Information Management and Governance, Uncategorized

Role of the CDO: Learning from the Past to Enable the Future

James Howard

The role of the Chief Data Officer is evolving quickly, and has been compared to the CIO of the early 90’s, in that the CIO role was just starting to take shape, companies were just beginning to appoint CIOs and they were struggling to define responsibilities.  The similarities don’t end there. Consider:

  • Early CIO’s had strong IT backgrounds, but often didn’t truly understand the business they were supporting.  In some other cases, it was the exact reverse – the CIO was a business person with limited (or no) understanding of IT
  • The CIO was a “second tier C-level executive”, often reporting to the CFO.  This was often because in those days, the CFO was thought of as the principal consumer of IT, and companies failed to recognize how computers – notably PCs –  were penetrating and enabling other areas of the business. This lead to frustration among users, “shadow IT” lacking formality and control, and an incomplete understanding of the overall IT portfolio and spend.
  • Every CIO was different, and every IT mission was different, and highly tailored to each company.  In hindsight, the industry was “fumbling” (a term not meant in a disparaging way) as the IT industry went through a massive evolution; some may remember Tom Watson’s prediction that there would only ever be a market for maybe five computers.
  • The CIO’s senior staff were often technically proficient in their respective areas, but not very aware of the needs of the business they were supporting – and they lacked the tools to build the necessary bridges.
  • There was very little interface with “users” (a new term at the time) because most systems under the CIO’s purview were specialized and vertical, or were infrastructure – and end-user computing was evolving on its own, outside the CIO’s scope of responsibility.
  • Numerous “disasters” have taken place tied to IT (whether failed initiatives, outages, breaches or hacks) and the post-event analysis often failed to properly address the underlying issue, perhaps due to lack of understanding, or a desire not to reveal the extent of the issue, or because the business was not fulfilling their responsibility relative to IT governance.

In 1994, Charles B. Wang published the book “Techno Vision: An Executive’s Survival Guide to Understanding and Managing Information Technology”.  In the book, Mr. Wang shines a light on the “disconnect” between IT and the business they support, as it relates to understanding the role technology can play, and he makes suggestions on how to address the gap.

Now in 2018, the CIO is a universally accepted role, but there are still plenty of examples where the CIO has limited (or no) understanding of the business, and the business leaders’ eyes glaze over when any technology topics arise.  And IT is one of the largest line items on corporate budgets.

Enter the CDO

Conservative predictions foresee a massive increase in number of information-related products and services, as well as company spend on information-related initiatives.  Not to mention the exponential growth of information itself.  It’s helpful to look at the “typical” CDO in 2018, as a way to anticipate trajectories and avoid similar pitfalls that were seen with the evolution of the CIO.  Consider for comparison:

  • Most organizations are recognizing the transformative potential that exists in leveraging information, but the majority have not appointed CDOs.  And some organizations have appointed CDOs internally who don’t have an information management background.
  • Many organizations have emphasized the technical aspects of information leverage, and have appointed Data Scientists as the top leaders in information management, who in turn have flushed out their teams with data scientists and analysts.
  • Certain segments of the market – insurance, for example – seem to view information management as an “IT thing” and often place the CDO under the CIO, which immediately limits their ability to be successful.
  • Many companies are reacting to steps taken by their peers, and have appointed “me too” CDOs with limited thought to their responsibilities, scopes and measures.  As a result, vision and strategies are incomplete or non-existent.
  • Upon arrival, many CDOs are dumped on, getting assigned responsibilities that are at best loosely tied to information, but weren’t necessarily part of the scope originally envisioned.  This immediately interferes with their ability to deliver, even if the new responsibilities are appropriate and legitimate.
  • CDO’s teams are often thinly staffed, and are expected to transform the organization by exerting political influence on other leaders, often who have conflicting agendas or are protecting their turf.
  • Many business leaders speak about, but don’t understand, the strategic role that information leverage can play in their organizations, due to a lack of data literacy.

To be sure, none of these should be seen as evidence that the CDO is a passing fad or a failure.  Quite the opposite: there is a recognized need for a CDO, who is emerging as the executive who must pull together and execute a strategy to gain benefit from leveraging information.  Unlike other trendy business fads, the CDO is tasked with making use of a resource that is already there – and growing – increasingly recognized as key to greater prosperity.  By investigating the challenges faced by many early CIOs, there are opportunities for the CDO to learn from the past, and avoid similar issues.  

Support and Empowerment

For most forward-looking organizations, the CDO should be a company-wide role.  The CDO should be seen as a senior executive, should report to the highest levels of the organization, and have broad authority to effect policy and influence behavior.  They should have visibility and accountability to the Board of Directors. In terms of support, the CDO should have resources to execute in a credible way, including personnel and tools.   

Scope and Responsibility

If an organization believes that information is their lifeblood, and that leveraging information is key to continued success (or relevance), then they are acknowledging the strategic importance of information.  The CDO’s scope should align with the role information plays — both in terms of opportunity and obligation. Meaning, they should be tasked with deriving benefit from information in a way reflective of their business, but should also be responsible for ensuring obligations are met and risk is managed for that data.  

Qualification

The CDO is not a technician; they are a business executive.  While it is difficult to imagine there are enough CDO’s in the market who have deep understanding of the businesses of their employers, a good CDO should be able to bridge their skills as an information leader to the businesses they are tasked with enabling.  Just as a banking or manufacturing executive knows banking and manufacturing, the CDO knows information management. And just as that banking or manufacturing executive doesn’t understand every technical nuance of their business, the CDO needs to know enough to direct and guide their specialists.

Structure

Charles Wang, in his book, discussed the disconnect between IT and the business they support, and the risk of this occurring with the CDO is just as real.  In the 24 years since he published the book, some business leaders are just as illiterate in IT as they were then, but the breadth of tools is immeasurably wider.  Data Science is maturing at an incredible pace, and businesses are struggling to understand the intersection between what they do and the potential value data can add.  To help address this, the CDO needs to establish strong relationships with the business counterparts, and help develop data strategies. They need to work with the data scientists to identify potential use cases and opportunities with data, getting the business leaders on board.  While the CDO has a high degree of responsibility for helping execute the data strategies, ultimately the business leaders are accountable to their own stakeholders for the success of the data initiatives within their areas.

One model to establish and maintain the relationships is through a governance council or steering group, chaired by the CDO and attended by senior leaders across the organization.  The members are responsible for their own information investments, and attend the council to help ensure alignment to vision and consistency of strategy.

Scientific Method

WikiPedia tells us that:

Scientific method is an empirical method of knowledge acquisition, which has characterized the development of natural science since at least the 17th century, involving careful observation, which includes rigorous skepticism about what is observed, given that cognitive assumptions about how the world works influence how one interprets a percept; formulating hypotheses, via induction, based on such observations; experimental testing and measurement of deductions drawn from the hypotheses; and refinement (or elimination) of the hypotheses based on the experimental findings.  (before the reader dismisses this for having come from Wikipedia, the definition is pretty consistent with other sources)

The adoption of Data Science in business frequently takes a very different approach, where data scientists are empowered, and ask for more and more data to “play” with to see what they can come up with.  Perhaps this was the result of companies moving directly to the technical solution without first establishing a business vision and strategy, in coordination with their own business leaders. While some very interesting discoveries were probably made, there is likely there were a high degree of false starts, or developments that served no business purpose, or instances where the obligations limiting use of data were violated.  And without an appropriate degree of skepticism, can they be certain the algorithms really work?

Perhaps a more structured approach makes sense, taking a page from Scientific Method.  The data strategy should be articulated by the business, and transformed into a series of initiatives, some of which require research and experimentations. Certain of these should be treated like research endeavours with hypotheses formed – with significant participation by both the data scientists and the business stakeholders – which are proven in a lab setting before productizing and deployment.  

Relationships

The CDO is going to have to rely on relationships to a great extent for several reasons, including (1) the role is new and evolving, (2) many of the responsibilities the CDO should take on are initially held by others, leading to political turf-wars, and (3) at least initially, the responsibility for execution of initiatives is shared with other business stakeholders.  

Certain key relationships stand out, including:

CIO: The CDO’s initial scope probably most closely overlaps with the CIO, partly because up until the CDO’s appointment, many information-related initiatives were likely assigned to the CIO by default.  It’s critical that the relationship evolve more to a service-provider/client model, where the CDO looks to the CIO to develop technology solutions to meet business requirements for information management, and the CDO has to be careful not to overstep and attempt to drive the architecture of the solutions.

CISO: A key responsibility for the CDO is information protection.  Whereas the CISO has historically been responsible for blanket IT security, the CDO should have greater insight into the relative value of information sets, as well as how they should be accessed, transmitted and processed.  Moreover, the CDO should have greater insight into unique handling obligations tied to particular information sets. Meeting those obligations and protecting the information is likely achieved by a combination of controls — administrative, technical, manual, policy, physical, etc., responsibility for which may initially be spread across the organization.  So the CDO should emerge as a stakeholder for the CISO, where the CDO provides requirements and the CISO implements controls to address those requirements.

CPO: Much of the information leveraged by an organization might be subject to regulatory requirements, and some of those my fall into the category of PII, generally managed by the CPO.  Whereas the traditional scope of the CISO overlaps with the CDO, in the case of the CPO, the CPO’s scope is entirely contained within the scope of the CDO (after all, the second “I” in “PII” stands for “Information”).  The privacy rules are only one set of obligations, and apply to only a portion of an organization’s overall information portfolio. So logically, the CPO should move into the office of the CDO — with appropriate relationships with legal counsel to ensure regulations are interpreted properly.

Regulators: In organizations beholden to regulatory oversight (banks, insurance companies, accounting firms, government contractors, healthcare institutions), analysis reveals that a key concern driving the regulations is the handling of information.  And since the CDO’s objective is to manipulate and leverage information, it follows that it’s critical for the CDO to ensure that proposed data-use initiatives conform to regulatory requirements by design. Moreover, everyone — including regulators — are grappling with the new ways information can be used, and the appropriate ways regulations apply.  So it’s critical that the CDO establish a relationship with their regulators, so the regulators see the organization’s use of data through a clear lens and react fairly. This also provides common ground and language in the event regulators identify potential issues — or if data incidents occur.

Risk Management: Most larger organizations have recognized the importance of proactively measuring, monitoring and mitigating risk along lines appropriate to their business structure and objectives.  These evolve from time to time as the business environment changes – for example, the formation of IT Risk Management functions over the last 10 years. They are very useful for a variety of reasons, including establishing a common understanding of what can go wrong, potential consequences, and agreement on appropriate mitigating steps to take.  Given the rapid emergence and evolution of data science — algorithms, AI, cognitive, etc., — the market has limited experience with assessing data risk, grappling issues, and establishing a balanced risk acceptance/mitigation model. And this evolution is taking place at a pace far greater than control and risk management techniques. In the past, implementing formal Risk Management usually follows a catastrophic event that serves as a wake-up call, and the pendulum swings hard back toward the conservative end of the spectrum.  That in itself is a risk, since organizations might overcompensate, lose momentum, give up favorable market position, and miss opportunities while the re-trench. A much better approach is for the CDO to incorporate risk management into processes, by design. Risk should be assessed during design phases and mitigated during development phases, not after the fact.  This strengthens the argument for embracing Scientific Method during the development of data initiatives.

Conclusion

These are exciting times to be involved with information management.  The science is evolving and technology is becoming powerful enough to allow organizations to do incredible things.  Companies are scrambling to invest and exploit the opportunities created by data, and are placing sizeable bets on what they hope will return profit, with some degree of luck.  But “hope” is not a business strategy, and some argue there is no such thing as “luck”. Appointing, supporting and enabling a CDO is a significant step to help ensure success of the program, and applying lessons learned from other new classes of executives can help ensure the success of the CDO.

Contact me at james@jhoward.us

Published by James Howard

As the former Chief Privacy Officer and Chief Data Officer at KPMG, I developed, implemented and led an Information Management Office, positioning the organization to leverage the transformative opportunities that data analytics, cognitive computing and intelligent automation present. In that role, I was responsible for the processes, tools and controls necessary to meet complex information handling requirements, enabling use while ensuring protection.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s