Alter Everything

A podcast about data science and analytics culture.
Episode Guide

Interested in a specific topic or guest? Check out the guide for a list of all our episodes!

Alteryx Alumni (Retired)

Is the thought of an audit akin to the end of the world? Alteryx colleagues Philipp Maier and Adam Blacke put your fears at ease with their tips for how to get through your audit, and how to vacation-proof your workflow with a solid governance strategy.








Ep 127_Youtube Double.png




Episode Transcription


MEGAN: 00:02 

Let's say you inherit a workflow from your coworker and then they go on vacation. They're lying on a beach and you've been told to just keep an eye on things. But what happens if something breaks? Maybe the weekly report they've scheduled to go out doesn't go out, and now you're on the hook for fixing the break. What next? Having a governance strategy on your team and in your organization is crucial to getting through situations like these. But what if you're new to governance? What are some steps you can take right now to improve your workflow governance? And how can you help your teams make sure everyone is better covered in the future? To learn more about governance, I spoke with my Alteryx colleague, Adam Blacke. 

ADAM: 00:40 

I'm the VP of data science here at Alteryx. I've been here about four years. I was previously in banking and manufacturing. A longtime Alteryx user. So I've been involved with Alteryx as a consumer rep for a little over 10 years, I think. Huge fan. And so when an opportunity to join the Alteryx team opened up, it was my dream job. 

MEGAN: 01:04 

And Philipp Maier. 

PHILIPP: 01:06 

Hi, my name is Philipp Maier. I work as a global practice lead for Alteryx. I'm an economist by training. And prior to me joining Alteryx, I worked at a global tier-one bank for a couple of years where my team was running operational excellence. So essentially it has to do with making processes better and automating things. 

MEGAN: 01:22 

Perfect. Well, that's going to tie in nicely to our topic today. Adam and Philipp will share tips for creating a healthy governance strategy, where to get practical resources like workflow governance checklists and advice for how to get through anxiety-producing audits. Let's get started. Today, we're talking about data governance and Alteryx workflow governance, so I'd like to just start out by setting the scene just for background information. I used to be a data analyst. And companies where there's not data governance or where there's not any kind of governance, it can be really confusing and really working in an environment where you don't have clarity and direction, or you're working on things and then all of a sudden managers or people will come up and ask you questions that you can't answer. There's all sorts of things that can be working in a blizzard where the snow is all around you, the data is all around you, and you start to feel a little bit lost or a little bit overwhelmed. So I'm super happy to have you guys on as experts today to talk about how we can make sense of that blizzard and calm things down for the data analysts out there. So I wanted to get started by asking you guys, what is governance and why should we care about it? 

ADAM: 02:47 

From my perspective, using the blizzard analogy, tacking onto that, it's like shoveling the snow so that you can get to your mailbox. But without good governance in place, you can't really get through the noise and get through the lack of clarity and direction on your data because you don't know what is good data, what is bad data, and you're constantly fighting fires and your analytic processes. So you're so busy and so unclear on which direction to head, you don't know what to do. And so governance really helps you remove that friction and give you that clarity of insight. 

PHILIPP: 03:25 

I should add governance can really mean many different things to different types of departments and different customers. So for instance, some institutions or some processes might call for very tight governance. So for instance, financial reporting under Sarbanes Oxley, very tightly controlled. Other processes need to be much less tightly control. So for instance, if I'm developing a new forecast, say, to make a new marketing campaign, I'm using only publicly available data, I may not need a lot of controls. Now, one of the principles that we employ is we listen carefully to the client and we design solutions to her or his needs. And in many cases, it can be helpful to think about governance spanning a spectrum of use cases. So even within a client, we may have some processes that might need very tight controls. So by tight controls, I mean, for instance, access controls, [strange?] management controls, version controls, those type of things, and others can be much less tightly governed. And the beauty of this is that we can enable a very fast way to develop new tools, we can enable fast ways to change processes, but then we can put controls in place once we are ready to move on from the development stage into a production phase. 

MEGAN: 04:46 

Awesome. Yeah, so it sounds like there are steps to it, there are pieces to it, but it's definitely not one-size-fits-all. So then as you're building out a governance strategy, what do you both see as the most important thing to include? 

PHILIPP: 05:03 

Sure. Let me start. So as mentioned before, governance can span a spectrum of different cases, some requiring very tight controls and other use cases are low-risk and use public data. Still, there's probably a number of general principles that apply such as writing proper documentation around your analytics so that you understand what you're doing and others can replicate it. Probably also a good idea to have someone independently review your work notably when you get close to putting it into production and getting ready for these daily production tasks. We really strive to make it easy for everyone. For instance, on the Alteryx community, we recently hosted a simple checklist on governance that anyone can print out. They can put it next to their keyboard, so to speak, and before they put something into production, they can make sure that they check all the boxes that are best practices for their tools. And one other point on data governance is very important, many tools that end users use-- and this applies not just for Alteryx, this applies to Python scripts, for our scripts, for Excel files. Many of these tools won't allow you to do something that is not allowed by other tools or by other controls elsewhere. So for instance, I can not access data in Alteryx if I don't have the data permissions to do so. Alteryx itself will not overwrite these controls. These controls inherit permissions that you already have set elsewhere. And so the very first thing to do to make sure that everything is well controlled is to review your security architecture, your data entitlements, and so on. 

PHILIPP: 06:44 

Now, a complication is that some processes will use publicly available data and they blend it with confidential data like HR data or salary data or things like that. In that case, the discussion needs to focus on, how do we think about accessing the final product of it, right? So the report I'm going to produce may not have a blend of publicly available data and some private or confidential data and mixes those two together. How do I put proper controls around that? And so that, for instance, would be a discussion worth having. So how do I, or what does the distribution list look like for that PowerPoint that I'm going to produce or the access rights for the [OO-DashBoard?], things like that? 

ADAM: 07:25 

So let's take a step back and discuss the broader picture. More so than just the tactical implementations, you really need for your strategy, it has to be sustainable. You have to have a situation where your governance strategy is second nature to everyone involved. It has to come without thought and be integrated into the very fabric of how you do business. And so in order to do this, what you really need as a central point of your strategy is the center of enablement that includes the upskilling and training and education, really the why buy on why governance matters that everyone across the organization knows and understands so that they understand what value they're getting from your governance strategy. It doesn't do anyone any good if your governance strategy is a printed piece of paper that sits in some of these dash drawer. It actually has to be a part of your core [inaudible]. 

MEGAN: 08:18 

Right. And people need to, at all levels, be aware of what the strategy is and what the benefits are so that they don't feel like they're just doing extra work for nothing. 

ADAM: 08:28 


MEGAN: 08:30 

Awesome. Okay, so those are some really good tactical tips and high-level tips about governance strategy. But I wanted to just make this a little more concrete and talk about a scenario. Let's say I'm a data analyst, and we have a team member who is taking a vacation. How should we as a team plan for that so that my Alteryx workflow doesn't fail while I'm gone? 

ADAM: 08:54 

So this scenario reminds me of a time when I was actually a business analyst and I had a critical process at a manufacturing location that I had to go and implement. It ran every day, it was required for a startup of the plan, and at the time, we didn't have good governance practices in place. And so sure enough, if anything went wrong, which was only 5 or 10 percent of the time, I get a call though at 5 o'clock in the morning, "Adam, you got to come in. The daily reports didn't run. We can't start the line yet. You got to get here." And so I would haul myself into the office and I would look at what was going on and I'd have to do an analysis. If we have had good governance practices, desk procedures, and quite honestly followed Philipp's checklist, I wouldn't have had to come in and worry about that on my days off or around vacations. Somebody else would have been able to fill in that spot. And I think this gets back to the what's the why buy is it's important for everyone to have that checklist or to have that governance strategy in place because it's in your best interest, right? It helps you not have to go in on your vacation day to solve a problem with the analytics that didn't run. 

MEGAN: 10:04 

Definitely allows you to breathe a little and relax when you're gone. 

PHILIPP: 10:07 

Yeah. If I can just jump in here, I think proper governance helps everyone orient themselves around what their teams are doing. And the reason I say this is because there are people out there that think governance is just an exercise that they have to do or it's a tax on all the fun analytics that they get to do, "And now, gosh, now I need to document them," and so on. But once you realize that you're part of a team, to picture change is quite dramatically. You need to think about what happens if the person I'm sitting next to suddenly wins the lottery and leaves. Who's going to be able to run this? Or as a manager, I can tell you that pretty much every single improvement effort I've ever been part of starts with building out an inventory of resources, right? This includes mapping our data connections, mapping our data flows, which systems are used, which spreadsheets are used, what other tools are used, who's going to run them, and so on. Good governance facilitates building that inventory, and good governance gives you the ability to think about how you can make running a team better or making work perform better or making a process more efficient. You need all these pieces of information before you can start on any improvement project. So there's a real upside to good governance. 

MEGAN: 11:28 

Yeah, that's awesome. I really like the point you made too about as we're talking about checklists, it's not only just you and your analysts in an isolated environment, you and your one checklist, it's having that understanding across the whole team of what people are doing and how it all fits together. I've definitely been in situations where when that gets lost, all of a sudden, as an analyst, I'm creating a file that gets loaded into a Power BI Dashboard and then all of a sudden, my change breaks the dashboard or something like that. And if I don't understand how it all fits together and what things I should be checking for in relation to what other people's processes are, that's an important component as well. Okay, so next, I would like to talk about continuing with the scenario of me being a data analyst. Why do you think that I should care about the team's governance strategy? Because it could seem like a lot of extra work to go through on my part. 

ADAM: 12:28 

I mean, I like to think of it like the seat belt scenario. Why do I wear my seat belt? Governance is the same. You care about it because it really protects you from your mistakes. It helps you in the cases where you get audited. It's that layer of protection that you really need to keep yourself safe and to keep your team safe. And again, like we talked about with my early days as an analyst, it helps you so that you can take vacations with confidence, you can take those breaks because you know that the process is going to work, you're not going to have errors in your work that are causing downtime, and of course, you'll be able to pass audits. So it sets you up for success. And that forward thinking in that look for success as you're building your career, what does your manager really want from you, if he wants your job to just happen, he wants everything to just work, to be magic, and not to have any drama or concerns in it? And if you're following good governance practices and you're following those governance checklists, your stuff is just going to work. It's going to be very robust and successful. And that's going to lead to opportunities for promotion and taking on additional work for you. So it's really just a win-win all the way around for you to really implement a good governance strategy and to be aware of and help guide the governance strategy of your team. 

PHILIPP: 13:52 

Let me add to this a little bit and let me introduce the third guiding principle how we approach the discussion. So I mentioned before, we listen carefully to what a customer wants. That's the first principle. The second principle is we try and make it as easy as we possibly can for everyone. Now the third principle is we have ample capabilities to govern Alteryx and Alteryx workflows and they're really suitable to transforming the discussion, and I'll explain why. So if you run an Alteryx workflow, at the risk of grossly oversimplifying, you have two options. You can run it on a server, or I can run it on my desktop. Now, if I run it on a server as an administrator of that server, I get a lot of information. And as a compliance team, I can retrieve a lot of information on what workflow was run, who ran it, and so on. But the real scenario that a lot of folks are worried about in tightly-controlled processes is, what happens if somebody runs something on the desktop that I'm not aware of? And you can compare this, say, to, "I'm going to build a really complex financial model. But I'm going to run it in Excel, and I'm the only one that has that spreadsheet," right? How on earth would I know what's going on in that spreadsheet and how do I hand it off to somebody else? 

PHILIPP: 15:14 

Now, Alteryx has introduced a really cool feature called Customer Managed Telemetry. And what it does is when I run a workflow on my desktop, it will store the fact that this workflow was run and it will store the information about that workflow. And this is data that only the customer has access to. Alteryx does not have access to it. That's why it's called Customer Managed Telemetry. But what you can do is you can parse it and you can go through it and you can quickly get a snapshot of what is happening on someone else's desktop. Now, this is really powerful for a number of reasons. The first is I can essentially see how within a large team different users are leveraging Alteryx. So I can almost compare and contrast and see if there are some users that are more advanced, great; if there's other users that are more struggling with the tool, I can deploy really customized training to meet those needs. But the other really cool thing is I can see, for instance, every data input that is used into this particular workflow. Not the actual records, but I can see the data connection, which database is accessed, or with SharePoint site, or do I use a file that's sitting on my desktop somewhere? And so what this allows me to do is if one of my data connections changes, so if I make an upgrade to my data environment, for instance, I can very quickly identify all the workflows that have been accessing this one SharePoint site or this one database. 

PHILIPP: 16:45 

In real life, what would I do? I would probably send an email to all my users. Half of them would be on vacation, the next half wouldn't read it, or they would push it down to tomorrow. This is a way that I can identify every single workflow that relies on this particular data collection. So it's a very nice way where I can-- how my team leverages the tool and how I can avoid any roadblocks or stumbling blocks or errors down the road. So the bottom line is we listen carefully to our customers, we make it as easy as we possibly can for our customers, and Alteryx has some terrific capabilities to really transform the governance discussion from, "This is a burden on my work. This is a tax on the fun stuff," to, "Let me make this really easy for you." Oh, and by the way, now, we've transformed how we think about governance, and there is a massive upside there as well that I can reap. 

MEGAN: 17:42 

Yeah, that's really awesome. And it was great what you said about using the telemetry as a manager to be able to tell who might be struggling with Alteryx and being able to pinpoint some resources for them, things like that. That would be great, thinking about the analyst perspective if someone came to you with, "Hey, I have some tailored resources for you," or, "Hey, I noticed maybe you haven't been leveraging some of these more advanced tools. Maybe we could sit down and I could show you how we can implement these kinds of tools." So that's really cool. Okay, great. So we've talked a lot about governance strategies and plans and ideas and tips. Once you at your company have a governance plan, do you guys have any tips on how you walk other people through that plan, how you get stakeholders on board and start to socialize the governance strategy? 

PHILIPP: 18:34 

I can start on this one. So the first lesson that I've learned is be proactive, and that is work with stakeholders to make a plan. Reach out to your stakeholders. That could be IT partners, it could be partners in audit, it could be compliance teams. Once you have a plan, reach out to them and walk them through it. And now, you've changed the discussion because now the discussion is about what's the right plan. The discussion is no longer, "I do not like this tool. This tool is difficult to govern," or, "This tool is easy to govern." Now I have a plan and we can debate what the plan should look like. And that's really what the discussion needs to look at. Being prepared that way has a big upside. And when you get audited, and at some point in your life, you will get audited, you now have an existing plan that you can pull out and you can point to and you're not scrambling to put one together. Now, we have a number of ways to help our customers on their journey either on a community or on our website, and our customers can always reach out to us and we can work with them to discuss specific needs and situations that's going to help them come up with a good plan. But that's really the key thing: be proactive, think about what might happen, and make a plan, and then you can have a discussion around that. 

MEGAN: 19:56 

Great. Okay, so another question I was interested in is if you could tell us a little more about what the relationship is between governance and audit and how those two things go together. 

PHILIPP: 20:08 

That's a great question. The way that I think about this is, certainly for publicly traded companies, there are a number of provisions and restrictions and rules and regulations that you need to follow, one of which essentially meaning that there's a number of requirements around certain key processes. Audit will test that these controls are in place. So these are things that I mentioned earlier, access controls, for instance, of change management controls, or that nobody can tamper with your data, those type of things. What is interesting is that if you picture yourself doing a lot of work in a classical Excel spreadsheet or in a Google Sheets spreadsheet, what is really hard is to prove out who has done what, who has had access to this particular spreadsheet, and who changed this particular cell, and who is responsible for this particular number that downstream gets supported. In Alteryx, you can set this up in a much cleaner way. You can essentially move data between different systems with no hands and all you need to do is check who built that workflow and you check that workflow actually there's a good job. Now, this is particularly interesting because once I have tested that this particular workflow does what it's intended to do, and once I've proven that out, and once I run this workflow on a dedicated server environment such that nobody accidentally can change the workflow, I don't need to test this workflow over and over again because I've already proven out that the workflow works and that it is tested and that it accomplishes what it's supposed to be doing. 

PHILIPP: 21:42 

Now, the upside is that an external audit partner would also not have to retest the same workflow over and over again. So this is what is called an automatic control as opposed to a manual control where somebody, for instance, needs to manually testify that, "Yes, I have reviewed this. Yes, I have done this. Yes, the data is correct in my destination." So the reason I mentioned this is because this is a really nice way to reduce cost for your audit process, in particular the process, right? Your external auditors will typically hunt down all these checklists and all these sign-offs and all these attestations that are done manually. Now, what you can do is you can build your controls such that you test them once and then the next you don't need to retest them, and therefore the amount of hours that your audit company is going to bill you to do that testing is going to be reduced from [year?] to one onward. So that's a really nice way how you can drive cost savings through automation. 

ADAM: 22:42 

And I think you have started a relationship this way. Everybody's focused on governance and the governance strategy for my analytic processes. But what you really have with the auditing is it's the governance for governance almost. It allows you to stress test your governance process to make sure that it's effective in its catching everything. A lot of people view audits as a negative experience. I don't view it that way. I see it as an opportunity to catch all of the things that we just didn't think of, to get that external point of view that will help prevent, again, those future issues that I might not have caught otherwise. And so it makes it so I don't get that phone call in the middle of the night or while I'm on vacation. If I'm audited, and I know it's been audited, I know it's robust, now I've got independent verification of my processes, so I can sleep better and vacation better and sit on the beach drinking my Mai Tai, and I don't have to worry about what's going on with my governance process. 

MEGAN: 23:43 

Awesome. Yeah, those are really good takes on audit. I've definitely heard a lot of people, not many people are excited to do an audit, so I like your take on that, Adam. That's awesome. 

ADAM: 23:54 

I'm a little biased. I used to be an auditor at one point, so. 

MEGAN: 23:57 

Ah, okay, I have a lot of auditor friends, so hear about them a lot. 

PHILIPP: 24:00 

I was going to say, Adam, if you're on the receiving-- if you're on the receiving end of an audit in multiple times, we'll speak again. [laughter] 

MEGAN: 24:09 

Great. And Adam, you brought up some points I hadn't thought about before about it potentially being positive. But talking to friends who are auditors and friends on the receiving side, sometimes it can be kind of emotional or it can be tough. Do you guys have any insight into how people feel about audits or the feelings surrounding governance, in general? 

ADAM: 24:31 

I mean, again, a lot of people have that negative view of auditing because they're not sure of what their governance strategy process should be. I think the more confident you are in your governance process and the approach that you've taken and the more well-thought-out it is, the less-intimidating and emotional that audit process is. If you're tacking it on at the end of your analytics journey, then yeah, it's going to be pretty intimidating because you don't know you've caught everything, and it's just going to cause a lot of work for you, and it's going to be a stressful experience, right, having somebody check your homework, as it were. But honestly, I think if you've sat down and you've taken the time and you've applied best practices to it, then it shouldn't be that emotional journey, right? If you've incorporated it into everything you do and you're well-trained and organized, it's generally speaking a non-event. You just get that good feedback that can make your processes better. 

PHILIPP: 25:31 

Well, I can tell you from my own experience, I was part of a team that got audited several times over the course of two years and had almost an annual refresh of an audit. The first time is really stressful. And you have no idea what your audit partners are going to find. And they come up with a long list of recommendations, you work through them, and you realize that the second time you're in much better shape and much better position. And most likely, there are still a couple of things that you need to fix. But what you first audit does, at least in my case, it was truly a wake-up call where I realized these are all the things that could potentially go wrong. And you know what, [inaudible] reputation's on the line when we mess this up. And so it forces you to think about good governance and how do I prevent errors from creeping into the work. This is truly what good governance is all about. And so everything that we discussed earlier is basically born out of that experience, how do I make the transition from, "I do my work and I'm confident that I'm doing my work well," to, "We're all working as a team. We all as a team need to work well." and what are the potential things that somebody could potentially mess up or what are the things that could potentially go wrong or what happens if somebody suddenly leaves and that piece of knowledge that this team member had suddenly walks out of the door? How I'm going to replace it? How am I going to document that? How do I make sure that the next generation has the same standard and the same quality of work? That's truly what good governance is all about. And that basically is driving the approaches that we are proposing in this podcast. 

ADAM: 27:08 

And I think one more thought on that just as I'm reflecting on the question, I'm often reminded of the stoic philosophy, the obstacle is the way. When you're not stressing the system, when you're not actively trying to be better, when you're not having challenges, you tend to get lazy, right? You degrade, your performance overall degrades, and your governance follows that same pattern. And the audit process stresses the system, and it makes you better. And so it's a much more productive way of looking at it, I think. 

MEGAN: 27:43 

Totally. Yeah, and what you were saying, Philipp, I think is a great example of the whole audit is governance for your governance. And it can be a positive thing is what I'm learning today, so thanks. Do you have any advice that you've heard or given personally for your teams to help deal with that post-audit stress? It could be really stressful being on the receiving end of seeing the mistakes or seeing all of the recommendations, but how do you kind of work your way back up to just jumping back into it and proving and leaving those mistakes behind? 

ADAM: 28:23 

So as an auditor, one of the things I reminded everyone is, "Look, I'm not here to be your enemy. I'm here to help you out, help you to be more successful." And just because you've made these mistakes or you have these audit comments, it doesn't make you a bad individual. I'm not critiquing your soul or your commitment to your job. What I'm doing is I'm identifying gaps in your process that need to be met or made better so that I can, again, help you in the future, right, so you don't have these issues and so that we protect the company. And so we need to just put the past behind us and work on proactively engaging on how we're going to make things better and what steps and then learn from them, right? Here, how can I educate you so that you can be better next time so that the next time we go through the audit process, there aren't many other comments? 

PHILIPP: 29:16 

Yeah, and I would actually compare this to a really simple analogy. When one of my teammates has a big presentation and we do a dry run, there's usually a lot of comments, and sometimes it can make the person doing the dry run feel unprepared or feel unhappy because you want to put our point out these are opportunities for improvement. The comment I always make is it's better if you hear it from me than if your audience is unhappy with your story because your story doesn't work. It's better if you hear it from me because we can fix it and we can deal with it. Now, the reason I say this is because it's better if you hear what is wrong with your process from your audit partners internally than if the regulators were to tell you that something is wrong or if it turns out that you violating SEC rules and regulations. So it's better if you fix it internally. It is still not going to be fun, but it is a way better outcome for you than any alternative scenario. 

MEGAN: 30:16 

Thanks for listening. For resources like the governance checklist, information about Customer Managed Telemetry, and tips about vacation proofing your workflows, check out our show notes at Catch you next time. 


This episode was produced by Maddie Johannsen (@MaddieJ), Mike Cusic (@mikecusic), and Matt Rotundo (@AlteryxMatt). Special thanks to @andyuttley for the theme music track, and @mikecusic for our album artwork.