The complexity of the governance and compliance landscape has grown many times over in the past two decades. Driven by regionally diverging laws, increasingly complex consumer obligations and growing volumes of data collection, many organizations have reached the point where their compliance and governance teams approach the size of the teams building digital enablers and technology platforms. This type of staffing ratio leads to slow growth, limited innovation and unclear, overlapping responsibilities between corporate, IT and data governance teams. Our governance structures and approaches must evolve so that they align with our corporate strategy, our value chain(s) and the regulatory obligations unique to our industry, consumer type or operating geographies. The goal of every governance program is to create formalized structures that ensure we meet our compliance obligations. The traditional silos of governance tasked with ensuring compliance include:
- Data Governance - This is the domain of governance most often associated with the storage, processing and retention of data. Compliance requirements such as CCPA, CPRA and GDPR are often the foundation for defining requirements, process and training. While these are strong foundations, they frequently create conflict with IT governance (addressed below) over overlapping boundaries for data storage and processing, and with corporate governance over differing data retention requirements driven by separate business processes.
- IT Governance - IT governance is usually where the management of system, network and application inventories begins. Compliance requirements such as HIPAA and PCI DSS are often owned by the IT governance team. IT governance is important for ensuring proper use of IT resources, but it can run into conflict with corporate governance over the level of investment needed to meet compliance obligations versus the risk posed by individual legacy applications.
- Corporate Governance - Corporate governance is often the domain of financial controls, business process documentation and delegation of approval and contract signature authority. SOX controls and audits are typically owned by this organization. This can create conflict with IT governance through overlapping or duplicative audits and controls.
The overlap between the current governance domains is outlined below. These complex and varied areas of overlap, each owned by a different governance team and enforced through differing architectural patterns, create significant friction for application and engineering teams that want to deploy new capabilities but need the approval of multiple independent, uncoordinated teams. While these silos have served for several decades, the rapidly changing landscape of compliance obligations, coupled with the rapid deployment of new digital capabilities, calls for a new model. Modern digital-first organizations must structure their governance teams to minimize conflict between the different compliance obligations a company must meet. Modern governance structures must create clear paths to rapidly identify, discuss and agree on ways forward that balance risk against reward for the organization. The faster an organization can identify and resolve conflict within its leadership, the more effectively engineering teams can focus on execution instead of deconflicting across teams that share the same goal of protecting the company's reputation and financial standing. Some common themes for structuring modern digital governance teams include:
- Privacy Requirements & Customer Expectations - Our first obligation is to our customers, ensuring that our policies align with our actions and compliance obligations. Our governance structure should anchor to this and build a strong depth of understanding for our customer base, their needs and expectations.
- Investment Priorities - Many times, governance teams are tasked with making investment decisions regarding digital capabilities with an understanding of how risk will be lowered across the organization. A unified digital governance program can look at all risks to data, systems, buildings and applications in a uniform way for remediation investments.
- Architectural Tradeoffs - There is seldom only one way to design digital infrastructure. Each possible pattern comes with its own tradeoffs in time, risk, cost, capabilities and usability. Technology teams often get stuck in analysis paralysis without an effective outside arbiter of organizational priorities to drive architectural decisions.
- Region-Specific Requirements - Many organizations operate globally, creating unique compliance obligations for one part or segment of their business. Centralized digital governance teams decide how these unique requirements will be enforced and how broadly they are applied across the enterprise.
The following identifies the functional components of a digital governance team and their relationships. Collectively, this team has the skills, training resources and authority to manage and deconflict the many compliance obligations an organization must adhere to. This single team becomes the focal point for engineering teams to partner with on implementation details and audits, minimizing touch points and providing leadership accountability for rapid decisions and resource allocation. The new model accepts that data, systems, networks and analytical models cannot be separated for compliance purposes; compliance requirements span the entire digital estate.
Some highlights of functions within our digital governance structure include:
- SMEs - The subject matter experts are the anchor connecting technology potential with compliance obligations and controls. They represent the domains of cyber, data, applications, connectivity, end user computing, analytics and collaboration. They are expected to be experts in existing implementations and controls while keeping a strong connection to upcoming industry capabilities and how best to apply them. The SMEs are oriented toward their individual governance domains and partner with business teams to understand needs and discuss tradeoffs.
- Policy - A single policy team ensures uniformity in how different compliance obligations merge into one set of standards for organizational execution. This team is accountable for researching, defining and communicating the policies of the organization.
- Architecture - Your architecture team complements your SMEs as the technical experts. They assess, mock up and create reusable technology assets for engineering teams to consume.
- Industry Engagement - Many industries have specific groups focused on influencing compliance obligations and upcoming laws. These groups often allow for representation, and your company's participation is key to understanding emerging requirements and influencing how they are applied to your organization, industry, customers and geographies.
- Enablement - Many organizations have a Data Literacy function, emerging from traditional data governance programs, that ensures teams are trained on tools, policies and the use of data. This function is now expanding to cover the entire range of governance and compliance needs and to ensure uniform delivery by partnering with corporate Learning & Development and HR to influence training calendars and curriculum.
Now is the time for a fundamental rethink of your governance programs to ensure compliance with today's and tomorrow's requirements. Many organizations are investing heavily in new digital capabilities, generative AI and other next-generation technologies. This investment opens the opportunity to reevaluate structures, tooling and approaches to compliance in ways that simplify governance while maintaining compliance with legal and industry obligations. The organizations that shift from siloed governance programs to holistic digital governance will see the highest-velocity release of new capabilities for market feedback and growth.