Welcome! GovernYourData.com is an open peer-to-peer community of data governance practitioners, evangelists, thought leaders, bloggers, analysts and vendors.
The goal of this community is to share best practices, methodologies, frameworks, education, and other tools to help data governance leaders succeed in their efforts.
Perhaps I am a stickler for this with my Lean background, but to me every Business Opportunity or Business Driver should have a measurable and monitor-able positive business impact. Even extra time we take to create re-usable artifacts should be measured to insure that they eventually pay off (or at least most of them do - we need to be allowed to "fail fast", as well). So while it is easy to think of measure for cost reduction, revenue generation, even improved agility (lead-times and first-time through percentages), other Business Drivers can prove trickier. Is the motivation for modernization "agility", "cost reduction", both, or something else? Are we looking to measure GRC in terms of efficiency (ie, lower cost and higher speed)?
As I've been doing the Business Opportunity Assessment, I've been putting the metrics I'd use to measure the continual improvement of the governance of data important to this opportunity in the Description section. What do others think?
There is certainly some food for thought in what you propose. I think there are some pretty big things you can do with your colleague data. For example, as colleagues move throughout an organisation, they acquire mainframe/mid-range access, LAN drives, all kinds of things. Very few organisations think to reduce their access if they move from one department to another. If you can get MI from your IS security, you can create a metric based on role and levels of access. Call it 'role' or 'zone' purity.
Commercial opportunity/cost reduction/agility are all great, but how about cost of risk measurement and mitigation activities in alignment with perceived corporate exposure to risk? As a governance tool, this can really focus minds on balancing expenditure on risk and reward.
Wasn't there a great TED discussion on "Trust is the new Currency"? I love your idea - increasing governance and compliance has a improved quality impact that can be measured, and measuring access and security reduces risk (and allows us all to sleep better) which is measurable as well. In other words, even things that don't seem measurable are actually measurable and have business impacts and that's where, IMHO, everything should start. As you say, "this can really focus minds" in an area where it's all too easy to proceed un-focused.
As Lord Kelvin once said, "When you can measure what you are speaking about, and express it in numbers, you know something about it." One book I would encourage anyone who is struggling with data governance metrics is How to Measure Anything: Finding The Value of "Intangibles" In Business by Douglas Hubbard.