A health care organization that experienced a breach of sensitive patient information is battening down the hatches. As part of the process of shoring up compliance, an effort is being made to reassess existing user access levels and rules. At last check, more than 500 discrete user access levels were identified. The number is mind-boggling. It clearly represents an attempt to demonstrate control by accounting for every potential permutation and eventuality. Unfortunately, this level of complexity does exactly the opposite. The reality is chaos – the sheer number subverts clarity, maintainability and auditability.
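To make the auditability point concrete, here is a small Python audit over a constructed access-level catalogue. It is an added example, not code or data from the organization described above; the level names, permission strings and user assignments are invented. It flags three things that inflate a catalogue without adding control: levels with identical permission sets, levels that are strict subsets of another level (tiers masquerading as separate levels), and levels no user holds.

```python
from collections import defaultdict

# Constructed sample catalogue: access level -> set of permission strings.
# Names and permissions are invented for illustration only.
ACCESS_LEVELS = {
    "nurse_ward_a":      {"patient.read", "vitals.write"},
    "nurse_ward_b":      {"patient.read", "vitals.write"},       # identical to nurse_ward_a
    "nurse_float":       {"patient.read", "vitals.write", "notes.write"},
    "billing_clerk":     {"patient.read", "billing.read", "billing.write"},
    "billing_readonly":  {"patient.read", "billing.read"},        # strict subset of billing_clerk
    "legacy_lab_export": {"lab.export"},                          # held by nobody
}

# Constructed user -> access level assignments.
ASSIGNMENTS = {
    "u1": "nurse_ward_a", "u2": "nurse_ward_b", "u3": "nurse_float",
    "u4": "billing_clerk", "u5": "billing_readonly",
}


def duplicate_levels(levels):
    """Group levels whose permission sets are identical.

    Returns a sorted list of sorted name lists, one per group of two or more.
    Duplicate levels are the first consolidation candidates: they add review
    effort and drift risk without expressing any distinct control.
    """
    by_perms = defaultdict(list)
    for name, perms in levels.items():
        by_perms[frozenset(perms)].append(name)
    return sorted(sorted(names) for names in by_perms.values() if len(names) > 1)


def subset_levels(levels):
    """Return sorted (smaller, larger) pairs where smaller's permissions are a
    strict subset of larger's. Such pairs are often better modelled as a
    base level plus an explicit add-on than as two unrelated levels."""
    pairs = []
    for small, small_perms in levels.items():
        for large, large_perms in levels.items():
            if small != large and small_perms < large_perms:
                pairs.append((small, large))
    return sorted(pairs)


def unassigned_levels(levels, assignments):
    """Levels that no user currently holds; dead levels still have to be
    reviewed and can be granted by mistake, so they belong on the removal list."""
    in_use = set(assignments.values())
    return sorted(name for name in levels if name not in in_use)


def audit(levels, assignments):
    """Run all three checks and return a summary dictionary."""
    return {
        "level_count": len(levels),
        "duplicates": duplicate_levels(levels),
        "subsets": subset_levels(levels),
        "unassigned": unassigned_levels(levels, assignments),
    }


if __name__ == "__main__":
    for key, value in audit(ACCESS_LEVELS, ASSIGNMENTS).items():
        print(f"{key}: {value}")
```

On the sample above the audit reports six levels, one duplicate pair, three subset relationships and one unassigned level; on a real 500-level catalogue the same three lists are a defensible starting point for a rationalization that reviewers can actually read.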
On an entirely different front, a large retailer needs to standardize its product data in support of new omni-channel and customer-first strategies. As part of the strategy, an enterprise data management function was established to drive implementation of newly defined data policies and standards. The question arose: Should this function be owned by the same group or person in charge of the existing governance and stewardship programs?
At first blush, the question and approach appear reasonable. After all, doesn’t centralized control equate to adoption? The reality, however, is a bit different. Product information is manipulated in every business process from sales and marketing to operations, merchandising and supply chain management. No one person controls these processes, so having a single “owner” for all aspects of the data has limited utility. If sole accountability is assigned to Joe, it’s Joe’s problem to solve. It’s ironic. Rather than ensuring support and participation, centralizing accountability for all aspects of the data – from policy to practice – may actually let the remainder of the organization off the hook.
These two scenarios are markedly different but share an underlying fault. Simply stated, it is the perception that control equates to, or will result in, compliance. In the first case, control is predicated on an oracle-like ability to project and identify every potential usage scenario, no matter how minute or unlikely. In the second case, centralization of control in the form of ‘one throat to choke’ presumes an authority that is unrealistic. Both companies focused on the wrong question. And in both, adoption of and compliance with the defined policies and rules has been fraught.
The yardstick for compliance isn’t absolute control. Or perfection. No one gets it right all of the time. And no one can predict with absolute certainty what the future holds.
The real measure of compliance is whether the organization has taken steps to account for events and requirements that can be reasonably foreseen. Secondarily, can the organization rapidly and appropriately identify, react to and rectify issues when they inevitably occur? The compliant organization can answer the questions:
- What are the policies and rules? And who decides?
- What processes and systems are required to implement them?
- How will we monitor compliance, manage exceptions, and react to emerging issues and requirements?
Ultimately, the question is not “Do I have control?” but “What are my controls?” It’s a subtle but critical differentiation.
Today’s organizations must balance regulations and data privacy issues with the need for business decision makers to access, analyze and explore data. How do you enforce complex and layered compliance efforts in an environment where the underlying data – and the users who need access to the data – have different levels of sensitivity that are always changing? Read Madhu Nair’s series on data federation. Nair shares some of the features, use cases and technology considerations related to data federation.