In response to Research Question 1 (RQ1), it is important to describe the theoretical context, foundations, and key concepts of the data governance field. According to the Data Management Association (DAMA), a significant reference in this area, data governance involves a combination of responsibilities, control environments, governance, and decision-making related to an organization's data assets (Al-Ruithe et al., 2019). This concept is distinct from data management, which DAMA characterizes as the process of defining data elements, acquiring, managing, and storing them within an organization, and overseeing how data flows through IT systems. Data management also includes the policies, procedures, and plans that support this workflow (Al-Ruithe et al., 2019).

Given this, we define data governance as the planning, management, and governance of data and related activities. According to Sifter (2017), data governance can be viewed as a combination of highly managed and structured collections of resources and assets, which are critical to an organization's business and decision-making processes (Sifter, 2017, p. 24). The main objective of data governance is to enhance a company's capability, effectiveness, and sustainability by supporting its decision-making processes with robust, high-quality data, leading to more precise and informed choices (Sifter, 2017).

Ragan and Strasser (2020) similarly view this field as one that enables organizations to leverage data to communicate their needs, while also aligning business strategy with available data. This alignment leads to better supported, more organized processes and more informed decisions.

Moreover, the success of a data governance program is closely tied to an organization's culture, as well as the dedication and engagement of its administration and human resources (Ragan & Strasser, 2020). Hoppszallern (2015) highlights the importance of clear governance in information technology, noting the possible negative effects of unclear governance on an organization and the value that can be created through effective implementation. Similarly, Sifter (2017) argues that strong data governance may address obstacles related to an organization's processes, people, and technology, enabling it to tackle data management problems and uphold a long-term commitment to integrity in data and asset governance. Meyers (2014) shares this perspective, recognizing data governance as the application and oversight of data management rules, processes, and formal procedures throughout an organization's operations.

Furthermore, the literature identifies data governance as one of the most crucial areas for firms to incorporate into their operations. Indeed, it can be seen as a critical asset for the success of their business strategy because data are seen as the future and a competitive edge that can differentiate successful businesses from those that fall short (Ragan & Strasser, 2020, p. 10). Rivett (2015) argues that data governance represents a significant gap that businesses need to address, especially as it becomes increasingly complex over time. However, organizations should remember that data governance involves more than just managing data. It also encompasses how data are collected, produced, utilized, controlled, and reported, as well as who is responsible for ensuring quality throughout the lifecycle (Janssen et al., 2020).

Moreover, Riggins and Klamm (2017) describe this field as an exercise in process and leadership focused on data-based decisions and related matters. It comprises a system of decisions and responsibilities defined by an agreed-upon model, which outlines how an organization can take action, what type of actions can be pursued, and when those actions should occur in relation to data and information. Dutta (2016) describes this field as the combination and definition of standards, processes, activities, and controls over enterprise data to ensure that the data are available, integrated, complete, usable, and secure within the organization. Organizations are striving to define and implement resolutions that manage the quality and master data, ensuring truthfulness, quality, and completeness—specifically non-transactional data, data at rest, while often disregarding transactional data, data in motion (Dutta, 2016).

As highlighted by Abraham et al. (2019), while data governance is increasingly recognized as being critical to the success of organizations, there is still no unanimous agreement within the scientific community regarding its scope. Current literature and other relevant sources often focus on specific aspects of the discipline, such as data protection, security, and the data lifecycle. Alternatively, some sources provide limited reviews that focus on theoretical approaches without offering frameworks and tools to improve and strengthen data governance and quality. Therefore, our approach to this topic ensures that this discipline is analyzed in a way that integrates both theoretical and practical concepts, tools, and frameworks, aiming to improve the overall effectiveness and efficiency of this field and its impact on organizations.

Research Question 1 (RQ1) focuses on the recognition that, for a given data governance framework and strategy, there are several concepts that organizations need to understand and embed in their operations. According to Gupta et al. (2020), a data governance framework should encompass strategies, knowledge, decision-making processes related to data management, relevant regulations, policies, data proprietorship, and data protection. One important concept is the notion of data lake, which is considered a centralized repository that allows an organization to collect and distribute large amounts of data. In a data lake, data can be both structured and unstructured, often with limited contextual information, such as the data's purpose, its timeliness, its owner, and how, or whether it has been used (Rivett, 2015).

Another vital concept corresponds to data lineage, which represents the traceability of a given data within an organization. Data lineage allows organizations to visualize and understand the impact of data throughout the organization's system and databases, as well as to trace data back to its primary source, including the stage where it is stored (Dutta, 2016). The literature highlights the importance of embedding data lineage in an organization's end-to-end processes to ensure accurate and complete traceability throughout the data lifecycle, including the systems and processes the data pass through (Dutta, 2016).

Bordey (2018) emphasizes the importance of understanding data lineage and how a firm can control and monitor the data life cycle. To assess a firm's data quality capability, Bordey proposes a set of questions that any firm should consider: i) What activities are being performed, and who is responsible for executing and monitoring them?; ii) What are the conditions and requirements for the planned and performed activities?; iii) Where can the necessary data be retrieved, and what exact phases are required to manage and use that data?; iv) What will be the result of this activity, and for whom is it being produced?; and v) What are the next steps after the result is delivered? (Bordey, 2018).

Moreover, to build and develop a robust and effective data governance strategy and framework, it is essential to establish foundational pillars that should be employed to provide a solid baseline for this field. We recognize that organizations remain vulnerable to data disasters and are hesitant to invest in prevention measures, such as robust and secure infrastructure designed to guard against potential system outages and data disasters, namely through the loss of data (Johnston, 2016).

Johnston (2016) identifies three fundamental topics for managing and maintaining a solid data governance strategy: data visibility, federated data for better governance, and data security. The author emphasizes that defining the baseline for a data governance strategy and framework is crucial. According to this author, the first pillar should be data visibility, which encompasses the activity an organization should go through to understand “what you have, where it is, and how to recover it, when necessary” (Johnston, 2016, p. 52). In addition, Johnston describes the principles organizations should comply with to secure their data: i) deleting low-value data that that has little to no business value, such as outdated, or duplicated data, or data that has exceeded its retention period; ii) organizing valuable data by storing it in controlled repositories using information technology tools; iii) enforcing rigorous data security procedures and mechanisms to ensure data privacy and the protection of financial, personal, and other types of data, while also ensuring it is secure and properly backed-up; and finally, iv) maintaining and controlling access, user privileges and their management (Clarke, 2016). Similarly, Mcintyre (2016) suggests that every organization should implement data redundancy measures to ensure an organization is prepared for a disaster and recovery. This includes setting Recovery Point Objectives (RPOs), which determine how much updated and current data the firm is willing to lose, and Recovery Time Objectives (RTOs), which define how long the firm can go without access to its data assets.

Similarly, Rivett (2015) describes that context, or cataloging of data, is a layer that can answer critical questions and provides the organization with greater visibility over their data and information. This visibility allows organizations to perceive their data, determine their usage, identify ownership roles, and know who to contact in case of data errors. According to Rivett, a business can only define and implement an effective data governance strategy—one that includes appropriate data management procedures to ensure proper governance and compliance—if they have complete visibility of the data within the organization's infrastructure.

In addition to data visibility, Johnston (2016) emphasizes the need for organizations to focus on federated data to improve organizational governance. The process of federating data involves retrieving data from different databases or sources and standardizing it into a single, unified source for front-end analysis and visualization. This process allows companies to analyze and access data from a single source without needing to modify, move, or recover data across different infrastructures (Johnston, 2016). Johnston also identifies data security as the third pillar, which includes protecting and securing data, defining extensive policies, and applying encryption and authentication mechanisms to ensure that only authorized individuals can access the data (Johnston, 2016). Similarly, Rivett (2015) examines the importance of context and governance in implementing a data governance strategy. This author stresses that organizations need to be able to address questions related to data responsibilities, the up-to-date status of data, data meaning and usefulness, and the technologies used for management and storage.

Similarly, Sifter (2017) argues that for a data governance framework to achieve excellence, it must be supported by five essential attributes. The first attribute is related to data accuracy, ensuring that all data flows are managed, controlled, audited, and monitored across the organization's system landscape. Sifter also highlights the importance of data consistency and availability, which are essential for enabling business stakeholders to access data whenever necessary. The other three key attributes, according to Sifter (2017), include: i) the ability of organizations to maintain a single repository for essential data storage, ii) a commitment to maintaining data quality and availability across all processes, and iii) effective planning activities that address data requests by business stakeholders with suitable swiftness and repeatedly whenever necessary. Additionally, it is essential to ensure that data governance aligns with the organization's Master Data Management (MDM). MDM encompasses a set of practices and techniques whose primary goal is to increase and sustain data quality and usage throughout the organization's environment and processes (Vilminko-Heikkinen & Pekkola, 2019).

In response to Research Question 2 (RQ2), and because organizations increasingly focus on fostering robust data governance practices to support their personnel, business processes activities, and technology infrastructure, they are likely to achieve positive outcomes that create value for the overall business and its stakeholders. Sifter (2017) explains that data governance can enhance an organization's human capital by providing more trained, equipped, and knowledgeable personnel, particularly in roles that require ownership and accountability in governance and data management. This approach is not about restricting access to data for certain privileged users, but rather about enabling all users within the organization to access and utilize data governed by appropriate controls (Riggins & Klamm, 2017).

Similarly, this author suggests that an organization's processes will also improve because they are more controlled and monitored for consistency and efficiency due to the strong support of established policies, procedures, and practices. As a result, data governance provides organizations with a set of tools and directives aimed at ensuring that the correct data are accessed and analyzed by the appropriate people whenever and wherever decisions need to be made (Riggins & Klamm, 2017). Additionally, an organization's technology infrastructure will be strengthened as companies strive to optimize and update their systems across the entire environment, rather than just within individual business units (Sifter, 2017). In fact, with better use and understanding of the data they manage, companies are more likely to make well-supported decisions, thereby unlocking greater potential from their data (Burniston, 2015). Consequently, accountability and reliance on data are enhanced when organizations take responsibility for their data and systems, leading to better-designed and controlled decision-making processes (Sánchez & Sarría‐Santamera, 2019). Therefore, robust data management and governance can significantly improve organizational transparency (Cerrillo-Martínez & Casadesús-de-Mingo, 2021)

Moreover, Riggins and Klamm (2017) highlighted several benefits that organizations can gain from data governance including: i) the creation of a mutual, company-wide approach to data processes, which helps generate a single source of truth for the organization's data; ii) the definition and recognition of data controls and policies, which when aligned with organizational needs, foster data quality, accessibility, and security; iii) the development of a central repository for data management, aimed at defining a common terminology and taxonomy within the organization; iv) the establishment of real-time reports and standardized reporting techniques; and v) the enhancement of decision-making processes through the use of trusted data.

Furthermore, the importance of addressing data governance and quality is becoming increasingly prominent in both organizational practices and among regulatory bodies. Shabani (2021) notes that the European Union recently announced a proposal for a new Data Governance Act aimed at facilitating data sharing across various fields while establishing a bridge with the GDPR (General Data Protection Regulation). According to Shabani, robust data governance mechanisms and secure data-sharing practices should be adopted to guarantee compliance with rules and directives from regulatory bodies, such as the GDPR (Shabani, 2021). The author argues that providing organizations with a strong regulatory framework for data governance, which addresses all core elements of this field, can empower both organizations and individuals to better control and enhance their data usage and sharing (Shabani, 2021). Similarly, Janssen et al. (2020) propose that organizations should adopt a framework to regulate and control data sharing, stating that organizations must include requirements and standards for data sharing, formalize agreements, contracts, and service level agreements (SLAs), define authorization levels and approval workflows, and implement audit mechanisms to ensure compliance with relevant legislation and agreements. Kopp (2020) adds that when organizations recur to outsourcing activities, they must clearly describe and characterize the activities being performed as outlined in the formal contract.

Concerning Research Question 2 (RQ2), it is important to recognize that a given data governance strategy and framework can be applied across a wide range of areas and situations. These applications can serve as benchmarks for developing a solid and robust data governance program (Hassan & Chindamo, 2017). For instance, Perrin (2020) describes the recent impact of data governance in the advertising industry, where data fuel decisions made by marketers and brand managers to guide decision-making processes and create brand experiences for consumers. Perrin highlights the significance of current data management and usage regulations, such as the CCPA (California Consumer Privacy Act) and the GDPR (General Data Protection Regulation). Given that advertising relies on vast amounts of data for decision-making and brand promotion, organizations should consider benchmarking their data governance strategies against those in other industries and areas, whether similar, or different from their own. This approach can help them identify key learning points and best practices (Dencik et al., 2019).

Similarly, Perrin (2020) stated that data governance in advertising must encompass data efficacy, transparency, and consumer control. While data can be considered a new currency, increasingly stringent regulations are imposing stricter restrictions on data management and usage. Therefore, organizations must implement a data governance framework and strategy that aligns with the applicable regulations. This includes promoting internal processes to understand the different types of data within the organization, how they are collected, and how they are audited for efficacy and compliance. In the advertising industry, it is crucial for companies to integrate data governance into their operations, because failing to comply with regulations, or jeopardizing consumer trust could make it “nearly impossible to rebuild” that trust (Perrin, 2020, p. 35).

Sifter (2017) describes the importance of data governance in financial institutions, such as insurance companies, financial services, and banks. According to the author, a successful data governance program must address people, processes, and technologies. Sifter notes that these organizations often struggle with managing data quality and access to both data and technology. The author views data governance as a crucial tool for preventing data corruption and issues, maintaining long-term data integrity, and producing vital business data and assets that support operations and business management (Sifter, 2017).

Regarding RQ2, Sifter (2017) argues that for a data governance initiative to achieve excellence, it requires support from five key components: foundational elements, data portfolio management, implementation management, engineering and architecture, and operations and support. For the foundational elements, Sifter states that it is important for an organization to establish a charter and vision that can be controlled and assessed over time. This should include clearly defined ownership roles and responsibilities regarding data governance.

For the data portfolio management component, Sifter (2017) argues that organizations must be capable of designing, building, defining, and maintaining an up-to-date data inventory. This inventory should provide a comprehensive overview of how data flows within the organization's technologies, including how data are secured, preserved, and managed. For instance, a data inventory, also known as a data dictionary, or glossary, acts as a catalog of all the data used within the organization. It serves as a reference point for data and assigns data ownership. It resembles a data repository, with detailed metadata, including format, type, technical specifications (e.g., character limits, possible blanks, among others), and accountability and quality criteria and metrics (Clarke, 2019). The author highlights the importance of defining and regularly updating a data inventory to improve an organization's ability to maintain a centralized repository of data definitions, structures, and relationships, which is essential for consistency and clarity across the organization (Clarke, 2019).

Regarding implementation management, Sifter (2017) considers it essential to determine and define methods related to project, change, and access management within an organization. These methods should also facilitate the optimized management of human capital and training programs. Additionally, Sifter (2017) argues that engineering and architecture should support a data governance framework by establishing policies, procedures, and mechanisms across various aspects of the organization. This includes software management, quality assurance and auditing, change and security management, and the management of the technology landscape that characterizes the organization's operations and activities.

Lastly, Sifter (2017) emphasizes the need for organizations to have robust operations and support mechanisms, allowing their personnel to have clear communication channels whenever there is a need for assistance, or in the case of an incident. Additionally, Dutta (2016) proposes a framework to ensure the quality of data in motion, or transactional data. We believe that each of the steps outlined in this framework can be adapted to enhance an organization's data governance framework. Dutta presents a different approach to data governance, which is illustrated in Fig. 13. This approach is structured around the design of a conceptual framework consisting of six interrelated dimensions:

Fig. 13.

Framework for data quality of data in motion. Adapted from Dutta (2016).

(0.05MB).

In Stage 1, Discover, the organization must identify and acknowledge all critical information and how it flows within the technological and operational architecture. This involves defining and developing metrics and their foundations. The organization needs to inventory all data across existing systems, databases, and data warehouses, understanding, registering, and documenting data lineage, including sources from both internal systems and external systems and providers (Dutta, 2016). In this stage, it is also important for the organization to establish metric standards and implement techniques to improve data quality through collaboration with data owners.

In Stage 2, the organization should focus on identifying and defining the risks associated with data quality, including data domains and both data at rest and in motion. This involves formalizing issues related to data quality features, as well as recognizing the risks, potential gaps, and pain points that characterize the organization's current environment (Dutta, 2016). By identifying these risks, the organization will be in a position to develop a clear approach to evaluate, mitigate, respond to, and treat them properly.

Data transparency, reliability, and usability can be considered part of the data observability feature in a data governance program. This concept involves all the mechanisms and processes that allow employees to effectively monitor, assess, and produce insights from their data (Schmuck, 2024). According to Schmuck, data observability serves as a solution within a data governance program and encompasses characteristics such as data modeling and design, data quality and its architecture, metadata registry, data warehousing, and business intelligence, data integration and interoperability, and document management (Schmuck, 2024).

In Stage 3, Design, organizations must develop their information analysis techniques and establish processes for managing exceptions, errors, and incidents. To improve these processes, organizations should use automated techniques rather than traditional approaches like sample sizing. They should also implement controls designed to monitor real-time data and processes, such as the success of batch routines (Dutta, 2016). By designing these approaches, organizations should prepare for Stage 4, which involves deploying a set of actions and activities based on the prioritized risks, namely those that are most important and impactful to the environment. The implementation of these actions must involve various components of the organization, including technology, people, and processes, to ensure the effective deployment of these initiatives.

The last Stage, Stage 4, corresponds to Monitoring, where the organization's primary goal is to observe and review the framework that was applied to its context. This includes evaluating data quality metrics, incident management process, risk controls, and any activities that may influence and jeopardize the success of the defined framework (Dutta, 2016).

Furthermore, Al-Ruithe et al. (2019) identify three key components that should be ensured in data governance: roles related to data quality assurance, areas of decision-making, and overall responsibilities. They suggest that an effective data governance strategy should involve defining, monitoring, and implementing a comprehensive organization-wide data warehouse (Al-Ruithe et al., 2019). Despite the lack of recent literature on different methodologies and frameworks in this field, several existing data governance frameworks should be analyzed and compared to develop a robust framework that encompasses the best critical aspects of each. For example, the Data Governance Institute (DGI) framework, described by Al-Ruithe et al. (2019), includes ten components that an organization should ensure: 1) Mission and Vision involves defining and setting rules and boundaries, presenting the mission, strategy, and vision, and aligning them with data stakeholders while safeguarding compliance and regulatory requirements. In this step, the DGI suggests that organizations define data governance groups to provide an overview and ensure understanding of how data travel through human and technological assets; 2) Goals, Governance Metrics, and Funding strategies define clear goals and metrics following the SMART criteria (specific, measurable, actionable, relevant, and timely). It ensures that employees understand successful data governance and how to monitor and assess it continuously. In this Stage, it is important to have funding strategies to support roles such as data governance officers and other data stakeholders; 3) Rules include defining and aligning manuals, policies, and procedures to support data-related activities, including compliance standards, business rules, data definitions, lineage, existing conflicts, and areas for improvement, among others; 4) Decision rights clearly define decision-making processes and responsibilities, ensuring that employees understand their roles in the data governance framework and the creation of metadata for data-related decisions; 5) Accountabilities ensure that the organization can perform and prove compliance with its operations and business activities, maintaining control and documenting each step. 6) Control refers to the idea that any existing data within an organization's environment is inherently at risk, whether in terms of quality, or security. Therefore, organizations must ensure that their framework encompasses a variety of controls—both preventive and detective, whether manual, IT-dependent, or automatic. These data-related controls allow for a more comprehensive overview and monitoring of all operational and business activities. Additionally, these controls can aid any external audit and compliance requirements; 7) A data stakeholder refers to an individual, or a group of individuals who could either be impacted by or influence any data and related decisions within the existing framework; 8) A data governance officer is a role focused on facilitating and defining data governance activities. This includes articulating and aligning roles and responsibilities with the organization's critical processes and formal procedures, as well as deploying data governance initiatives and programs, among other activities; 9) Data Stewards are data users responsible for ensuring that data follows particular pre-defined criteria: completeness, accuracy, and integrity, as well as reporting to a business role, or a data quality team. According to the DGI, one of the best approaches an organization could take is to establish a Data Stewardship Council, bringing together all data stewards across the organization to define, monitor, and enhance the data governance framework and its current procedures. McDowall (2017a, b) mentions that alongside the data steward, there should be a Technology Steward—an individual responsible for managing the technological IT requirements of the data owner, or user. This role is essential to ensure the segregation of duties and the administration of systems and data warehouses; Lastly, the DGI refers to 10) Proactive and Ongoing Data Governance Processes. This emphasizes that the data governance framework must not be static. Instead, it must be continuously maintained, monitored, and improved while establishing mechanisms and metrics to guarantee continuous data governance and quality.

According to Al-Ruithe et al. (2019), another important framework is the IBM data governance framework, which is composed of 14 elements derived from a software provider perspective. Those components are: Required – 1) Definition of a business problem; 2) Sourcing executive sponsorship and funding; 3) Evaluating the maturity status; 4) Developing a roadmap in order to increase its current maturity robustness; 5) Defining the organizational blueprint and data flows; 6) and 7) Defining and implementing a data dictionary, while acknowledging existing data; 8) Designing and implementing a repository to store details on existing metadata; 9) Building metrics to measure operational success. Bordey (2018) suggests that organizations use stories related to user operations to describe operational measures, i.e., numbers, or values that can be provided with context and address a given performance metric to ensure the operation's success; 10) Designating data stewards, managing data quality, and implementing a management strategy for master data. Optional elements – 11) Using analytics to support governance; 12) and 13) Managing and monitoring privacy and security elements, and how data flows within the organization's resources, including human and technological ones; 14) Measuring the results of each data governance program and its initiatives.

Equally important, Abraham et al. (2019) present a conceptual framework for this field, describing six dimensions it should encompass: i) governance mechanisms, which represent the structure, procedures, and relational activities within an organization. At this level, it is vital to define, implement, and align roles, responsibilities, and procedural mechanisms. Additionally, organizations must establish essential and robust tools such as a data strategy, policies, manuals, standards, processes, key performance indicators, monitoring mechanisms, and issue management methods to ensure compliance with applicable legislation. Harper (2020) suggests that the most robust quality metrics for data and information must encompass the following attributes: completeness (all information and fields are filled with no unjustified, or applicable missing elements); timeliness (data accessed is the most updated and covers the required period for the user); uniqueness (no duplicates, or wrong data exist within the data assets); accuracy (information in the data assets is correct and precise); consistency (data are presented in a manner that matches user expectations, including expected content and formats, such as dates in a date format, among others); validity (specific requirements, rules and standards are met); and lineage (the data's journey throughout the data assets and data stakeholders is documented from the initial acquisition of the data to final reporting and destruction). Additionally, the framework includes: ii) organizational scope, where the organization defines the extent of the data governance program; iii) data scope, identifying which data assets the organization intends to govern and monitor; iv) domain scope, which relates to the organization's capability to explore the data decision process, including the quality, security, lifecycle and storage of data used to support those decisions; v) antecedents, which comprise the contingency factors, both internal and external, that affect the organization's ability to establish a robust data governance framework; and, vi) consequences, which represent the effects generated by having this framework, including those related to performance, controls and risk assessments.

Similarly, Alhassan et al. (2016) describe a data governance framework in which five related concepts are considered: i) data principles, where organizations define the direction for the decision domain by setting requirements and internal rules for managing their data assets. In this Stage, it is important for organizations to recognize that there is no one-size-fits-all solution. As a result, the data governance principles and scope will depend on various factors, including dynamic data, system dependencies, and personnel, among other elements (Bordey, 2018); ii) data quality, which involves refining the foundations to ensure that data are acquired, transformed, stored and reported in a controlled, effective, and efficient manner; iii) metadata, and iv) data access, are domains in which organizations seek to establish data quality standards to ensure robust management. Bindley (2019) highlights the importance of maintaining data integrity, specifically consistency, accuracy, and completeness throughout the entire cycle, from the systems used to manage the data to the transformations and processes applied to the data. Bordey (2018) considers data profiling and quality essential for users to understand the data being used. This includes performing informative summaries and aggregations, as well as implementing controls and processes relevant to the subject matter. Similarly, metadata plays a crucial role in an organization's success in governing data because it corresponds to the information that the user has on the data, including business and technical documentation (Chakravorty, 2020). Finally, v) the data life cycle involves managing the entire journey of a data point—from acquisition, analysis, and production to storage, reporting, and eventual destruction—within an organization's data management workflow.

Beyond the frameworks discussed above, Demarquet (2016) suggests that any data governance program should include a set of mandatory topics, such as: i) a change management program and workflow capabilities, which ensure that changes to the system, processes, and data follow a pre-defined process that encompasses the segregation of duties, testing, functional analysis and evidence regarding the approvals throughout the process; and ii) versioning and audit trails, which are also essential for tracking the history of creations, modifications, and deletions, including identifying the changes and the individuals responsible for those actions. Audit trails should be configured and active at all times to prevent users from disabling this configuration (George et al., 2017; Koltay, 2016).

Additionally, Hay (2015) proposes a different approach to data governance by gamifying the framework—using game mechanisms to empower data governance initiatives. The author highlights several mechanisms on which a data governance program can be based, namely: i) fast feedback, where users receive immediate feedback from their activities and actions, such as earning points for contributing to data definitions, or stewarding data, and being penalized if they do not provide any contribution; ii) transparency, where data management is made available for everyone to understand, functioning like an open community; iii) goals, where data users and other data roles recognize both short- and long-term objectives, including individual and group goals, to foster data quality metrics, business rules, and other essential governance aspects; and iv) badges, which publicly showcase the achievements of data users and other data roles, rewarding individuals for reaching different levels of compliance within data governance. For instance, Hay (2015) considers that badges and levels allow users to demonstrate their achievements and level up both individually and as teams. This system of scoring and earning badges can effectively foster and ensure that organizational goals are met; v) onboarding, which ensures that whenever a business user, or any data role joins the organization's governance initiative, the individual is introduced to it and efficiently integrated from day one; vi) competition and collaboration among data users and other data roles are encouraged by allowing them to work towards common objectives while tracking their standings on a leaderboard. This approach continuously enhances the maturity of data governance within the organization (Hay, 2015).

Correspondingly, the literature consistently highlights the critical importance of data governance for organizations of all sizes, industries, and types, whether large or small and medium-sized enterprises (SMEs), and whether private or public (Okoro, 2021). Okoro points out that while large organizations often lead the way in data governance, SMEs are beginning to understand the value of data-driven strategies but have not yet fully embraced data governance practices (Okoro, 2021). Consequently, Okoro suggests that while SMEs tend to prioritize their data assets, the data governance community has largely overlooked these organizations. As a result, there is a significant need for a data governance framework tailored to the specific requirements of SMEs because a standard universal approach that works for larger organizations may not be suitable for all. Similarly, the size of an organization can present unique challenges regarding data governance practices because SMEs often face more significant constraints in terms of resources and expertise compared to larger companies. Nonetheless, data governance practices and a well-established framework can support organizations in managing their assets more effectively, preserving data quality, and complying with regulatory requirements (Okoro, 2021).

Moreover, recognizing this challenge, Okoro (2021) proposes a data governance framework tailored for SMEs. The key components of this framework include: i) data security and privacy, which involves prioritizing data privacy and security by ensuring that data collection is limited to the business operations requirements and disposing of it when it is no longer needed. To achieve this, the author recommends that organizations implement robust authentication mechanisms, controls, and classification schemes for data, and monitor their data architecture, including related procedures and policies; ii) data impact assessment, which involves assessing the degree of data anonymization to reduce risks and protect confidentiality, especially regarding the identification of a person. Additionally, assessments of the impact of data protection, such as Privacy Impact Assessments (PIAs) and General Data Protection Regulation (GDPR), can help organizations ensure the safety, compliance, and confidentiality of their data processing activities; iii) designation of a data review board, which involves establishing a board that includes experts in data science, legal compliance, and security. This board should address and analyze data governance subjects such as data storage, collections, and assets; iv) avoidance of unfairness or bias, where it is vital for organizations and data users to make conscious efforts to prevent bias and ensure fairness when collecting, analyzing, and using data to make decisions. The author suggests that data users should guarantee that the data collection process represents diverse populations and is free from any inherent biases that could potentially impact results and their implications; v) data governance, ethics, and GDPR, where organizations should align their data governance strategy with ethical guidelines and any relevant data protection regulation that impacts the context, ensuring that data processing activities are precise, fair and transparent. Organizations must set strong data protection measures and manage their data responsibilities to adhere to ethical and data governance standards (Okoro, 2021). Within this framework, we believe it provides a robust ground for SMEs to fully harness the potential of their data, focusing on components related to data protection, data quality, and data strategy.

Government institutions, both public and private, operate in a unique landscape when it comes to data governance. Unlike larger firms and SMEs, these institutions face distinct challenges that existing practices and frameworks do not fully address. The strategic value placed on data in government institutions often does not fully align with these frameworks, which are primarily designed for business operations and goals. This mismatch results in ineffective controls over crucial data governance processes, such as data collection, processing, analysis, and reporting (Mao et al., 2021). To address this, the authors explored and developed a new data governance concept for these institutions, called the Data Middle Platform concept. This concept consists of a framework designed to address the complex context of government institutions by centralizing data management and supporting cross-departmental integrations. The concept is presented with key components including: i) service empowerment objectives, which focus on defining the data governance framework in a public context by protecting and enhancing data management capacities, especially for sensitive data, to develop robust public service capabilities. To achieve this, these institutions need to form strategies based on their public service goals and explore their ability to manage cross-relationships, namely across different levels, systems, and departments; ii) defining roles through structure, which pertains to how institutions should delineate roles and responsibilities across their levels, including the foreground, the middle platform, and the background. The author considers the foreground to represent public service access points used as dynamic interfaces where citizens interact with the governmental institution, requiring constant updates to meet public needs. In contrast, the background relates to the administrative departments and the layer encompassing decision-makers, including data governance leaders and councils, who are responsible for planning, strategy development, and resource coordination.

To connect these two components, a middle platform serves as a bridge between the foreground and the background, enabling collaboration between them. This platform also includes key roles within data governance practices, such as: data stewardship, which is responsible for ensuring data quality and compliance with policies; a Chief Data Officer (CDO), who oversees the overall data governance framework and strategy; a Chief Information Officer (CIO), who is responsible for the IT infrastructure; and a Chief Service Officer (CSO), who ensures that data-related initiatives positively impact public services. The platform is also responsible for: iii) defining and implementing procedures, including policies and standards. These procedures include mechanisms that support the decision-making process, data ownership lists, data governance and quality policies, procedures and standards, security protection guidelines and techniques to appraise and assess the effectiveness of the data governance framework and strategy; iv) openness through communication and sharing, which involves constructing and communicating a shared awareness of the data governance framework among stakeholders. It also ensures the facilitation of interagency data sharing (IDS) for collaboration and cooperation, as well as open government data (OGD) to promote the public use of data and thus enhance transparency; v) monitoring and control to ensure compliance, through which institutions must define and implement data security protection mechanisms, including personal data privacy protection, security audits, and supervision. Additionally, institutions must assess data quality, including accuracy, integrity, consistency and timeliness, using indicators and metrics as outlined by the International Organization for Standardization (2008); vi) execution of the data management life cycle, where the data governance framework must oversee and govern the entire data management life cycle. This includes activities such as data collection (the process of gathering data from various departments, citizens, and other internal and external sources), processing (activities to transform, clean, join, and plan data to ensure its quality), analysis (the process that allows for the visualization and reporting of data to make it insightful and accessible), and capitalization, i.e., activities performed to manage metadata and continuously monitor data flows (Mao et al., 2021).

Additionally, considering the importance of Industry 4.0, it is crucial to examine the potential benefits of a data governance framework that addresses precise specifications, functionalities, and requirements. This framework should particularly focus on challenges unique to the industrial environment, such as its distinct context and characteristics, inter-company collaboration and its silos, compliance with laws and regulations, and adherence to third-party service levels agreements (SLAs). With this in mind, Zorrilla and Yebenes (2022) propose a data governance system framework where data and data governance form the core of the architecture. This framework is based on three key principles: i) Data-as-a-Service (DaaS), ii) Monitoring-as-a-Service (MaaS) and iii) Platform-as-a-Service (PaaS). The data governance framework for Industry 4.0, proposed by the authors, includes several components: a maturity model, a method for architecture development, a standards information base, a reference architecture, a content metamodel, and a reference model establishing a set of Architecture Building Blocks (ABBs). In line with the framework's reference architecture, the authors draw on international standards and their iterations to define the Reference Model ABBs. For example, they incorporate i) an iteration of the TOGAF® Standard v9.2 framework, in which the authors introduced a new entity called “Policy.” This standard provides a framework for enterprise architecture, offering a structured approach for the organization and governance of technology, business processes, and data. It also incorporates the ISO/IEC/IEEE 42010:2011 standard, which establishes guidelines for the characterization and description of systems and software architectures, ensuring consistency and comprehensiveness; iii) an iteration of the Reusable Asset Specification standard, which defines each of the Architecture Building Blocks into different classes. These classes include: the asset (Name, ID, and Description); the profile (asset type and its lineage): classification (allowing the blocks to be managed in a repository); usage (detailing the set of activities performed within the asset); related-asset (relationships with other blocks); solution (Solution Building Blocks to be deployed within the governance framework); requirement; and architecture-description.

Considering the standards utilized, the authors developed two distinct ABBs. The first ABB is related to architecture principles, where data governance principles are defined, listed in a repository, and managed. This ABB encompasses essential organizational aspects, including requirements, mission, vision, strategy, goals, data governance bodies, and roles. The second ABB relates to policies and standards, including governance and stewardship. It encompasses the organization's critical data governance activities, such as compliance with standards, regulations, and established guidelines, as well as the definition of performance monitoring indicators.

Considering the frameworks discussed above, it is evident that organizations must align their data governance framework with comprehensive international standards that provide essential guidelines for data governance and quality. The International Organization for Standardization (ISO) has produced key principles that organizations can integrate into their data governance practices. Among these, three particularly relevant and complementary standards are: i) ISO/IEC Standard 25012:2008; ii) ISO/IEC 38505-1:2017; and iii) ISO/IEC TR 38505-2:2018. These standards establish critical components for effective data governance and quality management. ISO/IEC 25012 defines a detailed model for data quality, emphasizing the key attributes and features that management should analyze to improve data quality. ISO/IEC 38505-1 provides a framework for organizations to ensure effective data governance and emphasizes the need for a data accountability map and its key attributes. Finally, ISO/IEC TR 38505-2 discusses the implications for governing bodies to consider data accountability and management requirements. It details how governing bodies should develop a set of policies and procedures for data use, ensuring alignment with the organization's overall vision, mission, and objectives (International Organization for Standardization, 2008, 2017, 2018).

In line with this, ISO/IEC 25012, recognized by the International Organization for Standardization, plays a pivotal role in data governance, particularly concerning data quality. This standard provides a detailed model and principles for evaluating data quality, leveraging the data life cycle, which is often longer than the software life cycle (International Organization for Standardization, 2008; Rafique et al., 2012). This model focuses on data stored in computer systems in a structured format and aims to label and assess data quality requirements throughout the processes of producing, acquiring, and integrating data. It also helps identify criteria to ensure data quality, with a focus on assessment and continuous improvement. Additionally, it validates data compliance with current laws, regulations, and data quality requirements (International Organization for Standardization, 2008).

This standard asserts that data quality can only be assessed using a predefined data quality model, designed to guide the evaluation and continuous improvement of data quality while ensuring compliance with current laws, regulations, and requirements. Accordingly, ISO/IEC 25012 provides a model composed of fifteen different characteristics, including accuracy, consistency, timeliness, and completeness. This model is divided into two perspectives: i) an inherent perspective, representing the extent to which the intrinsic features of data meet stated and implied needs under predefined conditions. It considers factors such as the data domain, its relationships, restrictions, and metadata; and ii) a system-dependent perspective, corresponding to how effectively data quality is achieved and maintained within a computer system environment. It includes aspects such as hardware technology (ensuring data availability and required precision), a computer system software (providing backup for correct data recovery) and other software that ensures data migration and portability (International Organization for Standardization, 2008; Rafique et al., 2012).

Moreover, this standard identifies five specific inherent data quality characteristics, which include the following: i) accuracy, described as the degree to which data values correctly represent the actual value of a given concept. This characteristic measures the difference between the correct value and the value used; ii) completeness, associated with the data quality feature that ensures an organization has values for all expected attributes; iii) consistency, where data are expected to be free from any illogicality and must be coherent within their context of use, iv) credibility, which pertains to the authenticity and believability of data in their context of use; and v) currentness, where data correspond to the appropriate age and intended period of use (Haug, 2021; International Organization for Standardization, 2008). Similarly, the standard identifies three specific data quality characteristics related to the system-dependent point of view, including: i) availability, which ensures that data are only retrieved by appropriate and authorized users within their context of use; ii) portability, which refers to the ability of data to be shared, substituted, or integrated between different systems while maintaining quality; and iii) recoverability, which corresponds to the capacity to recover and preserve data and quality in the event of failure, data loss, or corruption.

ISO/IEC 25012 outlines a total of seven additional data quality characteristics that are common to both points of view: i) accessibility, which relates to the ease with which data can be retrieved and accessed by users; ii) compliance, where organizations ensure that their data adhere to relevant standards, policies, or regulations that are currently in place, iii) confidentiality, which ensures that data are protected from unauthorized and inappropriate access, maintaining privacy; iv) efficiency, which measures how well data processing optimizes the use of necessary resources; v) precision, which refers to the exactness of data, including the ability to be distinguished in their context of use, vi) traceability, where an organization's data contains audit trail characteristics to track the data's history, origin and lineage; and vii) understandability, which refers to the ability of users to easily read, interpret, and comprehend the meaning of data in their context of use (Calabrese et al., 2020; International Organization for Standardization, 2008; Rafique et al., 2012).

Based on the principles established by ISO/IEC 25012, the International Organization for Standardization recognized the urgent need for organizations to define the requirements and responsibilities of their governing bodies to ensure that their flood of data is continuously directed, evaluated, and monitored (International Organization for Standardization, 2017). Consequently, the ISO/IEC 38505-1:2017 standard was established in 2017. It provides principles and guidelines to support an organization's governing body—including data owners, directors, partners and managers, and others—in managing and governing data to maximize value (Sothilingam et al., 2021).

Accordingly, this standard stipulates that an organization's governing body must ensure its responsibilities regarding data governance. This body is accountable for managing data and ensuring compliance with obligations to both internal and external stakeholders. As a result, the standard emphasizes that the governing body should adopt a model based on three principles: Evaluate, Direct, and Supervise. These principles encompass the following activities: i) oversee and define a data governance framework that aligns with the organization's level of data dependency and allows for the evaluation of current and future data use; ii) clearly define the importance of data in achieving the organization's objectives and overall strategy, including the potential benefits and risks associated with its data; iii) direct the preparation and establishment of strategies, policies, and procedures to ensure that the data meet business objectives and establish a subcommittee to support the governing body in its overall activities, particularly from a strategic point of view; and iv) monitor and assess the overall effectiveness of the data governance and management framework, including the pursuit of maturity and conduct independent audits (International Organization for Standardization, 2017; Serrano & Zorrilla, 2021).

Additionally, ISO/IEC 38505-1:2017 defines a model for supporting an organization's data accountability through a mapping diagram. This model links the governing body's activities with the data management life cycle, including data creation, storage, processing, archiving, and deletion. The data accountability model encompasses the following activities: 1) collect, which focuses on acquiring, gathering, and creating data. This includes data entry into an Enterprise Resource Planning (ERP) system, transactions between and from other systems, sensors, reports, and subscriptions to data feeds. The process should also consider past decisions and the internal and external context. In this model, the governing body should determine how the organization will use or monetize data to achieve its strategic objectives; ii) store, which ensures the proper location and storage of data, whether physical or logical. In the store activity, the governing body should approve policies and procedures for allocating resources for data storage and subscriptions; iii) report, where organizations oversee the extraction, examination, and reporting of their data, either manually, or automatically, to support decision-making. In the report step, the governing body should guide managers in using the appropriate tools to maximize the total value of data; iv) decide, which involves making decisions based on the analysis and investigations of reports by both people and automated systems. In the decide step, the governing body should ensure that a data-driven culture is established and aligned with the organization's data strategy and expected behaviors; v) distribute, which refers to how the reported activity flows within an organization's internal and external environments. In this step, the governing body should define and implement a data distribution policy aligned with the organization's strategic plan; and vi) dispose, which focuses on identifying data that is ready for disposal during the reporting activity, followed by permanent destruction. In this activity, the governing body must ensure that approved policies and procedures for data disposal are followed for data that is no longer valid or maintainable (International Organization for Standardization, 2017).

After defining the data accountability map and the role of the governing body in managing it, the International Organization for Standardization introduced a technical report standard, known as ISO/IEC TR 38505-2. This standard provides detailed guidance on how the governing body should develop policies and procedures for data use, including activities within the data management lifecycle. These policies should be aligned with the organization's overall vision, mission, and objectives (International Organization for Standardization, 2018). This standard also connects with ISO/IEC 38505-1:2017 by emphasizing that, while the governing body is responsible for defining the data strategy and aligning it with the organization's overall structure and strategy, the management team is held accountable, within their delegated authority, for establishing and implementing these policies.

Furthermore, ISO/IEC TR 38505-2 defines a cascade mechanism for connecting business strategy to data management. In this mechanism, the governing body produces an informing policy in collaboration with management. This policy guides and influences the strategy, policies, processes, and controls to ensure alignment with the data strategy. It also ensures that reports are effective and that alerts are produced by controls.

Similarly, this standard establishes key areas that management should address within a data governance framework, including: i) the identification and definition of business activities and their needs, regulatory requirements, current gaps, and areas for improvement. This includes defining the roles of sponsors and stakeholders, as well as methodologies and approval processes for policy development; ii) the creation, revision, approval, and distribution of policies related to data and data governance; iii) the implementation of a mechanism to present and communicate policies, including the development of instructional activities to support the defined policies and ensure their operating efficacy and efficiency; iv) compliance monitoring with established policies and making necessary improvements, which includes conducting annual reviews and pursuing continuous improvements (International Organization for Standardization, 2018).

In response to Research Question 2 (RQ2) regarding the structure of a data governance model and its strategy, it is crucial that both roles and responsibilities related to data use and management are clearly defined, distinguished, and communicated within the organization (Jiya, 2021). In fact, Jiya (2021) notes that data ownership is often not straightforward, potentially involving shared or disputed responsibilities. According to Abraham et al. (2019), those in data governance roles must manage and supervise the framework or program on a day-to-day basis while ensuring coordination among the roles and responsibilities defined at the organizational level, including data owners, stewards, and users. Bennett (2017) expresses the growing prevalence of the Chief Data Officer (CDO) role in organizations. The CDO, the leader of data governance, is responsible for establishing and managing the data governance framework, ensuring that the firm's data assets are reliable, and that data quality is maintained throughout the data life cycle.

Moreover, Abraham et al. (2019) emphasize that roles such as data leadership, sponsor, data user, steward, and owner should be defined within an organization's structure, enabling reporting structures to facilitate and govern existing data assets. Understanding not just the existing roles within a data governance framework but also how they interact with daily operations is crucial. Data owners are typically operational executives responsible for managing the organization's data assets. They are accountable for reporting data requirements, risks, and existing controls (Abraham et al., 2019). In a RACI Matrix (Responsible, Accountable, Consulted, Informed), they are usually assigned the “Accountable” role, meaning they oversee and are answerable for specific activities (Clarke, 2019). The data steward role, on the other hand, usually represents the operational leader of a given operation who is considered an expert in a particular data asset. This role translates and maps business requirements of the data assets into technical specifications, including database design (Abraham et al., 2019; Clarke, 2019). In the RACI matrix, data stewards are typically “Responsible,” ensuring that rules and standards are enforced on the data and associated data sets (Clarke, 2019). Therefore, organizations must recognize that governance processes combining accountability with local empowerment can effectively support business operations and services (Gardner et al., 2018).

Moreover, at the lowest operational level of data governance, data producers and data users play crucial roles. Data producers are individuals who create, aggregate, and transform data generated by others. Data users, on the other hand, are the primary consumers of a specific data asset, typically using it for data-related reports (Abraham et al., 2019). In a RACI matrix, data producers are usually categorized as “Responsible,” often working under the direction of data owners or stewards. In contrast, data users are generally “Consulted” or “Informed” since they consume data content as customers and define what data they need and how they intend to use them (Clarke, 2019). Given these existing roles, organizations should establish committees or councils that facilitate hierarchical and cross-functional interaction, engaging data stewards with owners and users.

Additionally, Jiya (2021) emphasizes that the role of a Data Protection Officer (DPO) should be closely integrated with data governance, namely by providing expert knowledge on data protection issues, assessing incidents, and contributing to maintaining a robust data management system. Recent legislation, particularly the GDPR, has increased the focus on the importance of storing, using, and managing personal data, making it a major priority and concern in an organization's strategy and environment (Abraham et al., 2019). Furthermore, Dighe (2014) highlights that the growing demands for data governance are rapidly expanding, imposing challenges across various area and industries, including the financial and banking industries, where regulation has grown substantially.

Regarding the benefits of data governance (RQ2), Bennett (2015) argues that if an organization is capable of promoting and implementing a proper and effective governance framework, it can significantly enhance data quality and information across various areas of an organization. This improvement, in turn, ensures that data and information are available to the appropriate functions, particularly in supporting the decision-making process.

Similarly, enhanced data analytics and management can lead to increased revenue by developing new products or services and by creating synergies and efficiencies that may reduce costs. Improved data governance also allows organizations to better manage existing data, including more efficient retention criteria. According to Sifter (2017), the leading objective of data governance is to improve the sustainability and efficiency of an organization's operations by capitalizing on and delivering crucial business data while improving and strengthening the decision-making process.

In a survey examining the state of data governance across three different periods—based on responses from 91 respondents in 2014, 117 in 2011, and 119 in 2007—Russom (2015) found that by 2014, more organizations had implemented a data governance program than in 2007. The study also showed that data governance has continuously guided data-intense business initiatives, especially in areas like business intelligence, data privacy, and compliance, becoming increasingly important to organizations over time.

In response to Research Question 5 (RQ5), the literature highlights that different and intricate challenges in the field of data governance are becoming increasingly complex. These challenges include the companies’ ability to adapt to and sustain various realities and advances, as well as the difficulty leaders face in understanding the significance of this field and the risks associated with inadequate or unsuccessful practices (Bennett, 2015). Additionally, enterprises are increasingly focused on using technologies and their features as a service and tool to enhance competitiveness and support business operations (Bennett, 2015).

Given this context, companies are experiencing an increase in data points and silos—repositories of data that are held and managed by specific individuals or groups and are not readily accessible to others within the same company. This isolation of data can have a negative impact on businesses, making the implementation of a sound data governance program more crucial than ever (Johnston, 2016). Sifter (2017) states that corporations, particularly banks and financial institutions with larger employee bases, often develop data silos where different units or departments rely on and use separate data warehouses, data marts, sources, and systems. We believe this issue can be solved by defining and establishing a solid data governance program that integrates the company's culture, people, processes, and systems. To encourage value generation and manage risk and mitigation effectively, enterprises are urged to define and implement an efficient governance strategy and structure (Bennett, 2015; Chakravorty, 2020; Hoppszallern, 2015).

Similarly, challenges in data governance are becoming increasingly prevalent, especially given the continuous growth of data and the competitive pressure to utilize and manage data more effectively for businesses to gain a competitive edge (Paredes, 2016; Stratton, 2014). Table 7 presents the key challenges identified in the various studies analyzed related to data governance and quality, including the following:

In addition to these general challenges, Riggins and Klamm (2017) present specific issues related to data quality that organizations often face, including: i) duplicate data across systems and databases; ii) lack of timeliness, quality, appropriateness, completeness and integration of data; iii) non-existence and insufficient controls over data and data security; iv) data that is used but generates less important and valuable reports for the organization; and, v) data collection processes that are error-prone and inefficient (Chakravorty, 2020; Mansfield-Devine, 2017; Manus, 2019). In fact, innovation in data collection through various technologies and methods has driven the need for more robust data governance mechanisms (Milne & Brayne, 2020).

In addition to defining data governance, Bennett (2015) examines and reflects on the importance of information governance (IG) in an organization's overall business strategy. The author defines information governance as the combined application of processes, activities, and technologies that are implemented within an organization to maximize the value of existing information while mitigating associated risks and costs. Bennett (2015) claims that the unceasing rise of data and technological disruptions facing the world and its companies must be the key drivers of a robust information governance strategy and framework. Furthermore, the author claims that the effective and structured leadership of information governance and its framework are key to ensuring that appropriate strategies, procedures, policies, and processes are effectively embedded within an organization.

Bennett (2015) argues that the increasing volume of data that each organization is facing amplifies the risks that a proper information governance framework should address, such as privacy breaches in IT and communication systems, the costs associated with storage and retention policies regarding the ever-increasing data, legal and compliance risks, and cyber incidents. The author further argues that promoting and implementing an effective information governance framework will foster and improve data management and collaboration. This will, in turn, equip organizational leadership with quality data to support its decision-making and strategic planning (Bennett, 2015). Additionally, organizations will improve existing data management practices, including better and more efficient retention criteria.

In response to Research Question 4 (RQ4), understanding the concept of data assurance, its foundations, and its potential impact on the success of an enterprise's data governance is crucial for evaluating the importance and effectiveness of a data governance framework or program. This discipline addresses critical features of the framework for data management, including data quality, security, reliability, and monitoring (Dutta, 2016).

The literature indicates that organizations strive to enhance their governance, processes, and operations by leveraging artificial intelligence and its methods. Consequently, it is vital to recognize the different data domains within an organization. Typically, organizations contain two types of data domains, each presenting its own set of challenges and quality issues that may arise throughout the process flow (Dutta, 2016).

The first data domain is represented by data at rest, which refers to non-transactional data stored within a particular system, database, or data warehouse, not actively flowing through the organization. Examples of these domains include data within a CRM (Customer Relationship Management) system or an administration system, which serves as a primary source of input for other systems and databases (Dutta, 2016). Hassan and Chindamo (2017) describe data warehouses as technological tools that support business and reporting operations by acting as repositories for critical data assets and information, thus separating core operational and transactional systems from the processes of analyzing and reporting data. Common data warehouse technologies include Microsoft SQL, Oracle Database, and IBM dashDb (Hassan & Chindamo, 2017). However, Hay (2015) states that setting up a data warehouse is a complex and challenging process for any organization, regardless of its size and characteristics. This is mainly due to the organization's difficulty in ensuring their data assets are complete, accurate, and accessible (Hay, 2015). In fact, Mikalef et al. (2020) report that organizations struggle with data management due to siloed business units, making the data inaccessible and resulting in unclear definitions of the data assets, among other issues.

The second data domain corresponds to data in motion, which refers to data that is actively flowing and being exchanged or processed between two or more systems, databases, or data warehouses. This is commonly known as transactional data (Dutta, 2016).

When considering business analytics—a set of tools and techniques that organizations and individuals use to examine and analyze data—three types of business analytics techniques and components can be identified. The first corresponds to descriptive analytics, which aims to answer the question of what has happened or is currently happening (Riggins & Klamm, 2017). Tools such as business reporting, dashboards, scorecards, and data warehousing are commonly used in this approach. The second technique is predictive analytics, where the focus is on understanding and forecasting what will happen and why by using tools and methods like data mining, web and media mining, text mining, and forecasting (Riggins & Klamm, 2017). The third approach is prescriptive analytics, which seeks to determine what should be done and why, using activities such as optimization, business and decision modeling, and simulations (Riggins & Klamm, 2017). The summary of this taxonomy can be seen in Fig. 14.

Fig. 14.

Business analytics taxonomy. Adapted from Riggins and Klamm (2017).

(0.01MB).

Furthermore, data assurance involves various dimensions, from data quality and reliability to lifecycle and security. Understanding the implications of these areas in the data assurance field is crucial because they can significantly impact the effectiveness of a data governance program. Wang and Strong (1996) identified key data features—accuracy, consistency, completeness, cut-off (timeliness), availability, and relevance—as essential to overall data quality and that companies should address.

Recent literature demonstrates that, despite the dependence of data quality on the internal and external quality of its sources, the fundamental concepts of data quality have remained consistent over time. Data quality is defined as the ability of data to meet the implied needs of the user whenever required (Taleb et al., 2021). According to these authors, these dimensions and assurance assertions can be categorized as follows: 1) Accuracy—the degree to which data correctly represents the aspect that it aims to describe and characterize; 2) Consistency—the uniformity of the data across its lifecycle, systems, and sources, from the moment it enters the organization until it is stored, reported, or destroyed; 3) Completeness—the alignment and reconciliation of data with all required data elements for a given purpose; 4) Cut-off/Timeliness and Availability—ensuring data are available whenever required and up-to-date for the specific time it is being used; 5) Relevance—ensuring that the data being used and required are applicable and useful for a given context and intent (Taleb et al., 2021; Wang & Strong, 1996).

Data assurance aims to ensure that data are continuously monitored, maintained, and improved in quality within the data governance framework by leveraging different practices such as: i) data profiling, which is the process of scrutinizing data from various sources, both internal and external, to gain a thorough understanding of the data, and quality features, such as completeness, timeliness, and consistency. This involves techniques like statistical analysis, data visualization, and data mining to identify anomalies, patterns, and trends (Naumann, 2014); ii) data cleansing, also known as data scrubbing or cleaning, corresponds to a technique that detects and solves any issues or errors, inconsistencies, and inaccuracies in data. It also ensures that data formats are standardized, and duplicates and blanks are analyzed and treated using techniques such as statistical and descriptive statistics, algorithms, regular expressions, and machine learning models. This process is crucial for accurate analysis and reporting, ensuring that correct and standardized taxonomies are applied (Ridzuan & Wan Zainon, 2019); iii) data validation is a method certifying that data are precise, correct, and reliable throughout the lifecycle, while adhering to predefined business rules and standards. The goal is to identify and correct errors or imprecisions that may occur in data before being analyzed and reported.

Various techniques can be employed in the verification and validation of data to enhance quality and the success of a data governance program. These techniques include: i) field and format, which is the process of validating necessary fields against their expected data type, range of values, types and formats (e.g., ensuring dates are in date format and numbers in numeric format); ii) cross-field validation, ensuring that the relationships between different data, including data from different systems and repositories, are consistent and match with reality; iii) validation of data reference and source, which involves mapping data to pre-established business rules and standards, such as comparing a fiscal number or postal code to the country's valid taxonomy; iv) range and pattern analysis, which entails analyzing data to check whether it falls within defined thresholds, or follows expected patterns (Sohrabi et al., 2022); and v) data monitoring, which involves continuously evaluating, measuring, and reporting on data quality and errors. This process monitors adherence to defined quality standards, business rules, and objectives, aiming to identify any issues as early as possible for a timely and proactive response.

For this dimension, techniques such as those described can allow for effective data monitoring, profiling, cleaning, and validation. However, there are additional techniques, including data auditing to ensure that repositories where the data are stored align with business and regulatory rules and standards. Statistical analysis, which includes pattern and trend identification as well as outlier analysis, is also crucial. Other important techniques include data lineage analysis, where organizations formalize and describe the traceability of a data point from its origin (the moment data enters an organization) to its final stage (when data are destroyed, stored and reported), identifying all the steps that the data point passes through within the organization's systems. Lastly, data visualization techniques allow organizations to visually structure the data they intend to represent, enabling traceability, trend detection, and identification of potential issues (Ehrlinger & Wöß, 2022).

Considering this, we can highlight data assurance as an integral part of the data governance field, ensuring data quality and overall data management while ultimately driving better decision-making and reporting processes.

It is essential to consider Research Question 4 (RQ4) when discussing the importance of data assurance and data governance. Consequently, identifying potential trends in these areas where enterprises can play a role is vital. Firstly, there is a potential relationship between data assurance, artificial intelligence, and machine learning techniques. According to Gandomi and Haider (2015), these two techniques are increasingly being integrated into data governance frameworks, helping organizations automate their data assurance processes, including data profiling, cleansing, validation, and monitoring. They also assist in identifying events, patterns, and trends that may positively or negatively impact downstream processes. Secondly, with data assurance comes the importance of defining and implementing stewardship regarding data ownership, management, and its ethical and responsible use (Borgman, 2018). Data assurance can potentially foster an organization's data stewardship by ensuring that clear roles and responsibilities for governing data are defined and implemented. It also raises awareness of the ethical, accountable, and transparent handling of their data and assets. Thirdly, data assurance not only strengthens a more robust management of data quality but also enables more controlled, transparent, and secure sharing of data among an organization's sectors, stakeholders, subsidiaries, and external partners. These practices aim to ensure that data validation and monitoring are effectively implemented, thereby maintaining the quality standards described earlier (Gandomi & Haider, 2015). Lastly, a key trend closely related to data assurance and governance is the FAIR data principles, which emphasize the importance of ensuring that an organization's data are Fair: (F) findable, (A) accessible, (I) interoperable and (R) reusable (Wilkinson et al., 2016). By adopting these principles, organizations can create a more reliable and high-quality data environment, which in turn supports better decision-making, enhances collaboration, and improves reporting standards.

The first principle, Findable, ensures that data are always easily identifiable for any user who needs them. To achieve this, data should have a unique and permanent identifier and be accompanied by metadata to inform the user of the context, definition, characteristics, content, and source (Wilkinson et al., 2016). The second principle focuses on data availability and accessibility, ensuring that data can be accessed immediately when required. Organizations must ensure that their storage capacity is sufficient to accommodate all their data and that it is available in a way that is both accessible and system readable. The third principle emphasizes date interoperability, reinforcing the need for data to be integrated into tools and systems and used alongside other data. To facilitate this, organizations must store data in formats that adhere to business rules and standards, while ensuring that appropriate documentation and metadata are defined. Finally, the fourth principle focuses on the reusability of data, ensuring that data are available for reuse and can be analyzed multiple times as needed. Therefore, organizations must ensure that their resources are adequate, readily available, and appropriate to meet users’ demands (Wilkinson et al., 2016).

All things considered, it is evident that the trends affecting data assurance significantly impact an organization's ability to lead and manage a successful governance program. As data volumes and complexity increase, ensuring effective data assurance becomes a top priority remains a significant challenge. According to Dama (2017), emerging trends in data assurance and governance reflect the ongoing evolution and growth in these fields. By effectively addressing these trends, organizations can enhance data quality, leading to better decision-making, improved management of data assets, and greater transparency among stakeholders.

In response to Research Question 3 (RQ3), after recognizing the importance of trends in data assurance, it is crucial to address one of the biggest challenges in data governance and assurance: assessing the maturity level of a firm's data governance environment. This assessment involves evaluating the company's performance across key data governance dimensions, including policies, procedures, standards, roles and responsibilities, and other relevant aspects. As noted by R et al. (2024), a data governance program should not be treated as a one-time project but as an ongoing, continuous practice that requires sustained effort and commitment from organizations in defining, implementing, and regularly reviewing their data governance maturity level. Many organizations lack a clear and comprehensive data governance framework, particularly since there is no universal framework standard. Even those that do have one often fail to perform continuous monitoring to ensure that its maturity aligns with the expected level (Dama, 2017).

Similarly, with the recent growth in the importance and impact of data governance, this discipline has become a crucial element in determining an organization's success and its ability to meet or exceed market demands. This is especially true as data evolves into an asset that plays a key role in decision-making, modernization, and gaining a competitive advantage (Weber et al., 2012).

To address this gap, the literature has presented several data governance frameworks to help manage data as an organizational resource. These frameworks define data strategies, policies, and procedures, and promote the establishment of data stewardship within the organization's processes (Weber et al., 2009). However, it is not enough for organizations to simply define and implement a data governance model. They must view this process as an ongoing cycle of continuous monitoring and maturity assessment to foster organizational improvement and evolution. Consequently, maturity assessment models have been developed to evaluate the effectiveness and current status of these frameworks, helping organizations understand where they were, where they are, and where they aim to be in the future. These models enable organizations to stay aligned with best practices and maintain a continuous and effective data governance framework (Otto, 2011).

Subsequently, it is crucial to examine the relationship between frameworks and maturity models, as well as analyze and compare different maturity models for data governance, including their foundations, applicability, and challenges. In fact, Otto (2011) states that many data governance maturity models in the literature (also presented in this paper), are essentially “checklists” that have no practical application and lack support for diverse business contexts (Otto, 2011, p. 49). Similarly, Belghith et al. (2021) argue that no single model can meet all the requirements and characteristics of a given organization. Therefore, it is important for the community to understand the different models and their key components.

All things considered, it is fundamental to establish a data governance framework, monitor it, and periodically assess its maturity level. McDowall (2017a, b) presents a data maturity model composed of five different levels. These levels are: 1) Performed (lowest maturity), 2) Managed, 3) Defined, 4) Measured, and 5) Optimized (highest maturity). At the Performed level, the company's processes are ad-hoc and reactive, with no formal data governance initiatives or maintenance. At the Managed level, processes are more planned and executed according to documented procedures, with some level of process monitoring and involvement of relevant stakeholders. At the Defined level, the organization's processes are consistently employed in alignment with robust, established procedures. The organization has a mature understanding of managing data and perceives it as a unique asset. At the Measured level, organizations can measure their performance using metrics related to processes and data, conduct analyses and predictions, and safeguard the quality of the data lifecycle. At the highest level, Optimized, organizations continuously improve their processes, create synergies, and share best practices across their industry. Here, data are viewed as critical for surviving in a dynamic and competitive market (McDowall, 2017a, b).

In 2007, IBM introduced a maturity model named the Data Governance Maturity Model (DGMM), designed to provide organizations with a technique to assess their data governance capabilities and status while identifying critical areas for improvement (Belghith et al., 2021; Firican, 2018). This framework outlines five different levels of data governance maturity, including: i) Initial, ii) Managed, iii) Defined, iv) Quantitatively Managed, and iv) Optimizing. Each level builds on the previous one, aiming to establish a sustainable and continuous data governance framework that is integrated into the organization's processes and decision-making culture. The first level, Initial, indicates an informal, reactive, and inconsistent data governance status. At this level, data ownership is typically unstructured, and data quality is often poor or not assured. It also represents a level where the organization may lack formalization or documentation, with little understanding of its data assets and management. At the second level, Managed, organizations demonstrate significant improvement from their initial stage. Regarding their data governance framework, some practices are documented, and data ownership is defined, though some processes may still be reactive. At this level, the organization recognizes the value of data, and data projects may be in development or implementation. There is also a modest degree of automation, such as batch processing or job routines.

The third level, Defined, marks a cultural shift within the organization where data governance is managed proactively rather than reactively. At this level, data governance procedures and practices are formalized, focusing on compliance and risk management through the organization's processes. Data stewards are appointed and identified, even if their roles may not yet be fully developed, and data quality risk assessments are in place. At the fourth level, Quantitatively Managed, the data governance program is fully integrated into the organization's processes and driven by strategic business objectives while supporting the decision-making process. At this level, the organization focuses on continuous, systematic monitoring and measurement of its data governance effectiveness. The emphasis is on identifying and resolving data issues before they impact business processes and activities, including the use of predictive models to analyze and prevent future data-related events. Lastly, the final level of the IBM framework is Optimizing, where data governance is viewed as a competitive advantage. The organization's culture is data-driven, and data are integral to decision-making processes and achieving strategic goals. Organizations at this level allocate resources to continuously seek improvements and leverage data to drive innovation and growth (Belghith et al., 2021; Firican, 2018). This framework helps organizations evaluate their data governance capabilities and develop a roadmap to enhance the current state of their maturity. As a result, it is particularly useful for organizations with more mature data governance programs (Belghith et al., 2021; Firican, 2018).

Moreover, Zorrilla and Yebenes (2022) propose a data governance maturity model to help organizations assess their current state, capabilities, and framework. This model provides a roadmap for continuous improvement and enhanced maturity in this area. It includes five levels of maturity, each with a detailed description of its meaning and impact. Also, it offers a perspective on positioning data governance maturity within the organizational environment.

According to the maturity model provided by Zorrilla and Yebenes (2022), organizations can be categorized into five different maturity levels: Level 1) Initial (Ad Hoc) is where organizations are considered to be at a foundational stage with primitive, disorganized, and uncoordinated data governance practices. Data governance is not applied consistently across the organization, horizontally and vertically, and its functions are often limited to individual projects with ad-hoc ownership and stewardship responsibilities; Level 2) Managed, is where data governance practices are planned and carried out according to company policies. Processes are tracked and assessed, and there is growing recognition of the importance of data governance. Some degree of automation is required, and awareness is increasing. Level 3) Defined, is where data governance standards and practices are applied uniformly across the organization and are customized to meet specific requirements using integrated technologies. This allows for the automation of data management activities; Level 4) Measured, is where metrics are established and applied to assess data governance processes. Statistical and data mining tools are used to process performance and lifespan; Level 5) Optimized, is the highest level of maturity that involves constant use of performance indicators to evaluate and improve the company's processes. The organization has implemented and shared the industry's best practices, and data are vital to maintaining a competitive edge.

This science corresponds to a branch of forensic science and represents the part of this field that focuses on the digital domain. According to Valdez (2018), forensic science applies scientific principles and legal procedures to solve queries or crimes. It is an emerging field with numerous possibilities for application. For instance, forensic science encompasses a range of fields and applications, including digital forensics, accounting, toxicology, odontology, and criminal investigation. It also provides valuable methodologies and techniques that can be applied beyond the field of forensic science itself (Valdez, 2018). Moreover, digital forensics, formerly known as computer forensics, involves the analysis of all electronic devices, including computers, cell phones, printers, and cloud-based systems, as well as documents, email, and malware. This field encompasses the process of analyzing digital evidence to draw conclusions, or make inferences that can support analyses, findings, or investigations. The process involves gathering, preserving, analyzing, and reporting on digital evidence to achieve specific goals. While traditionally used to assist in legal investigations, digital forensics also supports organizational analysis, data assurance, and governance practices (Casino et al., 2022).

Nonetheless, forensic science, including digital forensics, was traditionally perceived as a set of methodologies designed to prove someone's innocence or guilt. However, the primary purpose of digital forensics is to present factual evidence obtained through the analysis of electronic devices (Valdez, 2018). In digital forensics, it is crucial for investigators to properly guard, label and document each piece of evidence, ensuring a clear chain of custody. This concept involves logging and tracking the whereabouts of all the evidence obtained to ensure that legal requirements are met (Valdez, 2018). Additionally, in digital forensics, investigators must not work with the original evidence directly. Instead, they must create and work with a forensic copy, which is an exact replica of the original file (Valdez, 2018).

Within the field of digital forensics, various models and methodologies are used to conduct investigations. We believe that understanding this science and putting it into practice can help enhance data governance and quality. As Valdez (2018) notes, forensic professionals never stop learning as technology continues to innovate and evolve, and the same applies to data governance and quality, which evolve with each organization's unique context. One methodology in digital forensics involves eight steps, illustrated in Fig. 15 (Valdez, 2018). This approach mainly focuses on applying digital forensics to solve a given crime but can also be extrapolated to other activities and methodologies. Step 1 involves responding to an event that requires digital forensics expertise, such as a crime, and necessitates a search warrant to legally support the investigator's presence at the crime scene (Valdez, 2018). Step 2, already at the crime scene, the digital investigator focuses on securing the scene and protecting any evidence present. To ensure proper documentation, the investigator must photograph, or videotape all the evidence, label it, and assign a number to ensure that the records are accurately and safely registered and maintained. In Step 3, the digital investigator identifies and extracts digital devices, creating forensic replicas of the original data on the devices. These images are then validated using hash values (Valdez, 2018). Step 4 involves preparing and packaging the evidence for transfer to the investigator's laboratory or a forensics-prepared site. In Step 5, the investigator selects appropriate methodologies and techniques for the forensic analysis, examines the forensic images, documents each step of the analysis, and records all the results obtained (Valdez, 2018). In Step 6, the investigator ensures that all analyses and data are formally documented to support the conclusions drawn in Step 7, which involves preparing a report with these conclusions. The final step is the submission and presentation of the findings to legal bodies, such as the court, if necessary (Valdez, 2018).

Fig. 15.

Digital forensics methodology. Adapted from Valdez (2018).

(0.07MB).

Moreover, Casino et al. (2022) outline the main steps that are typically performed within a digital forensics model. The process begins with the Identification phase, where the analyst establishes the context and objectives of the analysis. During this phase, the analyst also determines all the required resources, including relevant policies, procedures, areas, and personnel. Following this, the analyst proceeds to the Collection and Acquisition stage. The primary goal here is to gather digital evidence while ensuring its safety and integrity so that it cannot be tampered with. Once the evidence is preserved and safeguarded, the analyst moves on to the Analysis phase. In this phase, various techniques, tools, and methods are employed to obtain the desired outcomes. Stages 4 and 5 involve Reporting, Discovery, and Disposal. At this point, the analyst consolidates the analysis and its outcomes, thoroughly documenting the procedures and steps taken. A comprehensive presentation of the outcomes is then prepared, which can be disclosed to various parties, including internal stakeholders, external parties, regulators, or the courts. Finally, while presenting the results, the analyst must ensure that all the work performed is properly stored for future reference, or inspections (Casino et al., 2022).

Additionally, the National Institute of Standards and Technology (NIST) recognizes forensic science as a process consisting of four primary phases: i) Collection, where the analyst identifies, labels, registers, and stores all relevant digital evidence from various sources, whether internal or external. Throughout this process it is crucial to ensure that the data remain unchanged and preserved at every stage; ii) Examination, where the analyst processes the data acquired in the previous stage. This involves performing automated, semi-automated and manual extractions, and assessing the quality of these extractions; iii) Analysis, where the analyst applies various methods to retrieve findings or outcomes that address the organization's concerns. It is essential that all methods used are legally compliant and properly performed; and iv) Reporting, where the analyst compiles the outcomes of the analysis into a presentation or report. This report details the findings and outlines all the steps taken in the previous stages, ensuring the traceability and auditability of the work (Kent et al., 2006).

Accordingly, these authors emphasize the importance of organizations ensuring that the data, models, and techniques used in the digital forensics process are consistent, traceable, authenticated, verifiable, and secure. Similar to the objectives of data assurance, these features aim to ensure that data are properly controlled, managed and accurately used in any analysis, decision-making, and reporting process, thereby enhancing the effectiveness and quality of a governance framework.

This is achieved by ensuring that the data and techniques applied are: i) consistent, where organizations ensure that data have not been modified during collection, so the original state is accurately represented; ii) traceable, where organizations maintain a record of all systems and flows through which data have passed, understanding all transformations and events related to that specific data, from entry into the organization until they are destroyed, reported and stored; iii) authenticated, verifiable and secure, where organizations ensure that the data provided are securely available, have not been manipulated, and are unique to the relevant business rules and processes.

Furthermore, they guarantee that only authorized individuals can access the data (Casino et al., 2022; Kent et al., 2006; Valdez, 2018).