IT executives truly dislike getting lawyers involved in any substantial IT-driven project. They see delays, undue scrutiny and concerns about risk avoidance that could change or stall their effort. The lawyer, meanwhile, appears to take forever, often because of the technology learning curve and a lack of time to devote to the project.
A master data management (MDM) project, or any data governance effort, definitely triggers these lawyer-avoidance reactions. Intensive, detail-oriented work on data consolidation, deduplication and synchronization of programs and applications consistently proves to be more difficult when lawyers are on hand.
However, an MDM system can significantly reduce your company's exposure to legal risk and lower the cost of legal and compliance services if designed and implemented correctly. How? Put a lawyer on the project team, use compliance to build your business case, then ensure that your new single version of the truth delivered via MDM meets compliance objectives, and you'll have a winning project all around.
Embed compliance into the MDM architecture
Of course, we aren't there yet. As MDM practices mature, companies are learning that project teams often overlook the need to align MDM data to existing compliance controls during the system assessment and design process. Remediating this omission downstream adds costs and runs the risk of a late-stage veto by the legal department.
By contrast, emphasizing compliance and resulting cost savings as a business driver for the MDM program ensures alignment from the beginning. The key is to ask: "How can MDM reduce the cost of compliance?"
To do this, the CIO needs to look at the compliance costs of working with status quo data that is inaccurate or in conflict with other internal records as well as the costs of audits, inspections or legal actions associated with finding the right data. Another part of the justification is avoiding any potential legal penalities stemming from an inability to find data in a timely fashion. One midsized investment management firm, for example, recently confided it cost nearly $5 million to respond to a routine Securities and Exchange Commission "sweep" review.
Next, to embed compliance into MDM initiatives, the CIO needs to conduct a thorough risk analysis of how the MDM services affect the existing configuration of the organization's compliance framework and controls. This risk assessment has several steps:
- Account for all of the existing sources of rules to which compliance and source data are mapped, such as statutes, regulations, trade industry rules, business procedures and contract controls.
- Evaluate the compliance implications of migrating original source data into the MDM database. For example, the IRS and others have rules requiring that original records be preserved, so in the absence of a disciplined chain of custody migration processes, compliance could be at risk.
- Understand all of the tasks that will be required to sustain compliance around the MDM data. Here, it is vital to identify the various controls employed to protect access to and integrity of data, and to make sure those controls remain in place for MDM data. Doing so for personal information, transaction information and other carefully regulated data is particularly vital because migration to a central MDM database often exposes the information to new audiences.
- Design compliance into the overall MDM service plan. Doing so improves awareness of the implications of data governance and creates an inventory of the steps required to assure the new MDM systems enable effective compliance. These steps might include contract amendments, changes in internal procedures, reviews with public regulators and tests of data recovery and reporting technology and processes.
Implementing these steps takes work. IT executives familiar with International Standards Organization-based information security controls can often manage the compliance dimension of MDM systems using the same process-based control orientation used to deploy security controls. Create a map of the compliance risks, the control objectives to be achieved and the specific controls to be employed. Here is a CastleQuest sample map with some ideas on how to integrate compliance into your MDM project.
Provide clear, measurable criteria against which to declare victory and move forward, making continual improvement of your company's compliance profile an important new benefit that MDM can achieve.
Not only will you build a stronger case for your system, but you'll also keep your legal team happy -- and perhaps more responsive for your next project.
Jeffrey Ritter, Esq., is CEO of Waters Edge Consulting LLC in Reston, Va. Waters Edge offers strategic consulting services to develop improved information governance. Write to him at editor@searchcio-midmarket.com or Jeffrey@wec-llc.com.
