Legal Expert: MDM can advance compliance goals


Jeffrey Ritter
08.06.2008


IT executives truly dislike getting lawyers involved in any substantial IT-driven project. They see delays, undue scrutiny and concerns about risk avoidance that could change or stall their effort. The lawyer, meanwhile, appears to take forever, often because of the technology learning curve and a lack of time to devote to the project.

A master data management (MDM) project, or any data governance effort, definitely triggers these lawyer-avoidance reactions. Intensive, detail-oriented work on data consolidation, deduplication and synchronization of programs and applications consistently proves to be more difficult when lawyers are on hand.

However, an MDM system can significantly reduce your company's exposure to legal risk and lower the cost of legal and compliance services if designed and implemented correctly. How? Put a lawyer on the project team, use compliance to build your business case, then ensure that your new single version of the truth delivered via MDM meets compliance objectives, and you'll have a winning project all around.

Embed compliance into the MDM architecture

Of course, we aren't there yet. As MDM practices mature, companies are learning that project teams often overlook the need to align MDM data to existing compliance controls during the system assessment and design process. Remediating this omission downstream adds costs and runs the risk of a late-stage veto by the legal department.

By contrast, emphasizing compliance and resulting cost savings as a business driver for the MDM program ensures alignment from the beginning. The key is to ask: "How can MDM reduce the cost of compliance?"

To do this, the CIO needs to look at the compliance costs of working with status quo data that is inaccurate or in conflict with other internal records as well as the costs of audits, inspections or legal actions associated with finding the right data. Another part of the justification is avoiding any potential legal penalties stemming from an inability to find data in a timely fashion. One midsized investment management firm, for example, recently confided it cost nearly $5 million to respond to a routine Securities and Exchange Commission "sweep" review.

Next, to embed compliance into MDM initiatives, the CIO needs to conduct a thorough risk analysis of how the MDM services affect the existing configuration of the organization's compliance framework and controls. This risk assessment has several steps:

Implementing these steps takes work. IT executives familiar with International Standards Organization-based information security controls can often manage the compliance dimension of MDM systems using the same process-based control orientation used to deploy security controls. Create a map of the compliance risks, the control objectives to be achieved and the specific controls to be employed. Here is a CastleQuest sample map with some ideas on how to integrate compliance into your MDM project.

Provide clear, measurable criteria against which to declare victory and move forward, making continual improvement of your company's compliance profile an important new benefit that MDM can achieve.

Not only will you build a stronger case for your system, but you'll also keep your legal team happy -- and perhaps more responsive for your next project.

Jeffrey Ritter, Esq., is CEO of Waters Edge Consulting LLC in Reston, Va. Waters Edge offers strategic consulting services to develop improved information governance. Write to him at editor@searchcio-midmarket.com or Jeffrey@wec-llc.com.
