Information accountability requires data ownership

Imagine an organisation where information is presented to be valid when the data is scattered, unaccounted for, and unregulated. Data is the core raw material that is processed into information (data with context).

How reliable would the decision-making process be?

The answer is clear: not very.

Information is crucial for improved decision-making, strategic planning and operational efficiency.

Who is responsible and accountable for the data??

This is when the concept of data ownership becomes a critical organisational issue.

Data refers to pieces of information usually formatted and stored for a specific purpose. It can exist in various forms such as numbers, text, images and sounds. Data includes information printed, distributed, in electronic form and all other media such as paper.

In many organisations, you will find there are accountable information producers that are defined in the job role descriptions and responsibilities.

Three different organisational domains and the information they produce:

Human Resources:

• Employee records and data.
• Legal compliance and laws regarding employees.
• Employee benefits and policies.

Finance:

• Financial records and transactions.
• Financial reporting and analysis.
• Compliance and regulatory requirements.

Sales:

• Product Knowledge.
• Customer Information.
• Sales Process and Pipeline.

These are all generally written into the Head of the Domain job descriptions. They are accountable and the owners of producing this information. It is their responsibility to produce accurate information.

There is an unwritten assumption that with enough eyes looking at something, it’s highly likely to be correct. When a CFO produces incorrect financial information the most common theme I hear is “I produced the information based on the data that was available. I’ll look into what’s wrong”.

This more often than not leads to a scramble to find information about the raw data used (from HR/Sales). How it was processed and correcting the information that has been delivered. The time and effort required to fix this is proportional to the maturity of how data is used in the organisation.

It is not uncommon to find incorrect information published for years. Only when questions start being asked about the underlying data is it discovered to be incorrect.

Enron’s financial accounts were independently signed off for approximately six years before the fraud was detected in 2001. Enron had ~$60 billion in assets and Arthur Anderson had ~$9.3 billion in revenue that year. Once the fraud was discovered it led to the bankruptcy of Enron and Arthur Anderson LLP who signed off the financial accounts collapsed. The company's size, wealth and power could not protect them from the impact of the long-running fraud that was discovered.

Regulations were introduced to hold company executives more accountable for their company’s financial statements under the Sarbanes-Oxley Act (SOX) after numerous large accounting scandals which led to investors losing billions of dollars.

The impact of incorrect financial information can be devastating, leading to misguided business decisions, damaged investor confidence, regulatory penalties, and potential legal consequences.

Recent examples include:

• FTX (2019-2022): Cryptocurrency exchange where its founder and CEO was found guilty and jailed for 25 years in 2024 for siphoning ~$8 billion into another firm that was undetected.
• Theranos (2018): The CEO was accused of exaggerating or making false statements about the company’s technology, business and financial performance.
• Wirecard (2020):? A payment processor and financial services provider found €1.9 billion was missing.

Individuals owning the key report (data with context) without anyone accountable for checking or validating the underlying data and how it is used - is a recipe for ultimate disaster. However, it happens regularly as there is no real clarity around the data used or it is assigned arbitrarily to individuals without understanding the real effort it takes to manage and get the data in a fit state for use. SOX-compliant organisations need to provide a transparent view of the data flow from the source to ensure that all financial data is accurate, complete, and auditable.

Producing high-quality information relies on high-quality data. It is clear who is accountable for producing the information through the job descriptions. Clear data ownership and accountability for underlying data sets (business assets) are not optional if you want high-quality data.

Data Ownership

In the context of data ownership, we will use a taxi service example:

1. Data Consumer: As a passenger, you provide the destination information and expect the driver to use this data to deliver you safely to your location. In this scenario, you are the consumer of the data (the journey) for a cost.
2. Data Accountability: The taxi driver is accountable for using the data (your destination) to complete the journey. They are responsible for processing the data and delivering the service.
3. Data Asset: The taxi can be considered a data asset. It’s a physical entity that uses data (the destination) to provide a service (the journey).
4. Data Ownership: The taxi firm owns the taxi and is responsible for its maintenance, security, and proper usage. Similarly, in a data context, the data owner is the entity (person, department, or organisation) that has control over and responsibility for the data’s availability, integrity, and security.
5. Individual Data Owners: Within the taxi firm, individual roles may have specific data ownership responsibilities. For example, the mechanic team led by a chief mechanic is responsible for the physical maintenance of the taxi, and the management team is responsible for the areas related to the taxi’s security.

In summary, data ownership refers to having legal rights and control over how a set of data elements or data assets are used. The data owner is responsible for data quality, privacy, security, and compliance. Understanding data ownership is crucial for organisations to ensure data is appropriately managed and protected.?

Data owners are accountable for:

1. Quality: The information is of sufficient quality for its intended purposes within its area and other data consumers.
2. Security: Appropriate security measures are in place to protect from unauthorised access, alteration or deletion.
3. Compliance: It is processed and stored in compliance with relevant laws, regulations and organisational policies. This includes any data privacy laws and industry or professional-specific regulations.

In addition, they are typically responsible for defining what the data means, setting policies for its usage, and ensuring these policies are followed.?

Data owners are the strategic direction makers. They can leverage additional resources to execute the day-to-day data management responsibilities.

Regardless of format or medium, the principles of data ownership apply.

It is a significant level of responsibility and accountability.

Data Ownership in Organisations

In smaller organisations, an individual, a centralised IT, or a data team often owns the data. However rapid industry changes can make it challenging for one team to stay updated. While they can ensure data delivery, they may lack the expertise to validate its application, like in a financial statement. This task is typically for domain-specific experts.

Data ownership can be decentralised to heads of units (e.g., Sales, Finance, HR) who already manage information.

For example, HR understands various aspects of employee data:

• Sensitivity of how data can be used with age, gender, ethnicity and individual employee identification (based upon EU General Data Protection Requirements [GDPR]).
• Anonymisation of information to produce demographics around workforce composition such as age by range, gender, and ethnicity removes the ability to identify individuals within a firm.
• Retention duration for employee records is based upon professional-specific regulations and skills (CIPD – Chartered Institute of Personnel and Development) ensuring records are not altered when an employee has left the firm.

Domain-specific teams often lack skills in data quality, security, and compliance.

Here, a hybrid approach with centralised teams (data governance, security, legal, IT) can fill the gaps. This may require additional internal roles or require the use of external resources.

In the context of the EU, the GDPR views individuals as the ultimate data owners of information relating to them. There is no unified global common definition of data ownership and data owners. Regulations and laws around data ownership and usage are evolving rapidly. Although an individual may be the data owner of a set of records about themselves this does not prevent someone from being the data owner for the collective set of information about all individuals.

Regardless of the data ownership approach (centralised, decentralised, or hybrid), it’s crucial to clearly define each role’s responsibilities to enhance the organisation’s data integrity and security.?The approach chosen requires support from the senior executive team to facilitate the organisation's desired change across numerous business units.

In most circumstances, I would recommend a hybrid approach to leverage the collective expertise and wisdom that exists in the organisation augmented by external resources as required to fulfil the responsibility and accountability required.

Creating Data Owners

The process of creating effective data owners is known to be time-consuming and challenging.

The general steps required are:

1. Identify Data Owners: Align the chosen data ownership approach and data owners to specific job titles for specific categories of data sets.
2. Communication: The executive group must communicate the importance, responsibilities, and benefits of data ownership. Address any concerns or apprehensions about the role at an individual level.
3. Training and Support: Provide comprehensive training on data management best practices, data security, and data quality control. Offer ongoing support to help individuals adapt to their new roles.
4. Incentives and Recognition: Motivate individuals with recognition, performance reward alignment, or promotions for excelling in their roles.
5. Role Definition and Performance Metrics: Define the role of a data owner clearly and include specific performance metrics in the job description.?This gives individuals a clear understanding of what is expected and how their performance will be measured.
6. Change Management: Create a proactive change management approach and manage resistance to change by providing clear communication, addressing concerns, and offering support and training.
7. Succession Planning: Tie data ownership to specific job titles to ensure smooth transition plans for when individuals leave the organisation or change roles.
8. Performance Reward Scheme: Changing the individual performance reward scheme can be a difficult conversation but is necessary to ensure individuals are sufficiently motivated to deliver the required change.
9. Independent Audit: Conduct independent reviews and audits of data owners to ensure objectivity and impartiality. This may be through the internal audit team or external audit firms. This can be used by the executive team to address any issues or concerns that are identified.

This approach requires strong executive support, clear communication, comprehensive training, and effective change management. Persuasion, education, and influence can guide the pace of change, but its impact has its limits.?It’s also important to note that the impact of changing an individual performance reward scheme can be a difficult conversation but is necessary to ensure individuals are sufficiently motivated to deliver the required change.

The time it takes to have fully effective data owners will vary greatly depending on numerous factors such as:

• Size of organisation.
• The complexity of the data.
• Existing data governance structure.
• Level of support from the executive team.
• Organisational readiness for change.

It is highly recommended to take an incremental data ownership approach and move at a pace which is suitable for the individuals involved.

People take time to change - patience is a key element to success.

Data ownership is part of a wider ongoing journey and not a final destination to effectively manage data.?It is difficult to provide a specific timeframe for when effective data ownership should be expected, however, it should be a continuous process of improvement and adaptation.

The key is to start the journey and make consistent progress towards better data ownership to deliver improved information accountability.