For effective IT governance, we need to go back to basics

By Alan Jacobson, Chief Data and Analytics Officer, Alteryx.

  • Wednesday, 27th November 2024 Posted 1 week ago in by Phil Alsop

Data governance is a common concern associated with generative AI (genAI) and its enterprise rollout. The balancing act of opportunity and risk in expanding its use across an organisation is a common struggle for many organizations. Boards are therefore looking to IT leaders to demonstrate governance strategies so they can sleep better at night safe in the knowledge that genAI is being used responsibly within their organisation.

GenAI will undoubtedly change the face of analytics and what it means to be a data-driven organisation. Governance has an important role in realising this potential for organisations and warrants careful consideration of its purpose and objectives.

Let’s take an example scenario. An organisation with a senior leadership team that’s bullish about genAI communicates to the entire workforce that they need to get used to working with the technology and start integrating it into their daily routines. At the same time, the senior leadership has given IT the sole remit of policing all use cases of genAI internally to ensure ‘safety’. The result could easily become one of fear, doubt and bad morale sowed among employees because IT governance isn’t configured correctly. We need to prevent it from happening by bringing governance back to basics and optimising it for the new intelligence era.

A two-sided coin

Today, most IT governance functions in a similar way to what it has done for many years. A general approval process owned by a central IT department that dictates what the other functions can and can’t do with technology.

This, however, shouldn’t be the sole role of governance. Let’s take a beat to consider the concept of ‘governance’ in society. ‘Good governance’ is a typical description of a national government helping citizens to achieve their dreams and keep safe. Executing this on a national level isn’t simply about rule setting and following. Education is frequently considered a key ingredient of how this is done. And as a citizen, we are likely just as interested in how governance helps us achieve our dreams as to how it keeps us safe.

The same is totally true for how technology and its uses are governed in an organisation. When something novel like genAI appears, workers need to be taken on a journey to use the technology effectively, as well as be empowered to do so. Frequently, this education is the key to keeping people safe as well, as you likely won’t be able to find safety if your users aren’t properly enabled.

This may seem obvious, but the truth is that too many organisations have forgotten about the enablement piece of governance and have leaned heavily into rule setting and stringent oversight. This has never been optimal but it’s becoming increasingly obsolete in a world where analytics should be democratised for all business departments – be that through the emergence of genAI or simply the growing popularity of low/no code analytics software.

Self-defeat in the name of safety

There are some common examples of governance clashing with the democratisation of analytics. Let’s take an example of a finance department that independently uses analytics software to automate aspects of the team’s workload and saves an organisation money in the process. When the IT department becomes aware, their reaction can be a defensive one. We need IT approval of all workflows and for those workflows to plug into the organisation’s central data lake might be ‘rules’ that are put in place. But will this rule actually increase the safety of the process?

In this scenario, policy is being enforced but the IT team is seeking out the role of approver rather than being helpful may not have actually improved the outcome at all. Instead, they may have created bureaucracy and work for the finance team. Also, in the context of finance – being an approver of such workflows comes with serious legal culpabilities that finance understands but IT likely would not. Do you have a governance process that is just adding friction?

Another common example where an IT process may not be an ideal match for the business users leveraging analytics would be the typical IT SDLC process. IT typically sets up 3 environments (Dev, QA and Prod) to build the new solution. Organisations often have an all-encompassing policy for new systems and applications to be built using fake data in Dev and QA. At the end of the cycle, the developers are cut out and the new system or application goes into Prod using real data. While this process works for many IT projects, most democratized analytics do not work this way. A finance analyst that is developing a reconciliation process, or a tax person developing the tax filing must use the real data in the development process. If they do these things are Development or QA servers, suddenly there is a policy issue? And so we see modern organizations providing new names for these early environments used by the business, with names such as Pilot environment being used.

To be clear, the new environment that the business will use to develop analytics would likely then have full Production level securities put in place. And it is notable that the security is also different in that the finance personnel would normally have access to the data they are using, which is different than the IT scenario, where IT would not normally have access to the sensitive financial data.

Addressing issues like this requires a mediator empowered to help IT and the business work together to create a governance that can work well for everyone. The Chief Data and Analytics Officers (CDAO) role frequently serves this purpose, among others, and helps the organization get the most out of analytics and will be key in getting governance right with genAI.

Mediation and change

Putting a CDAO in place means empowering an individual to challenge “the way things have always been done” in the interest of driving change. It’s an appointment that more and more organisations across the globe are making. Notably, a lot of CDAOs hail from consultancy backgrounds, which compliments the consolatory role they can play.

A good CDAO can frequently apply a more nuanced role for IT approval processes and get conflicting departments into a room to agree on ways forward to use technology responsibly. It could be as simple as renaming processes or tearing up rules more boldly. The important thing is that a questioning drive is applied to governance for better outcomes.

The change management that CDAOs can carry out also supports technology enablement (the “other” side of governance) through greater internal education. Prioritising impactful training for all employees on how to use self-serve analytics results in better and safer outcomes. This should entail a balanced approach between training (how to use tools) and education (broader concepts). Many organizations are strong at offering the former, but lack the latter.

An example might be with visual analytics through dashboarding. Many organizations offer training on software (e.g. Tableau, PowerBI, Qlik, etc.) that teaches them how to build a dashboard, a bar chart or pie chart, etc. But these same organizations typically do not offer a short course that explains core concepts of creating best-in-class visualizations. The organization that misses the latter, likely gets frustrated that they now have 100s of dashboards that aren’t being used and aren’t very good.

Importantly, training should be supplemented by a long-term culture of upskilling and continuous education that a CDAO can take responsibility for driving. The result is an improvement and optimisation of analytics across all departments and a much greater chance of new technologies like genAI being used in the correct ways. This helps to achieve the aims of IT governance without being a product of strict rules and oversight. You will likely find that the use of Google search within your organization is much safer due to education on how to use search properly than by any policies your organization has written about using the search bar.

Rethinking IT governance for 2025 and beyond

Rethinking approaches to IT governance is a positive exercise. It takes organisations away from a culture of frustrations and static rules in favour of a culture of enablement that embodies an enthusiasm for being data-driven using new innovative technologies such as genAI. The required change is difficult and therefore requires empowered leaders and teams to bring it about. Organisations should make it a priority in 2025 and beyond.

Intelliworx unveils 2025 trends

Posted 12 hours ago by Phil Alsop
Intelliworx, a leading global IT managed services provider, has unveiled its predictions for the UK IT channel in 2025, highlighting the pivotal role...
Leaders feel the pressure; 98% report increased urgency to deliver on AI and 85% believe they have less than 18 months to act.
AI and generative AI (GenAI) are driving rapid increases in electricity consumption, with data centre forecasts over the next two years reaching as...

GTT study reveals SASE and SSE adoption surge

Posted 1 day ago by Phil Alsop
Vulnerabilities, ransomware and data theft top the list of cybersecurity concerns as enterprises move toward unifying networking and security teams...
More than 86% of EMEA CFOs and CIOs surveyed say their relationship has strengthened, with 43% of CFOs linking it to improved business outcomes.
CreateFuture warns UK risks ‘lagging behind’ without a clearer AI vision amid cost, security and skill concerns.
97 per cent of organisations using generative AI have faced security incidents or data breaches linked to the technology this year, according to...
70 percent of companies in the UK have fallen victim to a cyberattack at least once in the past two years. This is according to the "Cyber Security...