One of the key challenges with adopting a holistic approach to information governance is that the information is stored in multiple formats, in many locations, and managed by many people with different responsibilities. This article looks at a few of these different perspectives and identifies an approach to gaining control.
This has become a hot topic, and remains a current focus of many IT departments today. The challenge with big data is that it is data focused, and this remains (necessarily) under the control of IT. Looking back to the heyday of data warehouses, the challenge always existed to gather the right (accurate) information, store it in separate databases that would allow business intelligence processes to be performed, whilst protecting and preserving the integrity of the original data. The challenges remain similar, except now there is far more data to be taken into consideration. With the size of large data sets, new considerations emerge regarding appropriate systems to gather, manage and store all this data. From a governance and discovery perspective, the organization needs to ensure that the data is accurate, is up-to-date, and accessible only to those who need it.
The systems to manage big data must sit within control of the IT department, but questions need to be asked regarding who has the responsibility to gather and curate the data, both in its raw form, and the outputs from the business intelligence models being run.
Whilst big data is an issue, an even greater concern may be the management of all the unstructured information in the organization, that doesn’t sit in databases and corporate ERP systems. Although different organizations have different views on Enterprise Content Management (ECM), the fact remains that a very high percentage of information in an organization is in unstructured formats. Ignoring paper for a second, the amount of information in scanned images, office suites, word processing files, spread-sheets, presentations, videos and pictures is truly staggering.
Conventional industry wisdom talks of 80% of information in an organization being in unstructured formats. Whether the actual percentage is 80% or even as low as 50% is a moot point; the concern remains that organizations hold tens of terabytes of unstructured information. The nature of this information is such that it is generally created and stored in a decentralised manner, by office workers scattered around the globe. Ensuring that all this information is accurate, collated, used properly, protected, and stored in formal systems that allow its search and retrieval remains a nightmare for many organizations. This information is often out of the control of IT departments and may be stored on local or shared drives, with duplication being a major concern. Finding the latest version, ring-fencing it and preserving it are key issues from an information governance and discovery perspective.
Yes, I know, you’ve all gone paperless, and none of your organizations have any paper stores any more. Sadly this is seldom the case, and the use of paper is still increasing by over 10% per year. For many processes, and many organizations, paper remains a key source document, and hence a key store of information. Information governance requires management of information on all formats and media, and paper simply cannot be ignored. Whilst e-discovery is the fashion of the day, true discovery still begs the question – is there information out there on other formats which may be required in the event of disputes or litigation.As with electronic unstructured information, paper is often generated in a decentralised manner. It happens “out there” in user departments, very far from the control of IT. Much of this paper is a record and needs to form part of the organizations records management programme, and hence clearly needs to be considered as an integral part of information governance.
Big data, unstructured electronic content and paper records all need to be considered when implementing a holistic information governance programme. The fact that this information is generated and stored in multiple locations, by different departments is a cause of the problem. Ensuring that everyone creates and keeps the right information, and protects it according to company dictates isn’t easy. Formulating coherent global policies and creation of a multi-disciplinary information governance steering committee are two key starting points for getting control of the different types of information. The next step is recognising what information exists, where it is stored, and allocating responsibilities for it during its lifecycle. Monitoring, reporting and revising processes on an on-going basis become the cornerstone for implementation into the future.
It almost sounds like a contradiction in terms. Social media and Information Governance in the same sentence doesn’t quite work, and sounds like a “lawyer meets marketer in a bar” joke. The reality is far from a joke though, and the very nature of social media, and the ability for blogs, tweets and shares to go viral, means that we must be extra vigilant in our creation and publication of this “new” media. This article draws heavily on records management practices and uses the ARMA Generally Accepted Recordkeeping Principles as a basis for developing a social media governance framework.
Clear policies and procedures should be developed for organizational social media and on-line or internet based activities. A senior representative should be appointed with overall responsibility for the implementation, monitoring and oversight of the use of these technologies. Anyone given the mandate to be a voice of the organisation on these media must be appropriately trained (in the various technologies in addition to some form of media training), monitored, and supervised. The level of governance will be based on the perceived risk to the organisation, although this may be very difficult to determine until it is too late.
Communications should be monitored for accuracy, integrity and to ensure that they meet the ethical guidelines of the organisation. A designated person should be given the mandate to delete inappropriate content where needed, and systems need to be in place to record such activity. Ideally, an approval process should be implemented to prevent the wrong content from being published in the first place. A caveat is needed here, as a balance needs to be drawn between rigidity and the need for fast response to comments in the public eye. People should use their individual identities and must be authorized to speak on behalf of the organization.
Policies and procedures regarding confidentiality should be extended to include social media, to prevent the wrong content from being published. Intellectual property should not be published without authorization, and written consent should be obtained before publication of any information with value. Whilst the individual may be posting under their own name, policies must clearly state that the information belongs to the organization.
Content published on social media may be subject to laws and record keeping requirements for retention and destruction may apply. A clear understanding of the regulatory environment surrounding the organisation is required, and firm policies developed regarding whether these publications do form part of the records inventory of the organization or not. And of course copies of the records then need to be kept for the required period and under the appropriate conditions.
The publications should be indexed and searchable. This may not always be possible given that social media platforms are out of control of the publishing organisation. Wherever possible, service level agreements should be formed with the systems providers to ensure that information can be found and retrieved. Regardless of the choice of platform and service provider, the organization must develop the means to categorize, protect and retrieve information which falls under their records regime.
As with any other records system, retention rules need to be developed and adhered to. Input from key stakeholders is required to ensure that all considerations are included when developing the retention policies. Collation and storage of social media content should be automated as far as possible, and a system which aggregates and collates all social media activity is highly recommended. In this instance, a single social media management platform should be used, with secure authentication, to ensure that information is properly created, secured and retained.
Negotiations and agreements should be concluded with the social media platforms selected, so that publications can be deleted according to the organisations disposal policy. This may be far easier said than done, and even where an agreement is reached, it may be impossible to even find, let alone dispose of information which has been shared between multiple diverse social media platforms.
The power of social media may well prove the Achilles heel. Social platforms provide an opportunity for organizations to engage with clients and prospects in a real two-way dialogue. Organizations should be very clear regarding whether an option is the individual’s personal view or whether it is representative of the companies’ viewpoint. Real names should be used, and clearly state whose opinion it is.
This is a summarised view of what has already become a complex subject. As organizations grappled with managing e-mails as records for years, so this environment is going to create many opportunities for debate. The message is clear though, make sure that your information governance programme includes social media, and that you know what is being published, by whom, and if it is deemed to be official, that it falls under the same rules as any other record.
In order to avoid misunderstanding, the title of this post requires some clarity. Governance is critical, and we believe this wholeheartedly. The issue under consideration is how a governance initiative is adopted and implemented. Governance, and by its very nature, Information Governance, stands the risk that it is seen as another overhead, an expensive exercise with little value. If the executive team, and possibly more importantly, the staff, do not understand and buy-in to the benefits, it is likely to be approached half-heartedly, and the bare minimum, regulatory requirements will be implemented.
Governance is expensive – accept this as a fact. So the question becomes one of “how do we get some value from this expense?” If no attempt is made to seek real value, then the cost becomes one of insurance, “just in case”. The only time there is a return on the investment is when the information is required in the event of litigation, audit queries or investigations. If this never happens, then the investment is wasted. To my mind, wasted investment sounds like poor corporate governance.
A potentially greater risk is that “compliance for compliance –sake” leads to reluctance on the part of staff to comply. They don’t perceive any benefit, so will do the least possible to meet the compliance requirements. When the time comes to retrieve the information, the half-hearted attempts become apparent, and the information isn’t complete, it’s out of date, or worse still, can’t be found. In this instance, not only have all the expenses become wasted, but the organization still stands the chance of losing the court case as the necessary information isn’t available. Some information can be found, but no-one is sure whether there is more, and the e-discovery costs escalate wildly.
One method of obtaining the necessary buy-in is by making sure that the Information Governance initiative is very closely aligned to the corporate goals or objectives. These could be a combination of any of the following (or a host of others not mentioned here):
These are easily determined by analysing the annual financial reports, 5 year strategic plans, and even the organization’s mission and values boldly displayed in the corridors. The next step is to determine how Information Governance can assist in meeting each one of these objectives. Assisting with compliance is easy, but one needs to explore the other “non-compliance” drivers for these are where the value may well lie.
For example, truly managed information is more easily found, fewer duplicates are kept, and it can be trusted. This must lead to a reduction in cost, which assists the organization in that goal. If Information is easily found and staff don’t waste time searching unnecessarily, then their working days may be more fulfilling, and they can be better utilised, adding value to their daily tasks. Better information leads to faster processes, and ultimately a more efficiently run organisation.
By focusing less on the “governance” part of information governance, and instead looking to see how having properly managed information can assist the organization in meeting its objectives, there is a strong chance that buy-in can be achieved. Not only does it assist with obtaining the necessary commitment, but also helps to garner support from non-governance quarters.
As the discipline or field of Information Governance starts to take shape, it is natural that different stakeholders will apply their own interpretation and emphasis to an IG programme. This brings the risk that it does not follow a holistic approach, and different elements of governance end up in conflict. This article positions the components that should be included in an enterprise approach to Information Governance. Please note that this is not in any specific sequence, and it must be stressed that all of the various aspects considered should be given equal emphasis.
At its core, Information Governance is an integral part of Corporate Governance, so this is a natural starting point. IG structures and frameworks must fit tightly with any corporate governance requirements. In particular, careful consideration should be given to Sarbanes Oxley, King III or other industry- or country-specific requirements.
I hesitate to place this second on the list, as that draws a natural inference as to its importance. ITIL, CobiT, ISO 12207 and ISO 15288 are well established and could be key instruments for IT Governance. The challenge is to implement IT Governance, and link it to the other governance elements discussed below, without the emphasis being purely on IT.
Obviously a critical component of Information Governance, e-discovery initiatives cannot be conducted in isolation of records management, IT Governance or any of the other factors discussed here. The emphasis in this case is that IG cannot be a legal initiative alone, and needs to partners with a number of other stakeholders.
There is a great deal of focus on records management at the moment, and ARMA have developed their Generally Accepted Record Keeping Principles (GARP) model, known as “the principles”. Whilst this has much merit, and an Information Governance Professional certification has been developed in accordance with GARP, we should caution against thinking that Information Governance belongs purely in the Records management domain. The GARP model has a structure that can be applied across all aspects of Information Governance, but the records management team shouldn’t be applying GARP and ignoring the other focus areas.
Safety, Health, Risk, Environment and Quality often get bundled together, and they form a natural group of disciplines. The information Governance programme needs to span all of these, and make sure that the unique requirements of each are included in the governance framework. I place specific emphasis on Risk and Quality, as these get special mention in Corporate Governance requirements. ISO 9001 and 31000 (Risk management), with its supporting standards are a natural starting point and tend to be well established and understood in the corporate environment. Information Security ISO 27001 has been in place for a number of years now and is well known and implemented as an Information Security standard.
is one of the cornerstones of governance, and is specifically highlighted in King III as a key element of sound Corporate Governance. Regardless of whether the information concerned is in paper, electronic or other format, or the particular information is in data or document form (structured or unstructured), the information security framework needs to apply. Privacy (Data protection) The legislative environment around privacy is becoming robust internationally (The European Union Data Protection Directive, and the Safe harbour principles spring to mind), and the IG framework has to ensure that information gathered about individuals is correctly maintained and protected. In some quarters this is seen as conflicting with Access to Information Legislation, so both poles need to be considered and built into governance rules.
This could be seen as an element of IT Governance, but it warrants special mention. Development of data models and metadata schemas are fundamental to being able to meet some of the requirements already mentioned. Any data gathered needs to be managed so that it doesn’t conflict with any of the other requirements.
This article provides a very basic summary of the factors which need to be considered when putting a holistic Information Governance framework together. It cannot be stressed strongly enough that each of the parts described above obviously have merit in their own right. Developing a more complete framework as outlined here, ensures that all parts are aligned, and the potential for conflict amongst them is reduced.
As with any emerging discipline, there will always be the potential for projects to falter, or to start off in one direction, and end up producing something completely different than initially intended. This is the first in a series of articles which provides guidance regarding things to look out for, and some steps to reduce the possibility of the information governance programme fizzling out.
This may sound so self-evident that it doesn’t warrant mentioning, but if this isn’t clearly thought out, the project will quickly lose direction, and will fail to gain the necessary traction. Due to the emergent nature of information governance, it means different things to different stakeholders. IT for example could immediately interpret it to mean IT Governance, or Big Data. The records management team may well think it is all about the Generally Accepted Record Keeping Principles. To the legal practitioners it most likely translates to e-discovery or meeting Privacy requirements. And they could all be right, so firstly understand what the key business problem is that needs fixing, and focus on that.
Governance in any form is often seen as a grudge purchase, a necessary evil. An important part of the process is to make sure that information governance delivers some form of business benefit. Regardless whether the benefit to your specific organisation lies in cost saving, reputation management, risk reduction, litigation management, reduced e-discovery costs or better customer service, understanding the benefits is critical if the rest of the leadership team is to buy-in. Information Governance could deliver all (or none) of these, and just how seriously the initiative is taken depends on how closely it is aligned to the goals of the organisation.
Strangely enough, governance comes with a cost attached. Gathering the necessary financial and human resources to make it happen is reliant on the executives buying-in to the process. It is my experience that executives only buy-in when they fully understand the exercise, and they clearly see how it can benefit their sphere of operation. If the time is taken in step 2 to align IG to the key issues facing the organisation, then buy-in becomes much easier. Due to the fact that this industry is in its early stages, the onus lies on us to make sure that we clearly understand the benefits, so that we can formulate a coherent business argument for moving forward.
Information Governance touches on almost all aspects of organisations; hence it leads to people needing to conduct business in new ways. With new approaches comes the need for a sound change management plan. Regardless of whether your approach is one of “comply or else” or adopting a more gentle, encouraging attitude, staff need to be brought along for the journey. The end result must be one where all affected staff adopt and comply with the new governance regime, and ideally they should see the benefits, not only for the organisation as a whole, but also how it affects their daily tasks.
Of course there are more things to consider, but ignoring these key issues could spell the death of true Information Governance in your workplace, and open up the potential for significant risk. Paying close attention to these four steps, as early as possible in the process, should stand you in good stead as you embark on this exciting journey.