Introduction

Le Environnement de contrôle des données Le terme « environnement de contrôle des données » désigne le mode de fonctionnement dans lequel les actifs de données d'une organisation sont gérés de manière holistique à tous les niveaux de celle-ci. Un environnement de contrôle des données performant repose sur trois éléments.

1. Les objectifs et les capacités de gestion des données (GD) décrits dans ce document ont été adoptés et intégrés dans toute l'organisation.
2. Le cycle de vie des données is fully supported by all stakeholders. These stakeholders ensure understanding, awareness and control of data throughout the data supply chain–from source to consumption to disposition.
3. DM is part of the organization’s data ecosystem. It is integrated and coordinated with all other control functions organization-wide.

The purpose of the data control environment is to coordinate the people, processus and technology of DM into a cohesive operational modèle. The data control environment defines the mechanisms used to capture data requirements, unravel data flows and linked processes and determine how data is to be delivered to the consommateur de données. The data control environment supports the cycle de vie des données. It ensures that proper resources and controls are in place as data moves throughout its journey. Also, the data control environment ensures collaboration and alignment to cross-organizational control functions. Areas such as Information Security, Data Privacy and Change Management must operate in sync with DM to ensure data is properly managed across all business functions.

To the extent that the data control environment is not achieved it results in potential data risk. Data risk should be managed in alignment with the overall risk management framework of the organization. Data risk scope includes areas such as architecture de données risks, métadonnées risks, qualité des données risks, data governance risks and Données de base risks.

Définition

Le Environnement de contrôle des données (DCE) Ce composant est un ensemble de fonctionnalités qui, ensemble, constituent l'environnement de contrôle des données pleinement opérationnel. Opérations sur les données, gestion de la chaîne d'approvisionnement, contrôle transversal fonction alignement et collaboration architecture technologique doivent opérer de manière cohérente pour garantir la réalisation des objectifs de l'initiative DM dans toute l'organisation.

Portée

• Travailler avec DM Bureau de gestion de programme (PMO) concevoir et mettre en œuvre des processus et des routines commerciales durables pour permettre un environnement de contrôle des données réussi.
• Rassembler les composants du DM en un écosystème de données cohérent et de bout en bout.
• Suivez les meilleures pratiques actuelles en matière de gestion des données en examinant et en auditant régulièrement les capacités et leurs processus.
• Assurez-vous que tous les aspects de la gestion des données soient pris en compte pour les données critiques de l'entreprise, telles que : cycle de vie des données, de bout en bout lignée des données et les agrégations de données sont pleinement opérationnelles.
• S'assurer que le DM est aligné sur les autres contrôles fonction politiques, procédures, normes et gouvernance.

Proposition de valeur

Organizations that improve their ability to reconcile requirements for data and accurately share data across the organization’s ecosystem are able to better respond to changes in business processus, regulatory, and audit requirements.

Organizations that deliver data through a controlled environment respond more rapidly to market opportunities and provide innovation to clients.

Aperçu

The DCE is where the execution components of Business & Architecture des données, Données & Architecture technologique, Qualité des données Management and Data Governance are made operational in the data supply chain by the producteur de données. This operationalization brings a defined set of data into control and makes it available to data consumers at a point in time, either real-time or period end.

Diagramme 7.1 : Chaîne d'approvisionnement des données

One of the first functions within the DCE is the orchestration of the DM component disciplines. These disciplines must be aligned to effectively manage data across the organization. The DCE forces the alignment of all the capabilities discussed in this modèle into a consistent operational flow. Each capability must be properly resourced and prioritized as well as supported by business, data and technology senior management.

The successful coordination of these components is a determining factor in the success of the DM initiative. It is the responsibility of the DM organization and the senior agent de données at each level of the organization to structure and coordinate the DM modèle opérationnel. This properly defines data meaning, ensures qualité des données (DQ), and delivers data in a timely and efficient manner. Evidence of the processes must be compiled through demonstration of organizational structures, charters, policies, and senior management directives.

Data is a core factor of input into business functions and operational processes. The cycle de vie des données tracks the progress of data from source to storage, to maintenance, to distribution and to consumption. From this point the data may be reused, sent to the archive and finally to defensible destruction. The mechanisms used to identify, align, and validate the data as factors of input into business functions are derived by reverse engineering existing business processes into their individual data elements and by unraveling the data assembly processes used to create the required data sets.

This reverse engineering processus to define data requirements needs to be managed with precision. Only precision will avoid confusion and miscommunication between what the business users truly need for their business fonction and what technology professionals need for technical implementation. Data requirements should be modeled, aligned with business meaning, prioritized in terms of how critical it is to the business processus and verified by all stakeholders. These steps ensure that essential concepts are not lost in translation. This is particularly critical for data that is shared among multiple data consumers and for core data attributes that are used as a baseline for onward expression in operational calculations or business formulas.

For complex applications and for all data aggregation-related processes, it is essential to understand and document how the data moves from system-to-system; how the data is transformed or mapped; and how the data is aligned to business definition and standard meaning. Gaining agreement on this lignée des données processus is fundamental for ensuring that the results of decentralized or linked processing can be trusted to be consistent and comparable.

Le dernier aspect d'une gestion des données efficace est l'intégration de la gestion des données dans l'écosystème de données de l'organisation. L'écosystème de données est un concept qui décrit la manière dont les données sont gérées de façon collaborative avec toutes les fonctions de contrôle transversales. Ces fonctions, telles que la sécurité de l'information, la gestion du stockage, les affaires juridiques et la conformité, la protection des données et la gestion des fournisseurs, ont toutes des responsabilités quant à la gestion des données. Il est impératif que les politiques de gestion des données soient intégrées et alignées sur celles des fonctions de contrôle transversales afin de garantir une gestion cohérente et globale des données à l'échelle de l'organisation.

Finally, a DCE ensures technology’s alignment with DM policies and best practices. DM capabilities such as architecture, governance, and DQ should be integrated into the organization's Software Development Lifecycle (SDLC) processes to ensure that DM considerations are being adequately addressed at the appropriate stages of the development cycle. Nothing should operate in a silo. Operating within an ecosystem recognizes interdependencies and ensures collaboration.

Processus, outils et constructions

• Entreprise Processus Intégration
• Intégration de la feuille de route technologique
• Intégration des exigences réglementaires
• Contrôle Fonction Requirements Integration
• Intégration des exigences d'audit et de conformité
• Data Supply Chain Management Construction
• Optimisation des capacités
• Matrice RACI
• Processus Conception et solutions de bout en bout Processus Intégration
• Guide des procédures
• Processus Mesure de la performance

Questions fondamentales

• Le concept d'expérience de conversion de données (ECD) est-il compris par les parties prenantes ?
• Les aspects du contrôle des données tels que les termes, les définitions, les relations, l'intégration et la priorité sont-ils établis de manière cohérente ?
• Are control processes applied across the full cycle de vie des données?
• Les concepts de contrôle des données sont-ils harmonisés dans l'ensemble de l'écosystème organisationnel ?

Première capacité

Evidence of the data control environment is the result of effectively integrating and executing the other six components defined in DCAM. Active engagement by stakeholders is required to ensure the DM capabilities are working collaboratively across the organization.

Première sous-capacité

Description

To establish the DCE the holistic execution of DM initiative is required at each operating level of the organization.

Objectifs

• Charter governing bodies and make them operational.
• Design and fill leadership roles. Document that they are functioning according to prescribed mandates.
• Deliver DM initiative capabilities.

Conseil

The data control environment is the result of effectively integrating and executing the other six components defined in the Modèle d'évaluation des capacités de gestion des données (DCAM). The integrated execution of these capabilities will create an environment where the people, processus, data and technology can produce an environment where the data is in control.

Questions

• Are the governance structures operational to effectively control the data?
• Are the DM leadership roles at each operating level of the organization defined and operating in harmony as designed?
• Are the DM initiative capabilities integrated and operational in alignment to the DM modèle opérationnel cible?
• Does the DM initiative have senior management support inclusive of the senior executive suite?

Artefacts

• Evidence of operations in alignment to the DM modèle opérationnel cible
• Dashboard summarizing the DM initiative program, outcomes, processus and DQ metrics
• Evidence of DM support top-down – e.g., formally stated support from the executive suite to the organization

Score

Sous-capacité suivante

Description

All stakeholders critical to the success of the DM initiative must be identified. Roles and responsibilities must be communicated. Active engagement by critical stakeholders is operational and evidenced.

Objectifs

• Define and communicate the roles and responsibilities of stakeholders who will support the DM initiative.
• Ensure support and provide authority for the DM initiative through partie prenante fiançailles.

Conseil

The DM initiative success demands the engagement of support-stakeholders. Management must support the initiative at each operating level of the organization. Also, Internal Audit must be involved throughout to ensure that the DM initiative is auditable and the politique and standards are enforced. The organization’s risk fonction must build an integrated risk framework for managing data risk. Senior leadership, perhaps including the board of directors must be informed, engaged and officially support the DM initiative.

Questions

• Have the support-stakeholders been informed of their roles and responsibilities in supporting the DM initiative?
• Has the required level of support-stakeholder engagement been achieved to provide sustainability of the DM initiative?

Artefacts

• Internal Audit schedules for DM initiative audits
• Integration of data risk into the risk management framework
• Senior management meeting minutes, including DM initiative strategy and performance reporting
• Board of Directors meeting minutes, including DM initiative strategy and performance reporting

Score

Sous-capacité suivante

Description

To achieve the DCE the full set of DM capabilities must be operational and applied against a domaine de données. It is important to understand the differences between planned and operational initiatives. Only operating capabilities contribute to the functioning DCE.

Objectifs

• Bring DM capabilities into operation and align them with the DM strategy.
• Bring DM capabilities into operation and align them with governance politique et les normes.

Conseil

Successful creation of a true DCE happens when all of the defined DM processes are operating in concert and all are aligned with the stated DM strategy.

Questions

• Have the DM processes been integrated into a single end-to-end operational processus?
• Les procédures, les outils et les routines nécessaires à la mise en œuvre des processus sont-ils en place ?
• Have innovative technologies such as AI and ML been considered as part of the integrated processes and infrastructure?
• Has the review of data ethics been included in the integrated DM processes?
• Are there standing meetings, planning sessions and regular communications validating the data control?

Artefacts

• Processus documentation that shows integration of the DM processes into an end-to-end execution
• Documentation of data ethics review as part of the data controls
• Governing body minutes and directives related to data control monitoring

Score

Prochaine capacité

Cross-control fonction collaboration includes: 1) aligning DM and other control fonction politique and standards; 2) establishing engagement routines; and 3) applying cross-organization controls to the data.

Première sous-capacité

Description

DM controls and best practices must be formally included in cross-organization control fonction policies and standards to ensure collaboration and alignment.

Objectifs

• Create entreprise politique and standards which formally include cross-organization references in each.
• Ensure formal coordination of each groups’ politique and standards through control teams which are held accountable and subject to Internal Audit.

Conseil

The goal here is to ensure that the policies and standards of the DM initiative are aligned with those of the other control functions. Take advantage of existing rules and integrate them into the DM policies, procedures, and standards. Other control functions should also reference the standards and processes of the DM initiative.

Questions

• Are the mechanisms in place to support cross-organization control fonction collaboration?
• Is there alignment between cross-control fonction policies, standards and processes?
• Is cross-organization control fonction coordination opérationnelle et en cours d'examen par l'audit interne ?

Artefacts

• DM policies and standards
• Other control functions’ policies and standards
• Politique and standards cross-referencing mechanisms

Score

Sous-capacité suivante

Description

In order to achieve collaboration among all the control functions that have requirements for data or DM a structure of regular interaction is required.

Objectifs

• Formally coordinate cross-control functions with the DM initiative via regular engagements, meetings and routines.

Conseil

Here is where the CDO becomes the Chief Diplomacy Officer. There must be an engagement strategy and plan to meet and collaborate with the other control functions. This collaboration is required of the agent de données at each operating level of the organization with their respective cross-organization control fonction peer.

Questions

• Are the mechanisms to support regular coordination defined and operational?
• Des réunions formelles sont-elles organisées entre les différentes fonctions de contrôle ?

Artefacts

• Engagement plan
• Liste des parties prenantes et preuves de communication bidirectionnelle
• Evidence of meetings including minutes and follow-up actions

Score

Sous-capacité suivante

Description

All new data introduced into or delivered out of the data ecosystem must be subject to cross-organization control standards to ensure organization-wide compliance.

Objectifs

• Subject design review and approval to data introduced into or delivered out of the ecosystem.
• Subject cross-organization data control politique and standards to data introduced into or delivered out of the ecosystem.

Conseil

The goal of cross-organization data control is to ensure that all data entering the ecosystem through any channel is subject to the same restrictions, tollgates, authorizations, and evaluations. The challenge will be to ensure that all of the cross-organization control functions understand and recognize the role and authority of the ODM.

Questions

• Have the cross-organization control functions’ policies and standards been widely communicated?
• Have the cross-organization control functions’ requirements for data or DM been inventoried and presented to the DM initiative stakeholders?
• Have the stakeholders been informed of their role and responsibility with respect to the onboarding of data into the organizational ecosystem?

Artefacts

• Evidence of cross-referenced rules from other control functions’ politique and standards that demonstrate alignment and collaboration with the DM initiative

Score

Prochaine capacité

Le formel processus of identifying data risk must be integrated into the DM initiative. Once identified, the risks must be tracked, prioritized and mitigated. These activities should be standardized and integrated into the overall risk management framework and processes of the organization (e.g., three lines-of-defense: unité opérationnelle, risk fonction and audit fonction).

Première sous-capacité

Description

All organizational units must be accountable for managing data risk in their unit. The organizational unit is the first-line-of-defense in the organization’s risk modèle.

Objectifs

• Define and operationalize the processes for self-identification of data risks.
• Manage the data risk processus to actively track, prioritize and mitigate data risks.
• Engage executive management in data risk management.

Conseil

The organizational units are accountable for their data and thus are accountable for the risk associated with their data. The formal processus of identifying data risk must be integrated into the DM initiative. Once identified, the risks must be tracked, prioritized and mitigated. These activities should be standardized and integrated into the overall risk management framework and processes of the organization.

Le Directeur des données and in some cases the Chief Operating Officer has a role in supporting the organizational units in the data risk management processus. This role may even be seen as a review point between the organizational unit and the second-line-of-defense.

Questions

• Y a-t-il un processus for identifying and managing data risk?
• Les procédures, les outils et les routines nécessaires à la mise en œuvre des processus sont-ils en place ?
• Est-ce que CDO, the Office of Data Management and/or the COO provide data risk management support to the organizational units?

Artefacts

• Documentation sur le processus to identify and manage data risk
• Preuve d'auto-attestation et entreprise revue ODM
• Preuve de CDO or COO data risk management support

Score

Sous-capacité suivante

Description

The data risk fonction must be accountable for establishing the data risk appetite and framework for the organization. The data risk fonction is the second-line-of-defense in the organization’s risk modèle. Le CDO must collaborate with the risk fonction to integrate data risk into the overall risk framework.

Objectifs

• Establish a data risk appetite statement and standard data risk categories and metrics.
• Provide organizational guidance and oversight of the data risk management processus.

Conseil

Data risk must be managed organization-wide in concert with other sources of risk. Standards must be set to define data risk appetite along with risk identification, classification and measurement. Because most data has many consumers across the organization a comprehensive view of data risk is critical.

Questions

• Is there a defined data risk appetite for the organization?
• Y a-t-il standard data risk categories and metrics?
• Has the Risk fonction provided guidance and oversight of the data risk management processus?

Artefacts

• Data Risk Appetite Statement
• Standard data risk categories and metrics
• Risk fonction guidance for the data risk management processus

Score

Prochaine capacité

Description

Internal Audit must be accountable for periodic review of the DM initiative against the defined politique and standards of the organization. Internal Audit is the third-line-of-defense in the organization’s risk modèle.

Objectifs

• Validate that DM politique and standards and processes are auditable.
• Perform periodic audit according to organization audit policies.

Conseil

Collaborating with Internal Audit is a valuable exercise to ensure the auditability of the DM initiative. It will also foster a shared understanding of the DM strategy, its objectives, processes, and data controls that will be valuable to both the data practitioner and the auditor.

Questions

• Existe-t-il un partenariat fonctionnel avec l'audit interne ?
• Le service d'audit interne est-il familiarisé avec les concepts associés à la gestion des données ?
• Le service d'audit interne a-t-il examiné l'initiative de gestion des données et déterminé qu'elle pouvait être auditée par le biais d'examens planifiés ?

Artefacts

• Evidence of communication with Internal Audit about the DM concepts
• Verification by Internal Audit that the DM initiative can be enforced and audited
• Internal Audit schedule for DM initiative audits
• Preuves de l'engagement et de l'examen de l'audit interne

Score