One of the key challenges with adopting a holistic approach to information governance is that the information is stored in multiple formats, in many locations, and managed by many people with different responsibilities. This article looks at a few of these different perspectives and identifies an approach to gaining control.
This has become a hot topic, and remains a current focus of many IT departments today. The challenge with big data is that it is data focused, and this remains (necessarily) under the control of IT. Looking back to the heyday of data warehouses, the challenge always existed to gather the right (accurate) information, store it in separate databases that would allow business intelligence processes to be performed, whilst protecting and preserving the integrity of the original data. The challenges remain similar, except now there is far more data to be taken into consideration. With the size of large data sets, new considerations emerge regarding appropriate systems to gather, manage and store all this data. From a governance and discovery perspective, the organization needs to ensure that the data is accurate, is up-to-date, and accessible only to those who need it.
The systems to manage big data must sit within control of the IT department, but questions need to be asked regarding who has the responsibility to gather and curate the data, both in its raw form, and the outputs from the business intelligence models being run.
Whilst big data is an issue, an even greater concern may be the management of all the unstructured information in the organization, that doesn’t sit in databases and corporate ERP systems. Although different organizations have different views on Enterprise Content Management (ECM), the fact remains that a very high percentage of information in an organization is in unstructured formats. Ignoring paper for a second, the amount of information in scanned images, office suites, word processing files, spread-sheets, presentations, videos and pictures is truly staggering.
Conventional industry wisdom talks of 80% of information in an organization being in unstructured formats. Whether the actual percentage is 80% or even as low as 50% is a moot point; the concern remains that organizations hold tens of terabytes of unstructured information. The nature of this information is such that it is generally created and stored in a decentralised manner, by office workers scattered around the globe. Ensuring that all this information is accurate, collated, used properly, protected, and stored in formal systems that allow its search and retrieval remains a nightmare for many organizations. This information is often out of the control of IT departments and may be stored on local or shared drives, with duplication being a major concern. Finding the latest version, ring-fencing it and preserving it are key issues from an information governance and discovery perspective.
Yes, I know, you’ve all gone paperless, and none of your organizations have any paper stores any more. Sadly this is seldom the case, and the use of paper is still increasing by over 10% per year. For many processes, and many organizations, paper remains a key source document, and hence a key store of information. Information governance requires management of information on all formats and media, and paper simply cannot be ignored. Whilst e-discovery is the fashion of the day, true discovery still begs the question – is there information out there on other formats which may be required in the event of disputes or litigation.As with electronic unstructured information, paper is often generated in a decentralised manner. It happens “out there” in user departments, very far from the control of IT. Much of this paper is a record and needs to form part of the organizations records management programme, and hence clearly needs to be considered as an integral part of information governance.
Big data, unstructured electronic content and paper records all need to be considered when implementing a holistic information governance programme. The fact that this information is generated and stored in multiple locations, by different departments is a cause of the problem. Ensuring that everyone creates and keeps the right information, and protects it according to company dictates isn’t easy. Formulating coherent global policies and creation of a multi-disciplinary information governance steering committee are two key starting points for getting control of the different types of information. The next step is recognising what information exists, where it is stored, and allocating responsibilities for it during its lifecycle. Monitoring, reporting and revising processes on an on-going basis become the cornerstone for implementation into the future.
It almost sounds like a contradiction in terms. Social media and Information Governance in the same sentence doesn’t quite work, and sounds like a “lawyer meets marketer in a bar” joke. The reality is far from a joke though, and the very nature of social media, and the ability for blogs, tweets and shares to go viral, means that we must be extra vigilant in our creation and publication of this “new” media. This article draws heavily on records management practices and uses the ARMA Generally Accepted Recordkeeping Principles as a basis for developing a social media governance framework.
Clear policies and procedures should be developed for organizational social media and on-line or internet based activities. A senior representative should be appointed with overall responsibility for the implementation, monitoring and oversight of the use of these technologies. Anyone given the mandate to be a voice of the organisation on these media must be appropriately trained (in the various technologies in addition to some form of media training), monitored, and supervised. The level of governance will be based on the perceived risk to the organisation, although this may be very difficult to determine until it is too late.
Communications should be monitored for accuracy, integrity and to ensure that they meet the ethical guidelines of the organisation. A designated person should be given the mandate to delete inappropriate content where needed, and systems need to be in place to record such activity. Ideally, an approval process should be implemented to prevent the wrong content from being published in the first place. A caveat is needed here, as a balance needs to be drawn between rigidity and the need for fast response to comments in the public eye. People should use their individual identities and must be authorized to speak on behalf of the organization.
Policies and procedures regarding confidentiality should be extended to include social media, to prevent the wrong content from being published. Intellectual property should not be published without authorization, and written consent should be obtained before publication of any information with value. Whilst the individual may be posting under their own name, policies must clearly state that the information belongs to the organization.
Content published on social media may be subject to laws and record keeping requirements for retention and destruction may apply. A clear understanding of the regulatory environment surrounding the organisation is required, and firm policies developed regarding whether these publications do form part of the records inventory of the organization or not. And of course copies of the records then need to be kept for the required period and under the appropriate conditions.
The publications should be indexed and searchable. This may not always be possible given that social media platforms are out of control of the publishing organisation. Wherever possible, service level agreements should be formed with the systems providers to ensure that information can be found and retrieved. Regardless of the choice of platform and service provider, the organization must develop the means to categorize, protect and retrieve information which falls under their records regime.
As with any other records system, retention rules need to be developed and adhered to. Input from key stakeholders is required to ensure that all considerations are included when developing the retention policies. Collation and storage of social media content should be automated as far as possible, and a system which aggregates and collates all social media activity is highly recommended. In this instance, a single social media management platform should be used, with secure authentication, to ensure that information is properly created, secured and retained.
Negotiations and agreements should be concluded with the social media platforms selected, so that publications can be deleted according to the organisations disposal policy. This may be far easier said than done, and even where an agreement is reached, it may be impossible to even find, let alone dispose of information which has been shared between multiple diverse social media platforms.
The power of social media may well prove the Achilles heel. Social platforms provide an opportunity for organizations to engage with clients and prospects in a real two-way dialogue. Organizations should be very clear regarding whether an option is the individual’s personal view or whether it is representative of the companies’ viewpoint. Real names should be used, and clearly state whose opinion it is.
This is a summarised view of what has already become a complex subject. As organizations grappled with managing e-mails as records for years, so this environment is going to create many opportunities for debate. The message is clear though, make sure that your information governance programme includes social media, and that you know what is being published, by whom, and if it is deemed to be official, that it falls under the same rules as any other record.
In order to avoid misunderstanding, the title of this post requires some clarity. Governance is critical, and we believe this wholeheartedly. The issue under consideration is how a governance initiative is adopted and implemented. Governance, and by its very nature, Information Governance, stands the risk that it is seen as another overhead, an expensive exercise with little value. If the executive team, and possibly more importantly, the staff, do not understand and buy-in to the benefits, it is likely to be approached half-heartedly, and the bare minimum, regulatory requirements will be implemented.
Governance is expensive – accept this as a fact. So the question becomes one of “how do we get some value from this expense?” If no attempt is made to seek real value, then the cost becomes one of insurance, “just in case”. The only time there is a return on the investment is when the information is required in the event of litigation, audit queries or investigations. If this never happens, then the investment is wasted. To my mind, wasted investment sounds like poor corporate governance.
A potentially greater risk is that “compliance for compliance –sake” leads to reluctance on the part of staff to comply. They don’t perceive any benefit, so will do the least possible to meet the compliance requirements. When the time comes to retrieve the information, the half-hearted attempts become apparent, and the information isn’t complete, it’s out of date, or worse still, can’t be found. In this instance, not only have all the expenses become wasted, but the organization still stands the chance of losing the court case as the necessary information isn’t available. Some information can be found, but no-one is sure whether there is more, and the e-discovery costs escalate wildly.
One method of obtaining the necessary buy-in is by making sure that the Information Governance initiative is very closely aligned to the corporate goals or objectives. These could be a combination of any of the following (or a host of others not mentioned here):
These are easily determined by analysing the annual financial reports, 5 year strategic plans, and even the organization’s mission and values boldly displayed in the corridors. The next step is to determine how Information Governance can assist in meeting each one of these objectives. Assisting with compliance is easy, but one needs to explore the other “non-compliance” drivers for these are where the value may well lie.
For example, truly managed information is more easily found, fewer duplicates are kept, and it can be trusted. This must lead to a reduction in cost, which assists the organization in that goal. If Information is easily found and staff don’t waste time searching unnecessarily, then their working days may be more fulfilling, and they can be better utilised, adding value to their daily tasks. Better information leads to faster processes, and ultimately a more efficiently run organisation.
By focusing less on the “governance” part of information governance, and instead looking to see how having properly managed information can assist the organization in meeting its objectives, there is a strong chance that buy-in can be achieved. Not only does it assist with obtaining the necessary commitment, but also helps to garner support from non-governance quarters.