Deborah H. Juhnke, IGP, CRM
Director of Information Governance Consulting
Husch Blackwell LLP
Debbie is a founding member of Husch Blackwell’s Privacy and Information Governance group, whose exclusive focus is development and implementation of information governance programs and privacy and data security compliance. In her role, Debbie brings her more than 25 years of information management and computer forensics experience to her work in records inventory, retention schedule and policy development, as well as project management, information governance program implementation, email and legacy data cleanup, and security risk assessments. Her work has benefited clients in a variety of industries, including public utilities, retail, manufacturing, business-to-business services, financial services, education and healthcare. Debbie is a Certified Information Governance Professional and a Certified Records Manager. Contact here at Deborah.firstname.lastname@example.org and find her on LinkedIn: www.linkedin.com/in/deborahjuhnke/
1. Information governance is just a fancy term for records management.
Traditional records management has its roots in the management of paper based files, of which most were truly capital “R” records. Fast forward seventy-five years, and we find that most records are no longer in paper form and most communication is now electronic. Cyber-security is a significant concern, and the out-of-sight, out-of-mind reality of digital storage has allowed for vast accumulations of information that—were it in paper form—would have long ago been disposed.
The response to this situation has shaped the discipline of information governance, “…an organization’s coordinated, interdisciplinary approach to satisfying information legal and compliance requirements and managing information risks while optimizing information value.” (The Sedona Conference Commentary on Information Governance, December 2013)
2. I need to create a big information governance program to get started.
Inertia is your enemy, and you must do whatever is necessary to break through it. That means simply doing something. It could mean finding a visible pain point—such as e-mail overload—and addressing that first. It might mean responding to an information governance tipping point—such as whether to purchase more data storage—by re-evaluating your assumptions and assessing whether it makes more sense instead to clean out the junk. It may mean envisioning a fully-formed information governance program, but starting your implementation with a small group, tweaking the details as you engage the rest of the organization.
The important thing is that it is possible to do something while at the same time keeping your eye on the long-term goal of implementing information governance broadly within your organization.
3. Information governance is IT’s job.
Information Technology as a discipline is certainly deep in the mix of information governance, but it is only part of the program. As countless commentaries on information governance have agreed, it ultimately does take a village to accomplish broad-based information governance.
Who takes the lead? The choice will usually be driven by the initiator of the program or tactical initiative. It may be IT, it may be Legal, it may be Compliance/Audit. Regardless of the lead, the name of the game is personal accountability. Information governance is everyone’s job.
4. I can just buy more storage and not worry about information governance.
Sure, it’s easy to buy more storage, especially when the initial procurement price continues to fall. What’s lost in this equation, however, is that the true cost of storage is not simply the purchase price. Depending on whose numbers you use, the true out-of-pocket cost can be as much as 5 to 7 times annually the cost of the hardware. Further, soft costs associated with decreased productivity and missed opportunity must weigh in.
So, it’s “pay me now, or pay me later.” We can either take a time out and consider whether we can slow the growth of data storage (and thus avoid a premature purchase), or continue to add to the information glut, only to face the same problem again next year.
5. I need to buy an ECM system to do information governance.
At some point, you may want to investigate more structured and automated ways of managing content, and an ECM may be the way to go. As with all technology purchases, however, you should consider carefully the itch you’re trying to scratch. It is likely that the perceived need—such as an inability to find information—must first be addressed by ensuring that your underlying information structure is sound by developing file plans, metadata tags, and rules, all of which will ultimately be required by an ECM. The single biggest failure of implementing enterprise systems is a lack of planning.
6. My employees will rebel if I impose information governance rules.
There may be a few grumbles here and there, but for the most part employees are happy to finally understand what they are supposed to do with their information. Most have spent years simply doing the best they can to organize their information, usually keeping everything “just to be safe” or, in the worst case, as a CYA.
7. My company is too small to care about information governance.
No company is too small. In fact, you could argue that small- to mid-sized companies have a harder time managing their information than the big boys. They have fewer dedicated resources, and may even fully outsource their IT function, or use cloud services. They often believe they live outside the scrutiny of regulatory agencies, but as Business Associates in healthcare are finding out, for example, HIPAA regulations apply to both large and small alike. Consider, too, the role of a small business such as Fazio Mechanical in what has shaped up to be one of the most visible data breaches in the last year.
Information governance pertains not just to how information is stored, but also to how it is created, protected, used, and disposed. Remember that all it takes is one employee yielding to the temptation of a phishing e-mail to initiate the cascade of a data breach. This, too, is information governance.
8. Information governance costs too much.
Does managing your financial assets cost too much? How about maintaining your office? Information is a business asset, and smart companies leverage its value, while satisfying legal requirements and controlling risk. You’ve probably heard that old saying that if you think old age is bad, you should try the alternative. Though attention paid to improving information governance may consume soft resources, poor information governance exposes organizations to increased hard costs associated with e-discovery, with growing storage requirements, and with wasteful inefficiency in finding information, not to mention increasing the risk of a regulatory misstep or data breach.
Out-of-pocket costs can be reduced, if not eliminated entirely, by applying a “Zero-Based” approach to information governance. Cut cost first by slowing the growth of information and analyzing more critically such Band-Aid technology requests as e-mail archives or yet more storage. Develop policies and provide training on better e-communications. Dust off that old retention schedule, get it updated, and take steps to apply it to your legacy repositories of paper and data. It is possible to make progress now, without spending a dime of hard, cold cash.