
Data Governance Program | Executive Summary

Welcome to the revolution, the digital revolution, that is. Today’s global marketplace means that the competition to sell goods and services is higher than ever. Sticking to your market niche, or just going about your business the same way you always have, is not enough anymore. Organizations need to be able to differentiate themselves, be it through a superior product, process efficiencies that lead to lower prices and/or greater profit margins, or retaining key talent that drives delivery of organizational services. The fourth industrial revolution, or the digital revolution as some call it, has been marked by digitalization, digital transformation, the integration of AI, and other advanced technologies. All of these can be linked back to one key thing: data and its governance.

What is data governance?

The definition of data governance may change depending on who you ask. An employee who frequently works on the frontline interacting with customers may believe data governance is ensuring that they have access to the data they need to help their customers. A member of the legal department may view data through the lens of how it can be used against you in legal proceedings. A member of the IT department may think of data strictly from a risk and security standpoint. None of these are wrong, but they all miss the big picture. A good data governance program ensures that data is accurate, complete, and protected throughout the entire enterprise data lifecycle.

What is the enterprise data lifecycle? Simply put, these are the six phases in which data exists inside your organization. These phases include Create, Store, Use, Share, Archive, and Destroy. Now reconsider my examples. The frontline employee is worried about accessing and using data; the legal department is concerned with data retention and destruction when considering regulatory requirements or e-discovery; and the IT department is going to be concerned with cyber-related controls and access permissions. Data governance is of vital importance to all three of these employees, but for different reasons. This is why a good data governance program is of vital importance to the organization as a whole.

Components of a data governance program

Designing and implementing a data governance program will not happen overnight. It requires commitment and buy-in from all levels of the organization, not just members of the IT department. The first step in the process is ensuring that all impacted parties have a seat at the table. This ensures that all data, and the business processes that data is used in, are considered.

The cornerstone of an organization’s data governance program is a policy. The policy will address numerous areas, including Scope, Stakeholders, Roles and Responsibilities, Data/System Inventory, Data/System Risk Assessment and Classification, Quality, Access, Content Management, and Retention, just to name a few. The purpose of the policy is to provide guidance to anyone who interacts with the data. The next two components are the data risk assessment and data flow diagrams for key business processes. When these are used together, an organization can ensure that all risks to its data have been considered and appropriately mitigated throughout the entire business process the data is used in, as well as throughout the data lifecycle.

There is no catch-all list of components for designing a good data governance program; however, beginning with the three I mentioned above – policy, risk assessment, and data flow diagrams – a solid program can be built.

How does a good data governance program benefit me/my organization?

Data governance is not a one-and-done matter. It requires continuous monitoring and improvement, but the benefits are unmistakable. Some of these benefits include:

  • Improved quality of captured, processed, and stored data
  • Greater confidence in decision making due to the accessibility of accurate source data
  • Ability to access and share data and information amongst stakeholders
  • Regulatory compliance
  • Consistency in how data is defined, handled, and secured across the organization
  • Appropriate understanding and guidance on the use of data

The following white paper will provide an in-depth review of developing a data governance program, with a primary focus on creating the data governance policy. It will be a process, and one that will require a significant investment of time from employees all across your organization. Once the program is developed and in place, however, the organization will see improvements in both data security and overall data usage efficiency across the company.


YHB’s Risk Advisory Services team provides you the tools to make your information technology and internal controls work for you.

Your IT controls should protect your data, and more importantly your clients’ data, so that it is secure, available, and accurate. Internal controls outside of IT should also protect your assets from fraud and errors. RAS can provide a thorough review of your controls by experienced professionals. We are CPAs who have devoted our careers to Information Technology and internal controls.

About the Author

Stephen Weber, MBA, CISA

Stephen has extensive experience in IT Audit and Advisory Services. His background includes internal and external IT Audit services for state and federal agencies and Fortune 500 companies in retail, manufacturing and financial lending. His expertise spans financial statement audits, SOX, project management, legal and compliance and data analytics. To further his commitment to IT Security, Stephen has also completed the ISACA®’s Cybersecurity Audit Certificate Program.


Expert Contributors: 

Brad Brosig, CISA

Bryan Newlin, CPA, CITP, CISA