A few weeks ago, David Loshin, whose new book The Practitioner’s Guide to Data Quality Improvement will soon be released, wrote the excellent blog post First Cuts at Compliance, which examines a challenging aspect of regulatory compliance.
David uses a theoretical, but nonetheless very realistic, example of a new government regulation that requires companies to submit a report in order to be compliant. An associated government agency can fine companies that do not accurately report.
Therefore, it’s in the company’s best interest to submit a report because not doing so would raise a red flag, since it would make the company implicitly non-compliant. For the same reason, it’s in the government agency’s best interest to focus their attention on those companies that have not yet reported—since no checks for accuracy need to be performed on non-submitted reports.
David then raises the excellent question about the quality of that reported, but unverified, data, and shares a link to a real-world example where the verification was actually performed by an investigative reporter—who discovered significant discrepancies.
This blog post made me view the submitted …
A few weeks ago, David Loshin, whose new book The Practitioner’s Guide to Data Quality Improvement will soon be released, wrote the excellent blog post First Cuts at Compliance, which examines a challenging aspect of regulatory compliance.
David uses a theoretical, but nonetheless very realistic, example of a new government regulation that requires companies to submit a report in order to be compliant. An associated government agency can fine companies that do not accurately report.
Therefore, it’s in the company’s best interest to submit a report because not doing so would raise a red flag, since it would make the company implicitly non-compliant. For the same reason, it’s in the government agency’s best interest to focus their attention on those companies that have not yet reported—since no checks for accuracy need to be performed on non-submitted reports.
David then raises the excellent question about the quality of that reported, but unverified, data, and shares a link to a real-world example where the verification was actually performed by an investigative reporter—who discovered significant discrepancies.
This blog post made me view the submitted report as a red herring, which is a literacy device, quite common in mystery fiction, where the reader is intentionally mislead by the author in order to build suspense or divert attention from important information.
Therefore, when faced with regulatory compliance, companies might conveniently choose a red herring over a red flag.
After all, it is definitely easier to submit an inaccurate report on time, which feigns compliance, than it is to submit an accurate report that might actually prove non-compliance. Even if the inaccuracies are detected—which is a big IF—then the company could claim that it was simply poor data quality—not actual non-compliance—and promise to resubmit an accurate report.
(Or as is apparently the case in the real-world example linked to in David’s blog post, the company could provide the report data in a format not necessarily amenable to a straightforward verification of accuracy.)
The primary focus of data governance is the strategic alignment of people throughout the organization through the definition, and enforcement, of policies in relation to data access, data sharing, data quality, and effective data usage, all for the purposes of supporting critical business decisions and enabling optimal business performance.
Simply establishing these internal data governance policies is often no easy task to accomplish. Just as passing a law creating new government regulations can also be extremely challenging.
However, without enforcement and compliance, policies and regulations are powerless to affect the real changes necessary.
This is where I have personally witnessed many data governance programs and regulatory compliance initiatives fail.
Red Flag or Red Herring?
Are you implementing data governance policies that raise red flags, not only for implicit, but also for explicit non-compliance?
Or are you instead establishing a system that will simply encourage the submission of unverified—or unverifiable—red herrings?