In the previous installments (January 17 and January 26, 2014), I discussed my difficulties with the current definitions of “Information Governance,” a hierarchical view of Governance and Management, and the nature of the activities at each level. This installment looks at the Length dimension, and then returns to “Information” and “Information Governance.”
Length involves measurement. In this context, it’s performance measurement and monitoring. How is the corporation doing, and how is it doing that? And the corporation constantly measures and monitors whether the bar has been raised or lowered over time. Have the requirements changed and, if so, how have we responded?
The Board measures revenues and expenses, as reported by Management and confirmed by Audit. The Board also monitors the compliance system and reports of non-compliance with applicable law and with the corporation’s policies. The Board further monitors whether the requirements or risks have changed, and whether adjustments need to be made in controls such as corporate processes or policies. The Board also measures its world view against reality.
Management measures as well, but in more detail. Management measures revenues and expenses, but also operational efficiency, markets, customer and employee satisfaction, vendor performance, the competition, and a whole host of other metrics. Management also measures compliance by the corporation’s employees with applicable law and company policy, and monitors the effectiveness of the existing controls; part of that is a measurement of the extent to which the managers know the legal and policy requirements applicable to their field of operations. Management further monitors the risks that the corporation faces, and the controls and mitigations in place, to make sure they are still appropriate, especially as the business expands and contracts over time. Management also measures whether its technologies, people, physical plant, and operating structures are still appropriate for accomplishing the corporation’s objectives with reasonable efficiency. Finally, Management measures how ready they are for the future, whether that be by anticipating market developments or customer requirements or by preparing in advance for potential business crises.
Employees also engage in measurement, as only they truly manage their careers, by measuring where they are and where they want to get.
That concludes the description of the model.
Now, to bring it all together, let me tie this discussion of “Governance” into the broader discussion (or is it the narrower discussion?) of “Information Governance.” That requires a definition of the term “Information.”
I define “Information” broadly. I do not come at this from a Records Management view, where the world is broken into records and non-records, nor do I approach this entirely from the e-discovery point of view, where the scope of discovery is directed at documents, electronically stored information, and things. Rather, I come at this from the viewpoint of corporate information as a corporate asset.
For me, the “Information” subject to “Governance” at the corporate level is all information owned by the corporation or for which the corporation is responsible. By this I mean all information received or created by the corporation’s agents and employees in the course of the corporation’s business, except for public information. My definition extends to all information, whether written or unwritten, and thus includes the content of a phone call or a discussion in the hallway, as much as it does the accumulated knowledge of a 30-year employee of the nature and history of particular operations.
Having proposed such a broad definition of “Information,” I am considerably more flexible in terms of how much “Governance” needs to be applied to the different types of “Information.” Not every hallway conversation needs to be reduced to writing, widely shared, and stored for the life of the enterprise. But some of those conversations do need to be either shared or reduced to writing and retained. The difficult part is determining how much “Governance” or “Management” needs to be applied to each discrete bit of “Information.”
Turning full circle, I now perform a mash-up of “Governance” and “Information” and measure “Information Governance” against the HWL Governance model.
Society expects a corporation to maintain an accurate record of its operations and decisions for a reasonable time.
Law establishes an obligation for a corporation to keep accurate and complete financial records, to preserve documents when litigation or governmental investigation is reasonably likely, and to maintain certain records for minimum periods.
Shareholders require corporations in which they invest to comply with applicable laws and to not waste or give assets away.
The Board establishes a compliance system and regularly monitors the results to assure itself that the corporation’s employees are complying with applicable law and any other policies that the Board has adopted, including the applicable legal requirements for document creation, storage, and deletion. The Board delegates decision-making powers relating to information and its retention to the Chief Executive Officer. The Board is accountable for establishing, promoting, and maintaining a culture of compliance with applicable law and policy.
The Chief Executive Officer re-delegates responsibility and (arguably) accountability for information-related decisions to a specific senior individual or job title, providing the corporation’s information assets with an owner. This individual can re-delegate the responsibility but not the accountability to others in the organization. This individual determines the applicable legal requirements and applicable Board-adopted policies, and establishes additional group-wide policies and a system for monitoring the corporation’s compliance with those requirements. Individual managers are responsible for knowing the information-related requirements that apply to information received or created by employees within their remit and for ensuring that those requirements are met, which may include developing a process with information-related compliance baked in. Managers engaging third parties from outside the corporation are responsible for ensuring that those third parties comply with the corporation’s information-related requirements. Management is responsible for ensuring that changes in the applicable requirements are managed over time. Management is accountable for supporting a culture of compliance with applicable law and policy.
6. Employees and others
Employees must follow the processes developed by their line management so that there is assurance that the applicable information-related requirements are met. In the absence of such processes, the employees need to know what requirements, both legal and policy, apply to information that they receive, create, transmit and destroy. Third parties must comply with the requirements of their contracts with the corporation.
Rather than arguing for a different definition for Information Governance, I propose that we agree that it is evidenced by:
A corporation having a culture where compliance with applicable law and policy is an absolute condition of employment;
Management having a senior-level owner accountable for establishing and maintaining the information-related policies, procedures and systems;
Managers knowing the information-related legal and policy requirements and risks applicable to their area of operations;
Managers building processes for their employees that, when followed, result in compliance with applicable information-related law and policy, and that control and, as appropriate, mitigate those risks and hazards; and
The Board and Management monitoring information-related requirements, risks, and compliance performance over time.