report GRC metrics to the management in our organization.
Internal services might be audited and assessed by multiple groups on an annual basis, and if they're being audited and assessed independently of each other, it's certainly creating enormous cost, and you're getting disconnected results in the process of auditing and assessing each of these different disciplines. So again, in the future what I'm seeing is that at some point in time these three disciplines are going to come together. So the disconnected GRC approach will also manifest itself in the inability of the organization to provide the results that we need, the reports of how successful you are, to our executives. Again, you're using different data from different parts of the organization, managed by different groups. It's like a badly planned transportation system. That's a great analogy that I saw. Every individual route will operate, but the group will not have the qualities that allow them to work effectively together. Again, another reason why you may be seeing that the three of these disciplines will be coming together in the future. Maybe not in the distant future, in fact. So due to a lot of changes that are taking place within organizations from a technology perspective, or increases in data storage, whether it's big data or very large databases or unstructured data growing through the roof. There's a lot of globalization, where we've got different regulations and risks based on locations in different parts of the world that we have to take care of. Increased regulations: rules are not optional, and there are penalties. We're seeing that the number of GRC-related requirements is becoming unmanageable when being done independently. So again, another reason why you may see the bringing together of GRC in most organizations. And I'd be curious whether or not these parts of your organization are all together, are working on these three disciplines together. I'd be curious to hear that from you.
Because again, from what I've seen in organizations, a lot of times they're being done independently. And from the stuff that I just shared with you in the previous slides, the fact is that that becomes cumbersome to an organization. That becomes expensive. That becomes a great cost to the organization, where they could streamline those and bring those together, and instead it's all separate. So the question becomes, is governance really the umbrella under which risk and compliance reside? Or is risk management the umbrella? Or is compliance the umbrella? It takes me back to the same question. Are these all three equal legs of the three-legged stool? Or are some more important than others? It takes me back to some debates that we've had in years gone by. Is business intelligence part of knowledge management? Or is knowledge management part of business intelligence? And again, there are different answers depending on who you ask. But I'm sure that it really matters that governance needs to be the umbrella under which risk and compliance reside. The idea is that all three really need to work in conjunction, excuse me, with each other. Governance happens to be the means to get to the end of managing risk associated with your data and managing compliance associated with your data. So from my travels, what I've seen within organizations is that there are three different types of GRC, of governance, risk management, and compliance, taking place in organizations. Oftentimes, you'll find governance and risk management and compliance around financial data, around the finances of the organization. You'll find it under IT. You'll find it under legal. The question is, does your organization have all three of these? Are all three of these together under one part of the organization? Are the different types of GRC coordinated with each other? What are the differences? Let's just spend a quick moment here talking about the different types of GRC.
There's financial GRC, which relates to the activities intended to ensure correct operation of financial processes. Most organizations have some level of financial GRC taking place. In fact, that's where most organizations tend to start. I'm going to spend a few minutes talking about financial data in a minute and talk about how important governance and risk management and compliance are to the financial data, but is it really any different from any other data in your organization? Maybe it's just that there are more rules and regulations associated with the data. IT GRC, so again, IT governance, risk management, and compliance, relates to the activities intended to ensure that IT organizations support the current and future needs of the business in compliance with all the mandates that are being imposed upon them. A lot of organizations have this. They have some level of formal IT governance, or even informal IT governance, but there is some level of governance taking place in the IT area to make certain that the actions and the activities of the IT organization are there to support the needs of the organization when it comes to all their information- and data-related mandates. So some organizations have this. Most organizations tend to have the financial GRC. The last one is the legal GRC. Legal GRC focuses on tying together all three components, governance, risk management, and compliance, via an organization's legal department. And in those organizations that have chief compliance officers, they oftentimes lead the charge when it comes to legal GRC. So there's certainly more than one type of GRC that we're talking about here. There's the financial, there's the IT, and there's the legal GRC. And the question that I pose to you is, do you have any of those? Do you have people that are responsible for those? Are they the same people? Are there duplications of effort? Are there overlaps?
Do we need to take a look at that and somehow bring the three of them together under one part of the organization? And as I said before, I think you're going to see that in the future. In my research on the Internet around GRC, very quickly I came upon this one organization, DatabaseAnswers.org, that put together this quick-hit data model for governance, risk management, and compliance. What I wanted to do is highlight the three important aspects of this. The first one is that governance tends to focus on the roles and responsibilities, the formalizing of the process, the identification, and the communications with the people to let them know what their role is and what rules they need to follow as well. Then there's the risk management piece of it, which included something that was kind of new to me, key risk indicators, and I'm going to talk about those in a second as well. But then there's also compliance. And what I thought was really interesting about this diagram is that so much of it tended to focus on what was all the way to the right of the diagram, which is the documents, or the documentation, that spells out governance and who does what with the data and who has what accountability. It spells out what the risks are associated with the data and the actions the organization is taking to mitigate those risks. The compliance rules. A lot of organizations, again, will expect that the individuals, even down to the operational level, are compliant with the rules. But how much of an effort is there to get those rules into those people's hands so that they know the rules, to give them refreshers on the rules, to help them, again, comply with regulatory controls in the organization? When rules are broken in an organization, or when people do things in the organization that they shouldn't with the data, oftentimes that's because they don't know the rules associated with it.
So we as data people within our organization need to do a better job of documenting the rules associated with the risks associated with the data and completing the rules associated with compliance around the data and documenting the roles and responsibilities associated with management and compliance. They all fall into the category of metadata. And metadata becomes a very important aspect of doing any of those three disciplines or all of those three disciplines. The information that I'm giving at the Data Governance Winter Conference in Fort Lauderdale in December talks about the relationship between the metadata and governance. In fact, you really can't do governance without metadata, information about the data, information about the people that are associated with the data. I stated in that presentation that metadata is basically a byproduct of putting governance in place because we're identifying who does what with the data. We need to document that information. I've shared it before in a common data matrix and I'm going to share a version of that here in a future slide in this deck. Again, the metadata becomes very critical to managing risk, managing compliance in an organization. There was a term on the previous slide that talked about a key risk indicator. Sometimes you'll hear about key performance indicators, but I want to give you a definition that I took for a key risk indicator. A key risk indicator is a metric for measuring the likelihood that the combined probability of an event and its consequences will exceed the organization's risk appetite and have a profoundly negative impact on the organization. If you do some research on KRIs, you'll get a list of those on the Internet, but the question really becomes how many of those are truly associated with the data. 
What we really need to do is identify key data risk indicators as part of our governance initiative and communicate those key data risk indicators out to all the people that define, produce, and use data as part of their job. In most of the organizations that I deal with, almost everybody defines, produces or uses data as part of their job. We need to know who they are and we need to share with them these things that we may call a key risk indicator. The key risk indicator is a metric for measuring the likelihood that a combined probability of a data event and its consequences will exceed the organization's data risk appetite and so on and so forth and have a profoundly negative impact on the organization. If you use the term KPI and you use the term KRI, there will be something else that's in there as well, a key data risk indicator. So all organizations, we keep hearing every day of different organizations that are in the news associated with data breaches, whether that's somebody who hacked their system or somebody who got access to credit card numbers and customer information. Just in the recent months we've seen Target, Kmart and Home Depot and even Dunkin' Donuts. Believe it or not, Dunkin' Donuts was also on the list where their customer information was being stolen or people got access to their customer data when they weren't supposed to get access to the data. So the questions become, are organizations becoming more blasé about data risks? Are organizations becoming more diligent? We're hearing more and more about these data breaches in the news, but the more we hear about them you'd think that organizations would be focusing more and more on them. We're building these 10-foot walls around their data, but the problem is that if we build a 10-foot wall around our data, somebody somewhere out there is going to develop a 12-foot ladder to get over that wall. The same thing may hold true for our governance, risk and compliance issues as well. 
We may build all of this into our culture or organization, but somebody somewhere may be trying to build a ladder, and the fact is that rules keep changing and rules keep getting expanded and the meanings of the rules continue to change. If we don't have governance built into the data activities for individuals and the communications of the rules associated with the data built into the processes, then the fact is that we're going to see more and more of these data breaches. We're going to be seeing more and more of these risk factors in the organization. We're going to see more and more compliance rules being broken. We need to make certain that communication becomes a key part of our governance initiative moving forward. I'll run out of time really quickly here, so I just want to go through a couple slides here really quickly. Six questions to ask about our risky data. Do we need to govern our risky data more than we need to govern other data? The fact is really no. We need to govern all data the same way. We need to have rules, but should we focus initially on that data that's going to put us at risk first? We're finding that a lot of organizations are doing that. They're focusing on their financial data, which is sometimes more heavily regulated than other data, or at least as they see it, it's more heavily regulated. So question again, is financial data different from any data in your organization? Certainly, because it's a different subject matter, because of where it comes from. We need to manage our financial data the same way that we manage any data in our organization. Is our financial data more heavily regulated? Well, maybe yes, maybe no. There are a lot of different rules that are being imposed upon us. 
I did a presentation for the Federal Reserve recently and I took a list off their website of all of the different rules, or at least a subset of the rules, that the Board of Governors of the Federal Reserve System imposes, and those two pages that you see on this slide here, that's going to be a piece. There are not more rules than that. So if we think that we can manage the risk associated with data through the governance and we can manage compliance, then we need to make certain that we take these rules out from under the covers and put them in the hands of the people that they're going to be impacting every single day in the organization. So we need to document. We need to create that metadata that was in the data model that we spoke about earlier. And I wonder if there are more people who handle financial data; well, I guess that all depends on the type of organization that you're in. Oftentimes more attention is paid to financial data, and again in some organizations they'll say no, it's just data. We need to have the same level of governance not only for financial data but for the organization that you're in. So do we need to emphasize financial data first? Well, if you attended the finance data governance conference last week, a lot of those individuals will say that they really need to focus, buckle down on their financial data first before they start jumping into the other types of data in the organization. Is it an asset? Well no, the financial data is an asset to the organization the same way all the other data is an asset to the organization. So if you treat the financial data any differently, I would say that if you put a single program in place around governance, risk, and compliance, or you at least have them all working in conjunction with each other, that we don't really need to govern financial data any differently. We may need to govern patient or personal health information or personally identifiable information. 
So really the answer to the question is should we do it differently? I don't really think there's an answer that is important to you and how it's being used within the organization. We shared this diagram in many of the webinars that I've done just because people have legalized it as a picture worth a thousand words. Well, the truth is that those four principles down the middle of this diagram become a lot of the core principles that organizations follow when they're putting governance in place and it should be a surprise that they must be managed to follow internal and external rules that are a big part of that. So again, we need to focus our governance on making certain that we know the rules, that we document the rules, that we communicate the rules, that we enforce the rules that people within the organization and people who know those rules already, that's what senior management tells us. Why don't they know the rules if they don't know the rules? Because the fact is that oftentimes governance is not made a priority within an organization. So if we take those four core principles down the middle as being the most important principle around governance, certainly data should be managed to follow internal and external rules and regulations becomes a piece of that. So risk management and data governance, the same thing. Risk management, the definition in FreeDictionary.com is it's techniques used to minimize and prevent accidental loss to a business. Modification is assessment and prioritization of risks by coordinating an economical application of resources to minimize, monitor, and control the probability of the impact of unfortunate events. If you have a chance, take a look at the book that I mentioned here, the failure of risk management. Why it's broken and how to fix it. A lot of what is implied in that book is that we need to execute and enforce authority over that data. 
We need to formalize accountability and bring those two together in order to make governance work within our organization. So risks certainly come from a whole bunch of different areas. There's uncertainty in the financial markets. There are threats from failure of projects. There are legal liabilities. There are credit risks. All of these may be considered to be compliance issues. But there are also accidents and natural causes and disasters and deliberate attacks. A lot of the things that we read about and we hear about in the news are impacting organizations. When it comes to putting governance in place, a lot of organizations are focusing first on the compliance aspect of it and making certain, again, that the rules are documented and the rules are communicated and they are enforced by the people of the organization that define, produce, and use data as part of their job. So is compliance or is risk management and governance the same thing? Again, the way I view it is that governance is, again, the execution and enforcement of authority over that data and over the rules that we have associated with the data. I would say they're not the same thing, but they're connected at the hip. They are two of the three legs of the three-legged stool. Again, the three legs would be risk management, governance, and compliance. Pull one out and the stool is going to fall over. That's the whole analogy of the three-legged stool. So the definition I use of governance is the execution and enforcement of authority; stewardship is the formalization of accountability. Risk management is where a lot of organizations start to formalize this level of governance. The formalization starts to formalize accountability when it comes to compliance rules, when it comes to risk management rules within the organization. They're very closely related, but they are not the same thing. 
Governance becomes an end to get to the means of compliance and managing risk associated with data in the organization. What I want to do here is spend a few minutes talking about a couple of case studies or a couple of organizations that I've had the pleasure of working with recently. One is the Department of Health and Welfare within a state. Their sole emphasis of their governance program was on protecting sensitive data. They had a two-year long project that they are in the throes of right now where they want to document the rules and create a rules repository that they can then direct people to so they can understand all of the rules, all of the risks associated with protecting sensitive data. In another organization, in Pennsylvania in fact, it was an investment management company. Their sole focus of their initiative was on information security and making sure that the data was secured within the organization. At Lawrence University, which I worked with, they had a data classification policy prior to my getting there. They had rules associated with highly confidential data, confidential data, sensitive and public data. Their focus was on risk management around data classification and how they were going to enforce data classification rules. A couple of others: a medical school at a university was protecting sensitive data, personally identifiable and personal health information, and a health insurance company that I'm working with right now. Their focus is on data sharing, extraction and vocabulary. What I want to do is I want to share with you a slide that's a work in progress from that organization, and you'll see that these guidelines and these rules associated with the data become a main topic of the processes associated with governance. At the end of the day, what they're trying to do is execute and enforce authority over the protection of that sensitive information. 
Now another diagram may be a little bit difficult to read because some of the writing on it is pretty small and I apologize for that. But if you'll see, this is a process that an organization is putting in place for people who are going to request data, people that are going to request reports; the emphasis of their governance initiative is on data sharing, data extraction and building and improving vocabulary around the data. And if you follow through the process, you can see that requesters are now being forced to complete a request form with the information that they need to document about the requests that are taking place, up to the far end of this diagram. You'll see that there's a metadata platform where we're going to move this information about the request, about the rules and the guidelines, about the reports and the data themselves that are being created. They're all going to be stored off into a metadata platform. But the point that I wanted to make with this slide that I wanted to show you was this aspect that I circled in red here. And this is that once a request has gone through the formal request process and is given to the manager of data management, or whatever you want to call that person within your organization, there's a decision point to be made. We can take that information that was requested for a report or in a data set and balance it up against the rules that are associated with that data. Is this personal health information? Is this personally identifiable information? Is this Sarbanes-Oxley information? We need to make certain which data can and cannot be shared, that people in the organization, through their request, can't just ask for data or ask for a report; they need to understand the rules associated with the data that is associated with that report. And so they built this into the process, that we need to bounce these requests up against these rules and guidelines. 
And so the interesting thing that they're doing is that if a rule or guideline has not been set for that, the rule or guideline needs to be set before that data request can be completed and before that report request can be completed. If that rule or guideline already exists, then we can go back to the manager of data management who can then assign the request to a resource who can then create the outcome of the request. But again, the rules and guidelines become such a critical piece of the overall picture for requesting data, for sharing data, for extracting data. And again, the idea is that we want to make sure that we're recording those rules and we're communicating them effectively to people within the organization. So compliance, regulatory compliance, adherence to standards, regulations, other requirements, we need to make certain that those rules are captured. Are compliance and governance the same thing? Again, I would say no. I would say that governance is a means towards that end. Without governance, how can we make certain that people know that they have a relationship to the data, that they need to comply with certain aspects, certain rules associated with the data? So governance is really a means to the end of having compliant data. And at the end of the day, at some organizations, it's all executing and enforcing risk management and compliance rules across the organization, kind of taking my definition and making it more to address the topics that we're talking about today. So risk management and compliance can become the face of data governance in your organization. They can become the reason why we need to do data governance in the first place. So it's something that we're doing already. That's something that we should emphasize. If we are, because in most organizations, I tell them that you're already governing data, but you're oftentimes doing it very inefficiently, very ineffectively, very informally as well. 
And so what we need to do is put some formalization around those accountabilities. So risk management and compliance might be the reason why we do governance in the first place, but since we're already doing it, maybe some of those rules, some of those roles, R-O-L-E-S, are already defined. If people understand that they're going to be held formally accountable, governance is the way that we're going to get there. We're going to help to communicate the rules. We're going to be able to formalize existing accountabilities by putting this information into the hands of the people that define and produce and use data as part of their daily job. So there's a lot of optional there for when we must have a governance plan to address all three of these. Risk and compliance, they need to have a plan that brings those three together. So how can we make risk and compliance the face of governance? Well, one of the things that we can do is we can inventory who does what with data across the organization. And we can formalize how we document and make those rules available to those people that we've just inventoried across the organization. Now oftentimes, you'll see me talk about something that I call a common data matrix, a tool that we can use to catalog who does what with data across the organization. I'm sharing with you a version of the common data matrix that I've shared so often. And it's very simply stated, this is a two-dimensional spreadsheet that references the type of data that we have in our organization. Let me see if I can draw a little bit on here as well. So the type of, no, that was the wrong icon, depressed. So on the left-hand side of the matrix, we've got the different types of data that are important to our organization. We've got those types broken into domains, maybe even into subdomains. And then we've identified, if you move over to the right in the diagram, you'll notice that we list the systems that that type of data resides in. 
And who in IT has the knowledge and the responsibility for that data? And in the different corporate units and business units in the organization, who are the definers, producers and users of that data? That's the data that these rules are going to apply to. And if we don't document and record those rules somewhere and share those with the people, how do we expect that they're ultimately going to manage risk and comply if they don't know what the rules are associated with managing the risk and complying? Here's the operating model diagram that I've shared very often as well. And the reason why I'm sharing it here is that it's kind of color coordinated with the previous slide. You can see where are the different roles? The roles are defined within the pyramid diagram, and in the common data matrix it actually becomes a reality of, well, where do they exist in the organization and what data is it that they need to know the risk management rules associated with and the compliance rules. In fact, another organization has a different version of the common data matrix that looks something like this. And this is an organization that I mentioned before that was focusing on classification of data. Highly sensitive data, and that's the data that's depicted in red here. Sensitive data that's in yellow, and there's the public data that's in green. And so in this diagram, again, what we're doing is we're cross-referencing the different types of data with the different parts of the organization that use it. The thing I wanted to highlight on this slide was what I've circled in red. I'm going to put a square around it in red, and that's the rules associated with each of the different types of data. Somebody has to have the accountability to document those rules. 
Somebody has to have the responsibility to communicate those rules to everybody in the organization that's expected to be compliant and to manage risk, especially associated with data, and our management will tell us that that's pretty much everybody in the organization. So if we don't do a better job of documenting those rules and sharing those rules with people, how can we be expected to manage risk? How can we be expected to be compliant with the rules that are being imposed in terms of risk management and compliance, in terms of reserve laws, international laws, classification rules, security rules, operational rules, business rules in the organization? Those are just some examples of different types of risk management and compliance rules that we have around us in our organization. We can measure governance in terms of risk and compliance: what percentage of our rules are documented and what percentage of those rules are linked to the data specifically and how many of those are being made available to the people that have their hands on that data. So how often is it being communicated? How often is it being refreshed? Because these rules associated with risk management and compliance are forever changing. So we can't just communicate them once and that's it. We need to make sure that we refresh those rules. How many of those rules are being analyzed and are being reported on when the rules are being followed? How many rules are being broken? How many rules are being followed? Those are things that we can measure in terms of risk and compliance in our organization. And you're probably familiar with ISO. And ISO has stated that risk management should do the following 10 things. It should create value and be an integral part of an organization's processes. Decision making, address uncertainty, those things. I don't want to read through each of them individually, but you can see that's really what risk management is all about. 
And if you attended my webinars in the past, you'll know that when I talk about things in terms of non-invasive data governance, they should do the same thing. It should create value. It should become an integral part of our processes, and in fact we should build governance into existing processes wherever we can. Again, in our attempt to stay as non-invasive as possible, to become part of the decision-making process. We need to address uncertainty. We need to be systematic and structured in how we go about doing it. It needs to be tailored to fit the culture of the organization. So that's what ISO is telling us around risk management. I think that the same principles apply to non-invasive data governance as well. So what are the consequences of ungoverned risk management and ungoverned compliance? We have informal roles and responsibilities. There's a lot of informal accountability, if there's any accountability in the organization. Typically there is. One of the things that I suggest by staying non-invasive is that we look at who is accountable and let's document who they are, whether it's in the common data matrix or in whatever tools we're using. Workflow tools. We need to go from being informally accountable to being accountable. We need to go from having informal communications on the rules associated with management and compliance to formal communications. From an informal action plan to formal definition and enforcement of the rules is really what governance is all about. So governance and risk management are not the same. Governance and compliance are not the same. Governance is truly the means that we will follow to get to the end by having a successful risk management practice within our organization and a successful compliance practice within our organization. What are some of the consequences of ungoverned risk management and compliance data? 
Well, if we break the rules, we get caught, we pay the consequences, and maybe I'm going a little bit overboard with the last things that I listed here, but tragedy, despair, hopelessness, train wreck, really bad things happen when we have ungoverned risk management and we have ungoverned compliance. And the way towards formalizing those is to formalize the way that we apply accountability within our organization. And my suggestion is the non-invasive approach. So my final words are: following the rules is not optional. Accountability needs to not be optional. Oftentimes the accountability is already there, and you just ask your management whether or not they think that this accountability is optional. And if they don't know it can't be optional, then what we need to do is we need to make certain that our governance approach includes formalizing who the stewards are, recording who the stewards are, and pretty communications with those stewards. So we need to formalize our approach. We need to be non-invasive in our approach before we take any questions. And I don't know if there are any questions or not. Please submit them to me after the webinar if necessary. But just again to let you know what the upcoming webinars are. In November I'll be talking about selecting the right approach. In December we'll be talking about big data governance. And you can register online at DATAVERSITY for the webinars. And I hope to see you there. So in this session we covered these things: risk management and data governance. Risk management is the face of governance. Governance in terms of risk management, using them to explain governance, and the fact that none of these things are optional in our organization. And we need to use that fact that they're not optional as the crux for success in our organization. And I would like to turn it back over to my friend Shannon to see if that works. Thanks Bob. And thanks for another great presentation. 
Unfortunately we don't have a lot of time left for questions. But the most popular question of course is people asking if they will receive a copy of the presentation, and just a reminder that I will send a follow-up email for this webinar by end of day Monday with links to the slides, links to the recording, and anything else requested throughout the webinar. I don't see any questions coming in quite yet other than those. If there's anything out there, just make sure you type it in the Q&A in the bottom right-hand corner of your screen. If we don't have time to address them in this particular live event, then we can certainly get those questions to Bob and get those out in the follow-up email. Just one last question here. What is the most common question you get about this particular topic from companies that you work with? They want to know how do they bring these issues together? How do they use governance as their end to get to risk management and compliance? And the easiest answer that I have for them typically is that they need to document the rules. They need to document the risks. They need to communicate them to all the people in the organization that they know have some level of accountability for following those rules. That seems to be the most asked question per se. That's all we have time for today. And just a quick interview: if you want to meet Bob in person, you can meet him at the Data Governance Winter Conference in Fort Lauderdale, Florida. You can see him there December 8th through 12th. Bob, thank you for another great presentation and thanks so much to our attendees for participating today. And I hope everyone has a great day. Thank you. Thank you, everybody.