Overview
Data Governance is the exercise of authority, control, and shared decision-making (planning, monitoring, and enforcement) over the management of data assets. It provides the framework of policies, processes, roles, standards, and metrics that ensure the effective and efficient use of information to enable an organization to achieve its goals. Data Governance is positioned at the CENTER of the DAMA Wheel, reflecting its foundational role in connecting and guiding all other data management knowledge areas.
Data Governance is fundamentally about making better decisions about data. It establishes who has authority to make decisions about data, what processes they follow, and how the organization benefits from improved data management. A well-implemented governance program creates accountability through data ownership, establishes clear policies and standards, manages data-related risk, ensures regulatory compliance, and delivers measurable business value.
The DMBOK2 emphasizes that governance is not a technology solution — it is an organizational program that requires people, processes, and technology working together. Key success factors include executive sponsorship (typically a CDO or equivalent), a clear operating model, defined roles and responsibilities, measurable objectives tied to business outcomes, and an incremental approach that delivers quick wins while building toward a comprehensive governance framework. Governance programs that focus purely on compliance tend to fail; successful ones demonstrate value through improved data quality, better decision-making, and risk reduction.
Key Concepts
Data Governance Organization Structure
The organizational framework for governance includes several layers: (1) Data Governance Steering Committee — executive-level body setting strategic direction and funding priorities; (2) Data Governance Council (DGC) — cross-functional group of senior business leaders approving policies, resolving issues, and prioritizing initiatives; (3) Data Governance Office (DGO) — operational team supporting the Council with analysis, metrics, and coordination; (4) Data Stewardship Teams — domain-level groups responsible for day-to-day data governance activities; (5) Communities of Interest — informal groups addressing specific topics. Reporting lines typically flow from stewards → DGO → DGC → Steering Committee. The CDO (Chief Data Officer) usually chairs or sponsors the DGC.
Data Stewardship Roles
Data stewardship is the most common approach to data governance accountability. DMBOK2 identifies several types: (1) Chief Data Steward — senior role overseeing enterprise stewardship program; (2) Executive Data Steward — business leader accountable for a data domain; (3) Business Data Steward — subject matter expert defining rules, quality expectations, and business definitions; (4) Technical Data Steward — IT professional implementing technical controls, managing metadata, and ensuring systems comply with policies; (5) Coordinating Data Steward — facilitates cross-domain governance and resolves conflicts. Stewards should come from the business side (not IT) because they understand the business meaning and usage of data.
Data Owner vs Data Steward vs Data Custodian
These three roles form the governance accountability triangle:
- DATA OWNER — a business executive who has ultimate accountability for a data domain. Decides who can access data, approves quality standards, and is responsible for the data's fitness for purpose. Typically a VP or Director level.
- DATA STEWARD — a business professional who manages data on behalf of the owner on a day-to-day basis. Defines business rules, monitors quality, resolves data issues, and maintains business metadata.
- DATA CUSTODIAN — an IT/technical role responsible for the physical management of data: storage, backups, security implementation, database administration, and technical metadata.
The key distinction: Owners decide WHAT rules apply, Stewards manage COMPLIANCE with rules, Custodians IMPLEMENT technical controls.
Data Governance Operating Models
Three primary models exist:
- CENTRALIZED — a single, central authority makes all data governance decisions. Provides consistency but can be slow and disconnected from business units. Works for smaller organizations.
- DECENTRALIZED — each business unit governs its own data independently. Allows flexibility but leads to inconsistency and silos. Common in federated/conglomerate organizations.
- FEDERATED (Recommended by DMBOK2) — combines central coordination with distributed execution. Central team sets enterprise standards, policies, and architecture while domain-level stewards implement within their areas. This hybrid model balances consistency with local responsiveness and is the most commonly recommended approach for large enterprises.
Data Governance Policy Hierarchy
Governance documents follow a strict hierarchy from most authoritative to most detailed: (1) POLICIES — high-level statements of intent and direction. Approved by governance council. (2) STANDARDS — mandatory requirements that implement policies. (3) PROCEDURES — step-by-step instructions for performing specific tasks. (4) GUIDELINES — recommended practices and helpful advice. Policies are enforced; guidelines are advisory. Standards and procedures sit in between.
Data Governance Maturity Models
Maturity models assess an organization's governance capability across 5 levels (based on CMMI):
- Level 1 — INITIAL/AD HOC: No formal governance, reactive data management, individual heroics.
- Level 2 — REPEATABLE: Some governance processes exist but are department-specific, limited documentation.
- Level 3 — DEFINED: Enterprise-wide governance framework in place, policies documented, roles assigned, but not consistently measured.
- Level 4 — MANAGED: Governance is measured and monitored with metrics and KPIs, continuous improvement processes exist.
- Level 5 — OPTIMIZED: Governance is fully embedded in culture, self-improving, data is treated as a strategic asset with quantified business value.
Most organizations start at Level 1-2. Assessment should cover people, process, technology, and data dimensions.
Data Governance Council (DGC)
The DGC is the primary decision-making body for data governance. Key responsibilities include: approving data policies and standards, resolving cross-domain data issues and conflicts, setting governance priorities and funding, monitoring governance metrics and progress, ensuring alignment between data strategy and business strategy. Composition typically includes: CDO (chair), business unit leaders, IT leadership, legal/compliance, chief architect. The DGC usually meets monthly or quarterly. Decisions should be documented in meeting minutes. The DGC should NOT micromanage day-to-day data issues — those are handled by stewards and the DGO.
Data Governance Charter
A formal document that establishes the governance program. It should define: the mission and vision for data governance, scope (which data domains and business areas are covered), organizational structure and roles, decision-making authority and escalation paths, success metrics and KPIs, relationship to other governance programs (IT governance, enterprise governance), funding model, and initial priorities. The charter is typically approved by executive leadership and reviewed annually. It serves as the constitution for the governance program.
Data Asset Valuation
Quantifying data's value helps justify governance investments. DMBOK2 describes several approaches: (1) COST-BASED — what it would cost to recreate or replace the data; (2) MARKET-BASED — what others would pay for the data (or similar data) in the marketplace; (3) INCOME-BASED — how much revenue or profit the data enables or generates; (4) UTILITY-BASED — value derived from how the data is used in decision-making; (5) RISK-BASED — cost of not having the data, or cost of data breaches/poor quality. Most organizations use a combination. The key insight is that data's value increases when it is shared and combined (unlike physical assets that depreciate with use).
Data Governance and Regulatory Compliance
Governance frameworks must address regulatory requirements including: GDPR (EU data protection — consent, data subject rights, breach notification, DPO appointment), CCPA/CPRA (California consumer privacy — opt-out rights, data sale restrictions), HIPAA (healthcare — protected health information safeguards, minimum necessary standard), SOX (Sarbanes-Oxley — financial data integrity and audit trails), BCBS 239 (banking — risk data aggregation and reporting), PCI-DSS (payment card data security). Governance ensures compliance through policy enforcement, access controls, audit trails, data lineage, retention management, and privacy impact assessments. Non-compliance carries significant financial penalties and reputational risk.
Change Management for Data Governance
Implementing governance requires significant organizational change. Key elements: (1) EXECUTIVE SPONSORSHIP — most critical success factor; without visible, active executive support, governance programs fail; (2) COMMUNICATION — clearly explain why governance matters; (3) TRAINING — educate stakeholders on their roles, policies, and tools; (4) QUICK WINS — demonstrate value early with visible improvements; (5) METRICS — measure and report progress to maintain momentum; (6) RESISTANCE MANAGEMENT — address concerns about bureaucracy, loss of control, or increased workload; (7) CULTURE CHANGE — shift from "data belongs to my department" to "data is an enterprise asset". Kotter's 8-step change model is commonly referenced.
Data Governance Metrics and KPIs
Effective governance requires measurable outcomes. Common metrics include: DATA QUALITY METRICS — accuracy rates, completeness scores, timeliness of updates; COMPLIANCE METRICS — percentage of datasets with assigned owners, policy adherence rates; PROCESS METRICS — time to resolve data issues, number of data-related incidents; VALUE METRICS — cost savings from improved data quality, revenue impact of better data-driven decisions; MATURITY METRICS — governance maturity scores across domains; ADOPTION METRICS — number of trained stewards, percentage of data domains under governance. Metrics should be tied to business outcomes, not just governance activity.
Data Governance Tools and Technology
Technology supports governance but doesn't replace it. Key tool categories: (1) DATA CATALOGS — for metadata management, data discovery, and business glossary (e.g., Collibra, Alation, Informatica); (2) DATA QUALITY TOOLS — for profiling, cleansing, monitoring (e.g., Informatica DQ, Talend); (3) MASTER DATA MANAGEMENT — for creating golden records (e.g., Reltio, Informatica MDM); (4) DATA LINEAGE TOOLS — for tracking data flow and transformations; (5) POLICY MANAGEMENT — for documenting, distributing, and tracking compliance with policies; (6) WORKFLOW TOOLS — for managing governance processes, approvals, and issue resolution. Tools should be selected after the governance framework and processes are defined, not before.
Data Risk Management
Governance addresses data-related risks including: QUALITY RISK — poor data leading to bad decisions; SECURITY RISK — data breaches and unauthorized access; PRIVACY RISK — non-compliance with privacy regulations; AVAILABILITY RISK — data not accessible when needed; REGULATORY RISK — failing audits and regulatory requirements; REPUTATIONAL RISK — public incidents involving data misuse. Risk assessment involves identifying risks, evaluating likelihood and impact, implementing controls, and monitoring residual risk. The governance council should maintain a data risk register and review it regularly.
Data Governance and Data Literacy
Data literacy is the ability of individuals to read, work with, analyze, and communicate with data. Governance programs should promote data literacy by: establishing a business glossary with clear definitions, training employees on data concepts and tools, creating data quality awareness programs, publishing data documentation and lineage information, encouraging data-driven decision-making culture. DMBOK2 emphasizes that governance is more effective when users understand why data management matters and how to use data responsibly.
Best Practices
- ✓ Start with executive sponsorship — governance programs without visible, active C-level support almost always fail
- ✓ Use a federated operating model for large organizations to balance enterprise consistency with local flexibility
- ✓ Define clear, non-overlapping roles: Owner (business accountability), Steward (day-to-day management), Custodian (technical implementation)
- ✓ Create a formal Data Governance Charter documenting scope, authority, roles, escalation paths, and success metrics
- ✓ Focus governance on business outcomes (better decisions, reduced risk, regulatory compliance), not just compliance activities
- ✓ Implement governance incrementally — start with one or two high-priority data domains and expand after demonstrating value
- ✓ Establish a business glossary early — agreed-upon definitions prevent misunderstandings and are a visible governance deliverable
- ✓ Measure and report governance metrics tied to business value, not just activity metrics like number of meetings held
- ✓ Align governance policies with all applicable regulatory requirements (GDPR, CCPA, HIPAA, SOX) from the start
- ✓ Create clear escalation paths so data issues get resolved quickly rather than stalling in committees
- ✓ Invest in organizational change management — governance changes how people work and requires communication, training, and quick wins
- ✓ Conduct regular governance maturity assessments to track progress and identify areas for improvement
💡 Exam Tips
- ★ Data Governance is 11% of the exam — one of the Big Four topics — expect 11 questions
- ★ Know the difference between Data Owner (business accountability), Data Steward (day-to-day management), and Data Custodian (technical implementation)
- ★ Understand the three operating models: Centralized, Decentralized, and Federated — Federated is the recommended approach
- ★ Remember: Data Governance is at the CENTER of the DAMA Wheel — it connects and guides all other knowledge areas
- ★ Policy hierarchy: Policies → Standards → Procedures → Guidelines (most authoritative to most advisory)
- ★ The Data Governance Council (DGC) is the key decision-making body — know its composition and responsibilities
- ★ Executive sponsorship is the #1 critical success factor for governance programs
- ★ Know the five maturity levels: Initial → Repeatable → Defined → Managed → Optimized
- ★ Data stewards should come from the BUSINESS side, not IT — they understand the business meaning of data
- ★ Governance is an ongoing PROGRAM, not a one-time PROJECT — it requires continuous effort and funding
- ★ Be familiar with how governance relates to key regulations (GDPR, CCPA, HIPAA, SOX, BCBS 239)
- ★ Data Governance enables (doesn't replace) all other data management disciplines