Business Data Controls as a litmus test of your organisation's Data Maturity

First published on my website (Business Data Controls as a litmus test of your organisation's Data Maturity — AHUJA CONSULTING LIMITED)

The Data Maturity Assessment

We all know that Maturity Assessments are a vital health check over how well your organisation is managing it’s data.

These assessments help you to determine the next steps in your Data Governance initiative as you seek to move your organisation forwards to a point where data is truly managed as an important asset.?

Most assessments will look at something like the following:

·??????? Roles and responsibilities around data

·??????? Defined Data Governance Framework

·??????? DQ Issue Management process

·??????? Populated Data Glossary

·??????? Defined DQ Metrics

Very rarely, though, have I seen any reference to individual data controls as forming part of such checks.

I’m not talking here just about a set of Data Quality Indicators.?

I’m talking about the entire suite of controls concerned with ensuring the following:

?? that accurate data is entered into core systems

?? that data is not lost as it moves throughout the organisation

?? that new data products are created in line with the downstream requirements

Data Controls

It is these individual data controls that form the most granular level at which data is managed.?

The diagram above illustrates this with data controls as the foundation for your entire Data Governance edifice, ensuring that it is supported and can assure the quality of your organisation's data.

To fail to have a strong suite of data controls in place is to fail to manage your data effectively.?

Therefore, understanding how you can determine the veracity of your control framework is key to being able to determine your overall data maturity as an organisation.

Why is this important?

I’ve come across organisations that tick all of the boxes of the typical assessment; they have a Data Steering Group, owners in place and quality metrics.?

Yet, somehow, they still had to engage in considerable re-work.? The individual data controls, forming the nucleus of their frameworks, were not well designed.? Fixing these controls had an inordinate level of impact.

In one organisation, a key data flow had stopped working for several months before being picked up.? Turned out that it had inadvertently been switched off as part of the development work for a new project.? Ensuring that a reconciliation was in place, in situ, with clear and transparent criteria for success and an exception management process, would have prevented this.

Needless to say, the organisation made sure that such a control was in place afterwards, but it was a case of locking the stable door after the horse had bolted!

So let’s dive in and take a look at an important aspect at the heart of the control framework; the narrative.?

Effective Control Narratives

A set of clear and transparent narratives must form the basis of an effective control framework.?

Sounds obvious.?

You need to know what the control is doing and how to operate it.? Yet I’ve seen many controls with vaguely worded narratives.?

An example of a poorly worded narrative

Here’s an example of a narrative for a Quality Assurance check undertaken to ensure accurate and complete data entry in an insurer.

Narrative: A daily check takes place on the new policy registrations to ensure it is correct.?

What is wrong with this wording?

Let’s take a look at the issues.

1.??????? How do we know what fields are checked??

2.??????? How does the checker know what good looks like?

3.??????? Who is the checker in this scenario and are they suitably qualified?

4.??????? How would the 2nd or 3rd Line know that the control was operated effectively?

You can see that such a vague narrative provides little assurance of the content of the control.

If you don’t know what the control covers, how do you know it’s fit for purpose?

So what should the narrative look like?

A Robust Narrative

An effective control narrative needs to include the following points to ensure that its operation is transparent and repeatable:

ü? Who - team or role responsible for its execution

ü? What –nature of the control e.g. a QA check

ü? How – the methodology required to operate it

ü? Why – the risk that the control is designed to mitigate

ü? When – the frequency of operation required to be effective

Finally, a robust data control narrative must itemise the evidence required to enable the 2nd or 3rd line to audit its operating effectiveness.?

What good looks like

Let’s apply the above to our operational QA control:

The QA Analyst undertakes a QA check over the previous day’s policy and premium registration bookings.?

The purpose of this control is to ensure the accuracy of the 30 identified Critical Data Elements.?

The Team Lead operates the following process:

1.??????? Run the Bookings Report for the previous working day’s data

2.??????? Select at random 40% of bookings ensuring a proportionate split by team code

3.??????? The data elements are compared between the booking system and Front Sheet

4.??????? Discrepancies are recorded and referred to the technician for explanation or correction

5.??????? Non-responses by the Technician are escalated to the QA Lead after 2 working days

The result of each data element checked is recorded in the Workflow system, together with any referrals to the Technician and the responses received.?

?

It can be seen from the above narrative that the reason for the control and the method of operation is unambiguous, ensuring its repeatability.?

This means that you or a third-party reviewer, such as Internal Audit, can verify whether or not the control design is effective.?

It is only by ensuring that your data controls are defined clearly, in a transparent and repeatable way, that you can have confidence in their operation and, ultimately, the quality of your critical data required to drive your organisation's success.?

Reviewing Control Narratives as part of your Maturity Assessment

So when assessing your organisation’s data maturity, take a look at a random sample of your data control narratives.?

Don’t just assume that because controls are present, they are well-designed.?

Are your control narratives more like the first example??

That would indicate a low maturity with uncertainty over how a given control is actually intended to be operated.?

Or are they more like the re-worked example, which would indicate a higher level of maturity?

Ultimately, a mature organisation will have clear control narratives outlining all the bases we’ve covered above.? A less mature one will have vague descriptions of the purpose of the control, its operation and how it’s evidenced.?

Whilst your organisation’s controls are the most granular level of data management, taken together they form the backbone of your entire governance framework.?

Reviewing the narratives can therefore give you a sense of just how mature your organisation really is.?

Make sure you include them in your next assessment to truly reflect where your organisation sits on the maturity curve.?

?

?

In the next article, we’ll focus on why you need to incorporate a data risk assessment into your Data Governance Framework.

?

Subscribe here to get future articles in this series.

--

Need Data Governance help??

Book a call here to discover how we can support you.