Defining Governance

Governance is perhaps one of the most often used, but misunderstood, concepts by business people and compliance professionals. The goal of this article is to identify what governance is, how it can be implemented, and how it can be utilized in different contexts—“keyed” to different control frameworks, so that business people and compliance professionals can better understand how governance can be used as a tool to enhance outcomes across organizations.

If you raise the concept of governance, people immediately think of a specific type of “governance” and assume that is what you are talking about. Sometimes that means they are focused on controls (operations), and sometimes it means they are focused on a particular type of governance—corporate governance, or governance of a particular program such as privacy, cyber, or BCP, are good examples, but in most cases that focus does not address what governance actually is.

Governance is a process, not tied to any particular substantive area, that does five things. It sets a direction, develops a strategy, creates an oversight structure, establishes operations to implement the strategy, and provides a framework for measuring progress and reporting back to the oversight layer on an ongoing basis.

[Figure: the five-step governance process]

To help further differentiate these points, the direction that is set is a broad vision for a company. The strategy layer takes that direction and begins to tie it to actions. As an example, a company might have as its corporate direction to grow market share. Its strategy to accomplish that goal might be to acquire a number of different companies. If it desired to govern its growth process, it would then implement oversight, tie its operations to its direction and strategy, and measure and report on its progress towards its direction. Some differentiate direction and strategy by calling them corporate strategy versus business strategy, but the terms used are less important than the difference between the two—one is a broad vision and one takes that broad vision and begins to tie it to specific actions.

Turning to data risk, what many companies refer to as privacy risk, we can look at the governance process a little more specifically. For many companies, strategy around data includes defining a risk appetite and risk tolerance, because many decisions about data use are driven by them. From an operations perspective, program and control creation and implementation are the critical points. As illustrated by the purple box below, the operations component can be “keyed” to any particular control framework, depending on what the company’s direction and strategy are, and what laws or controls it wants to comply with.

[Figure: direction and strategy boxes for data risk, with the operations box keyed to a control framework]

Having defined the first two boxes, we move to the rest of the process. It is perhaps easier to place this part of the process in a wheel, to illustrate the process that occurs.

[Figure: the governance wheel]

The components of the wheel are largely self-explanatory. This process allows companies to have a structure to implement their direction and strategy in a governed way.

Jonathan Margolis

Privacy officer and senior in-house counsel. CIPP/US

2 years

Great article. I wish more people understood how much effort goes into first class compliance and governance programs. Merely stating a rule does not make it happen.

Mike Brown

Executive Vice President and Chief Legal Officer at Dexcom

2 years

Thank you Andrew Serwin! Very useful.

Kenneth Jones

Managing Director, Alvarez and Marsal's Disputes and Investigations Practice

2 years

Andrew Serwin, very clear and on point. Thank you for sharing.

Omer M.

Data Privacy Manager and Senior Consultant at Securiti | FIP, CIPT, CIPM, CIPP/US (IAPP) | LLM Queen Mary University of London

2 years

This was very helpful, Andrew Serwin. Always good to revisit the fundamentals. You have explained it in a very fresh and structured manner. Umaiya Zahid Sheikh, read this when you can, to understand the term 'governance'.
