By: Justin Heller | Executive Advisor & Experienced Chief Data Officer
As Told To: Pritam Bordoloi, Senior Reporter, CDO Magazine
Updated 2:00 PM EDT, June 9, 2026

Data governance is one of those terms that sounds important but often lands the wrong way. I never liked the term. It tends to evoke images of overhead, bureaucracy, and a kind of policing function that slows things down rather than enabling progress.
That perception alone explains why so many governance programs struggle to gain traction inside organizations.
But mind you, the issue is not the concept itself. It is how we define it, where we anchor it, and how we operationalize it. If you get those foundations right, governance becomes less about control and more about enabling better decisions, reducing friction, and ultimately driving business value.
So when I think about what to base a data governance program on, I do not start with tools, policies, or even compliance.
I start with a few core principles that shape everything else. And if you get these right, the rest of the program has a much better chance of succeeding.
The biggest mistake I see organizations make is treating data as something that exists independently of the business. Actually, it does not. Data is created, transformed, and consumed as part of business processes. It exists because something in the business needs it.
If you try to anchor governance around systems or where data is stored, you will quickly run into problems. The same type of data can live in multiple systems across the enterprise. Customer data is a classic example.
If you assign accountability based on where data is physically stored, you end up with fragmented ownership and inconsistent definitions. One system says a customer means one thing, another system says something slightly different, and now you have confusion baked into your foundation.
Instead, governance should be anchored in business processes. Processes have clear owners. They have defined objectives. They create and consume data in ways that are directly tied to business outcomes. That is where accountability naturally belongs.
Think about it this way: A process owner is already accountable for the risks and performance of their process.
Data is simply part of that equation. If the data is wrong, incomplete, or misunderstood, the process suffers. So it makes sense that governance aligns closely with the people who understand why the data exists in the first place.
This also ties into broader risk management disciplines. In regulated environments, organizations operate with first, second, and third lines of defense. Each process has inherent risks, and the process owner is responsible for mitigating those risks through controls. Data governance should plug directly into that model, not sit outside it.
Once you anchor governance in processes, everything becomes clearer. You can identify critical processes, understand which data matters most, and prioritize your efforts accordingly.
That said, not every process needs the same level of governance. Some are mission-critical, like regulatory compliance or financial reporting. Others are less critical, like marketing content creation. Treating them the same is not just inefficient, it is counterproductive.
Another common issue is that organizations jump into governance without clearly defining what they mean by it. The result is predictable: everything gets lumped into the governance bucket.
Suddenly, data governance includes data protection, cybersecurity, privacy, records management, metadata, data quality, and more. While these areas are related, they are not the same thing. Blurring those lines creates confusion and unrealistic expectations.
I have a hypothesis that many organizations use “data governance” as a catch-all term because it is convenient. But that convenience comes at a cost. When the scope is not clearly defined, you end up with overlapping responsibilities, unclear ownership, and a program that is difficult to manage.
The better approach is to take a position early. Define what data governance means in your organization. Define its mission and scope.
For me, data governance is a sub-process within the broader data management discipline. Its role is to coordinate, guide, and enable other processes. It is not there to own everything. It is there to ensure that the right practices are adopted, risks are understood, and value is delivered.
That distinction matters. A lot!
For example, structured data governance is different from managing unstructured data like documents and records. The latter often falls under information lifecycle management. Data protection and cybersecurity belong more squarely in the information security domain. These areas need to collaborate, but they are not interchangeable.
One of the reasons governance has a negative reputation is that it is often positioned as an enforcement mechanism. Policies are written, rules are established, and violations are flagged. While those elements are necessary, they should not define the program.
At its best, data governance is an enabler. It helps people use data effectively and responsibly by improving data literacy, enabling self-service, and reducing friction in access and understanding. Data democratization means giving employees the information they need to do their jobs, along with clarity on what the data means, where it comes from, and how reliable it is. Data governance makes this possible.
It should not act as a gatekeeper, but as an advisor. When issues arise, the goal is to assess impact, bring stakeholders together, and resolve them collaboratively. Data governance facilitates alignment, especially when teams disagree on definitions.
This is where stewardship matters. Unlike “ownership,” which implies control, stewardship reflects shared responsibility. Data, like knowledge, is meant to be accessible and used widely.
If there is one area where organizations consistently overcomplicate governance, it is in the pursuit of perfection. There is a tendency to try to address every possible risk, implement every best practice, and build a fully comprehensive control environment. On paper, that sounds like a good idea. In practice, not so much.
It slows everything down and diverts resources away from what truly matters. The reality is that not all risks are equal. Some risks are governed by laws and regulations, and organizations cannot afford non-compliance.
Others are business risks that must be evaluated based on their likelihood and potential impact. The objective is not to eliminate all risk, but to ensure risks are mitigated to a level that aligns with the company’s risk appetite.
This is where a risk-based approach becomes essential.
For example, not having data lineage for a critical compliance process could have serious consequences. Not having lineage for a low-impact marketing process might not. Treating these scenarios the same does not make sense.
This approach also helps balance governance with agility. One of the common concerns is that governance slows down innovation. In many cases, that is because organizations are trying to do too much, too soon.
Instead, governance should focus on removing impediments to business objectives. If a lack of data quality or clarity is preventing a strategic initiative from moving forward, that is where governance should step in.
Otherwise, it is often better to wait until there is a clear need. This does not mean ignoring risks. It means prioritizing them intelligently.
In the end, data governance succeeds when it is grounded in how the business actually works, not in abstract controls or tools. By anchoring it in processes, clarifying scope, enabling users, and prioritizing risk, organizations can turn governance into a practical, value-driving discipline.
Done right, it becomes less about oversight and more about trust, alignment, and better decisions at scale.
Increasingly, automation and AI are playing a role here. For example, identifying where specific data elements exist across systems can be time-consuming if done manually. AI can help detect patterns, suggest mappings, and reduce the burden on data stewards.
Similarly, automation can help apply data quality rules consistently across systems, identify gaps, and even suggest remediation actions. These capabilities can significantly enhance the effectiveness of governance, but only if they are built on a solid foundation of processes and metadata.
Finally, a data governance program needs a structure that is both credible and measurable.
This is where industry frameworks such as DAMA-DMBOK, the NIST data governance framework, COBIT, and DCAM come into play. Frameworks provide a common language and a set of best practices that organizations can build on. They also make it easier to communicate with regulators, auditors, and new hires.
Whether it is a data management framework or an information security standard, anchoring your program in an established model reduces the need to justify your approach from scratch. It allows you to focus on how you implement the framework rather than debating its validity.
Equally important is measurement.
Data governance effectiveness cannot be assumed. It needs to be demonstrated through metrics. These can include engagement levels, such as participation in governance forums, as well as control-related metrics, such as the completeness of data definitions or the coverage of data quality rules.
Risk indicators are also critical:
At the same time, it is important to recognize that not all metrics are equally relevant across the organization. This ties back to business processes. Critical processes should have more stringent controls and more detailed monitoring. Less critical processes may require a lighter touch.
The key is to produce evidence that governance is working. Not just in theory, but in practice.
If there is a single takeaway, it is this: Data governance should not be built in isolation.
It should be:
When those elements come together, data governance stops being a burden and starts becoming a catalyst. It helps organizations move faster, make better decisions, and build trust in their data.
And perhaps most importantly, it starts to shed the reputation that has held it back for so long.
This article is part of a CDO Magazine series co-created with seasoned data leader Justin Heller, exploring how to make the Chief Data Officer role durable, effective, and embedded within the enterprise. The series covers:
Justin Heller is a seasoned financial services executive and former, longest-tenured Chief Data Officer with more than 30 years of experience helping organizations succeed through data strategy, governance, and risk management. He is widely recognized for guiding institutions in strengthening data governance, advancing AI adoption, and enhancing regulatory, privacy, and risk frameworks, including work with G-SIB, D-SIB, and other systemically important financial institutions.
A respected voice in the industry, Heller has spoken at leading conferences and forums such as FIMA USA, CDAO Financial Services, and CDO Magazine, as well as numerous webinars, addressing topics including data governance, artificial intelligence, risk management, privacy, and data minimization. He also holds multiple patents related to data management and innovation in enterprise data practices.
His areas of expertise include financial services, AI and data strategy, data governance, regulatory compliance, risk management, and privacy.