Newsletter Article
PEOPLE, PROCESS AND TECHNOLOGY: A CONTINUOUS GOVERNANCE SYSTEM
Governance is sometimes treated as a standalone process owned by a compliance, risk or data team.
In practice, trusted data depends on the continuous interaction of three elements:
People establish accountability.
Processes create consistency.
Technology applies and scales controls.
None of these elements can create confidence independently.
People may define strong policies, but those policies will be applied inconsistently if they are not translated into repeatable processes.
Processes may be well documented, but they will be difficult to maintain if they depend on manual checks across hundreds of applications and data sources.
Technology may automate access, validation and record-keeping, but controls will have limited value if ownership, purpose and escalation paths remain unclear.
The relationship should therefore be viewed as a continuous triangle rather than a linear sequence.
People define what responsible and appropriate use looks like.
Processes turn those expectations into repeatable activities.
Technology helps embed those activities into the flow of information.
The evidence produced through those systems then allows teams to review outcomes, identify weaknesses and improve the controls.
Governance is not completed once a policy has been approved or a platform has been deployed. It must continue to evolve as the organisation, its technology and its use of data change.
Modern data and analytics platforms can make governance easier to apply at scale.
They can support capabilities such as:
These capabilities are important because governance that relies entirely on manual intervention becomes difficult to maintain as the technology environment expands.
But embedded controls do not remove organisational responsibility.
A platform can restrict access according to a defined role. The organisation must still decide which information that role should be able to see.
A system can record how data was transformed. The organisation must still determine whether the transformation is appropriate.
A workflow can require approval. The organisation must still assign an accountable approver with the knowledge and authority to challenge the result.
A dashboard can display a governed KPI. The organisation must still agree on what that KPI means and how it should be used.
Technology strengthens governance when it turns agreed requirements into consistent operational controls.
It cannot substitute for unclear ownership, weak definitions or an absence of purpose.
A practical governance model should follow information throughout its lifecycle rather than focusing only on the final report or dashboard.
Establish why the data is being collected or analysed, who will use it and which decision it is intended to support.
This helps determine which information is relevant and what level of control is proportionate.
Identify who is accountable for the data, the business definition, the process and the resulting output.
Ownership should remain clear even when several systems or teams are involved.
Determine which systems should be treated as the recognised source for critical information.
Where multiple sources exist, document which should take precedence and under what circumstances.
Agree on the meaning of key business entities and measures.
A customer, interaction, resolution or conversion should not change meaning depending on which dashboard or team is using it.
Document how data is filtered, joined, calculated or enriched.
Transformation logic should be visible enough for authorised users to understand how the source information became the final result.
Apply checks appropriate to the use case, including completeness, accuracy, consistency, timeliness and relevance.
Quality should be assessed in relation to the decision being made, not as an abstract technical measure.
Align access with role, responsibility and purpose.
Users should be able to reach the information they need without gaining unnecessary visibility of sensitive data.
Maintain sufficient records to demonstrate where the information came from, which controls were applied and how the result was produced.
Evidence allows decisions and outputs to be reviewed, reproduced and audited.
Review the process as systems, regulations, definitions and business requirements evolve.
Governance that is not maintained will gradually become disconnected from the environment it is intended to control.
Global data and AI governance frameworks differ in scope, terminology and legal force.
However, they consistently reinforce several common expectations:
DAMA-DMBOK places governance at the centre of broader data management disciplines, including data quality, architecture, integration, metadata and security.
ISO/IEC 38505 positions data as an enterprise governance issue rather than a matter for IT alone.
COBIT connects the governance of information and technology with business objectives, value, risk and accountability.
ISO/IEC 27001 provides a management-system approach to protecting the confidentiality, integrity and availability of information.
ISO/IEC 42001 applies a similar management-system discipline to AI, requiring organisations to establish responsibilities, controls, evaluation and continual improvement.
The NIST AI Risk Management Framework structures responsible AI activity around four functions: Govern, Map, Measure and Manage.
The OECD AI Principles emphasise accountability, transparency, robustness and human-centred values.
The EU AI Act turns several of these principles into specific legal obligations for applicable AI systems, including requirements relating to data governance, documentation, record-keeping, oversight and monitoring.
Australia, the United Kingdom and Singapore have also introduced guidance and governance models that reinforce similar principles.
The practical lesson is not that organisations must build a separate process for every framework.
It is that a well-designed governance foundation can support alignment across many of them.
Responding to every framework independently can create another layer of complexity.
Different teams may develop separate policies, registers, assessments and reporting processes for privacy, information security, AI, data quality and regulatory compliance.
This can produce duplicated effort and gaps between governance functions.
A more effective approach is to establish a common control foundation.
For example:
The same organisational capability can therefore satisfy several governance objectives.
This reduces duplication and makes governance easier to embed into normal operations.
Traditional reporting already requires data quality, ownership and access controls.
AI increases the importance of those disciplines because it can analyse information faster, combine more variables and make answers accessible to a wider group of users.
It can also produce outputs that appear complete and confident even when the underlying context is fragmented.
Before an organisation relies on an AI-supported answer, it should be able to determine:
AI governance should therefore not operate separately from data governance.
An AI system cannot be trusted if the information feeding it is unmanaged, inconsistently defined or impossible to trace.
The faster the analysis becomes, the more important it is to know that the underlying process remains controlled.
Not every use of data carries the same level of risk.
An internal dashboard tracking low-impact operational performance should not necessarily require the same controls as an automated process influencing employment, financial access, healthcare or essential services.
The strength of the governance process should reflect:
Proportionate governance avoids two common failures.
The first is applying so little control that information cannot be trusted.
The second is applying so much control that teams create unofficial workarounds to avoid the process.
The objective is not to govern every dataset in exactly the same way.
It is to apply the right level of oversight for the purpose, context and potential impact.
Confidence in data does not come from the number of policies an organisation has written.
It comes from being able to answer practical questions consistently.
If these questions cannot be answered without locating a particular analyst, spreadsheet or system administrator, the process is not yet sufficiently governed.
A dashboard shows the result.
Governance creates confidence in how that result was produced.
That confidence comes from more than policy, technology or individual expertise.
It comes from a continuous system in which:
People establish ownership and accountability.
Processes create consistency and auditability.
Technology helps apply controls across the flow of information.
Each element reinforces the others.
As organisations adopt more applications, analytics capabilities and AI-supported processes, this continuous governance triangle becomes increasingly important.
The organisations that create the greatest value from data will not necessarily be those with the most dashboards, the largest teams or the most advanced tools.
They will be those that can demonstrate that their information is:
Clearly defined. Appropriately accessed. Consistently processed. Traceable. Reproducible. Governed.
That is what allows data to move beyond presentation and become a trusted business capability.

HUMAN JUDGEMENT REMAINS THE DATA ADVANTAGE