The new science of Meta Analytics has been formalised to enable broad oversight of data and processes, with key objectives of supporting governance thereof, proving compliance, achieving alignment and leveraging efficiencies.
By Mervyn Mooi, director at Knowledge Integration Dynamics (KID)
As governance and compliance becomes an increasingly top of mind issue for data stewards and their enterprises alike, the challenge of mapping governance, risk management and compliance (GRC) rules to actual the data and processes has come to the fore.
Where once, companies tended to focus on the content – the data itself – rather than its containers – the metadata – management of metadata is now becoming a key focus. Metadata, covering factors such as data and process context, design and specifications, execution information might accurately be described as the ‘information about data’. Metadata Management has become a science in itself. However, in South Africa, systems analysts, database administrators or systems administrators still tend to interrogate metadata at a fairly basic and technical level for operational purposes.
Mapping for GRC
Linking metadata to GRC rules, the latter which are abstracted or prescribed from the organisation’s PPSGs (Policies, Principles, Procedures, Standards, Regulations and Guidelines) has become increasingly important, since it allows for the mapping of metadata directly to organisational capabilities, services, processes, data objects, work-flows, service/business units and individuals. In doing so, it provides a clear view of the business and operational architectural landscapes and data lifecycles. Furthermore, the mappings link in confirmatory communiques and audit trails, as evidence of compliance, action or conformance to the rules (PPSGs).
Typically, the processes and data within computer application systems are designed, built and mapped based on functional and information requirements, often not considering vertical lineage to business processes, work-flows or services, mapping to PPSG (GRC) rules, inclusion of risk management factors and linking to architectural model and capabilities. These are usually managed separately by a different competency team and set of tools like Business Process Management or Data Modelling tools.
The operational processes that result from this situation are often disjointed, manual and non-aligned to the PPSGs. Evidence is there of mappings being done for audit purpose, but on a small-scale, ad-hoc basis the practice of which is not sustained and usually do not link directly to the business and operational roles of individuals on the ground tasked with operating in alignment with particular PPSGs.
When called on to produce evidence of compliance or conformance to the PPSGs, business units, departments and IT must often rush to map processes and surface execution evidence of the rules on data thus to prove compliance e.g. with POPI, FICA, other legislation or internal standards. This process is time consuming and challenging, and even though the department can produce mapping and recon reports, they can seldom show exactly which actions were taken where, to align with which GRC rules and the risk of not applying these.
The evolution of MA
GRC mapper tools tend to have limited capabilities – simply linking an accord, condition or service. Moving beyond these rudimentary capabilities is becoming increasingly important as businesses depend more heavily on the quality of their data and processing economy, and GRC compliance / conformance becomes crucial.
In recent years, KID has evolved solutions and methodologies that encompass a “marriage” (convergence) between governance and metadata management, enabling the proving of compliance and delivering a complete oversight of the business and operational landscapes.
Formalising the solution under the banner Meta Analytics (MA), we can now link respective metadata to all applicable compliancies.
The mapping process can be a lengthy one, but fortunately, it’s a once-off exercise with updates thereafter as the landscapes change / improve. The process identifies the PPSGs in scope and steps thereof – the steps constitute RCCSs (rules, conditions, checks, controls, constraints, technical standards) or actions, as it should be applied in the lineage of the services and/or system processes and roles involved. The RCCSs are plotted against a data management life-cycle (DMLC) for the data being processed and linked to organisational capabilities. This gives cross-sectional views of the RCCSs against PPSGs, Services, Processes, DMLCs and architectural components e.g. data models.
The advantages of MA
The MA methodology gives enterprises insights of gaps or dispositions within the landscape, to data life-cycles, how GRC (PPSG) rules are articulated and where, where processes are duplicated / overlapped, who are involved in which processes, when rules are executed (actions) and enables risk analysis. All of this to support efficiencies (e.g. where services or processes could be merged) and prove compliance.
MA shows the affinities of roles and activities, indicates automated or manual processes – it also allows enterprises to attach risk weights to PPSGs, services or individual processes, and attach processes to competency teams or architectural capabilities. When linked to actual metadata – like system execution logs, e-mail communiques or signed documents – MA delivers evidence that all necessary steps (rules) are being executed.
From a data governance point of view, data stewards and analysts will use MA to determine at any point in time who is using what data and in which processes; or they could gain insights such as the last execution date of a process or the date of the last confirmation email. This allows for the surfacing of many gaps in compliance and support for the identification of risks associated with not applying rules in line with the guidelines. It also allows for the identification of dispositions and mavericks, and supports investigations.
With MA, ad-hoc mapping on demand becomes a thing of the past: if a Chief Data Officer wanted to see a synopsis of all automated and manual processes or gauge compliance risk, they could use these mappings to view the environment in a single step. MA enables data stewards or business unit managers to interrogate exactly what happens to their customer data during its life-cycle.
MA supports back-end efficiency, enhanced customer experience, averts compliance risk and – of course – enables proactive oversight of the entire environment. As a welcome by-product, MA also surfaces gaps and dispositions, or misalignments between the operations and business environments, which is good for efficiency and complimentary to change and project management.
MA brings a new approach to giving oversight for compliance and for surfacing gaps and inefficiencies – not just at a technical level, but also at a business level. It helps enhance both data and processes and delivers better data for better business.