Big Governance and the Politics of Self-Regulation

By Marc Solomon posted 10-11-2012 10:33


When we win new customers who doesn’t want to go public? it’s easy to think in external terms. No doubt the proposal team’s dancing in the end zone. And who’s inspiring them to spike the ball more – the hometown fans or the dejected opponents? However, once that revenue’s booked, opening this new account introduces us to a very different kind of performance number. Governance is strictly internal in a way that even those showboats in accounting can’t sequester. There are no victory dances. Only ulcers.

With that in mind I must commend Chris Walker of OpenText for his genius AIIM blog post “Governance Sucks But Doesn't Have To.” Governance is here to stay. Just because storage, networking, and development costs continue to plummet doesn’t mean that controls, safeguards, and protocols look the other way. But Walker doesn’t tiptoe around the excesses of the control freaks either:

“Governance is all the rules, regulations, legislation, standards, and policies with which we need to comply when we create, share, and use information. Don't misunderstand me; it's not the results or purposes of governance that annoy me, it's how governance is applied. The in-your-face, gavel banging, fanaticism driven approach of many of the legal, risk, and compliance crowd is the issue.”

What the man Is saying is that risk mitigation has become its own reward. If you’re a successful organization these days, you’re an anxious one. You’re stressed 24/7 no matter what face of the sun or moon is slipping over some regional border or legal boundary. Worse, stressed out organizations have come to believe that a state of agitation is a positive, a shared cultural value: You mean you’re not worked up as I am? It’s not a process for unifying a brand or promoting consistency or safeguarding a confidence. It’s now baked into the cost of doing business. Those sharp elbows are really a badge of honor.

Leave No Firewall Unturned-on

Here are some of the warning signs beginning with the admonishments. We’re dwelling on the don’ts in observance of the first tenet of big governance --  the penalties for doing harm far exceed the rewards for doing good:

1.      We don’t take our success for granted.

2.      We don’t let outside events control our destiny.

3.      We don’t take unnecessary risks in order to pursue new unproven and potentially fleeting opportunities.

Even the do’s aren’t affirmations. They’re warnings stained with the brush of suspicion:

1.      We follow procedures first and foremost.

2.      We are on guard for all potential breeches and lapses.

3.      We’re only as strong as our weakest link so let a thousand silos blossom.

Like an individual shouldering a stress disorder, such outfits are viligent in the pains they take to prepare for the next slippage, or breach, out outbreak. But what floats to the top of the anxiety agenda? Is it really about carefully considered risks and benefits or is it a knee-jerk aversion to change, regardless of the trade-offs?

Right-sizing Governance

This is not to be dismissive of governance itself.

Think of the last time you decided to send an official jumping ship email out to every one in the enterprise. You raise your toast to the best face you can put on a place you no longer call your work home. Do you read all the off-boarding guidelines for knowing what to say, how to express it and to whom? Or do you grab the nearest life boat and shove the woman and children out of the way?

In its most availing aspects governance can save us from our unfiltered verbiage when we wander off the reservation and kick back a few too many at the social media happy hour. It’s not a fashion statement that nearly every firm within Google radar range has published guidelines around their social media policies. It’s reality. And the goals that predicate governance are nearly universal in scope. Reducing legal exposure, protecting client confidentiality, preserving competitive assets, and promoting accountability are slam dunks, beyond debate no matter how out front or in back we are organizationally.

Problem is, sometimes those defensive postures end up hamstringing the same assets they were designed to protect. It calls into question the central premise of compliance as the overriding factor in how we design and maintain our ECMs. The question is this: Do we promote knowledge sharing and collaboration with support and guidance for mitigating risks? Or do we restrict access from the get-go? We dispense completely with the pandora’s box of what one says or does with said documentation?

The Anxious Idiot

How does an ECM perspective help the anxious organization down the road to at least partial sanity from the pile-up of total wreck? How does an inflexible and fearful culture swallow its medicine and keep its defenses up without succumbing to xenophobia, shutting out the potentials for innovation that nurture its community and growth?

Writing in the New York Times Daniel Smith defines the plight of the anxious idiot. But he might as well be speaking about the dysfunctional side of big, hairy governance as…

“An impractical and unreasonable person, a person who tends to forget all the important lessons, essentially a fool, one who willfully ignores all that he has learned about how to come to his own aid. A person who is so fixated on the fact that he is in a hole that he fails to climb out of the hole.”

Smith reasons that it’s not fear but laziness that prevent stressed out people from countering the demons that make them: (1) anxious in the first place, (2) often insular, and (3) leading to eventual lock-down.

Laziness? Who are we calling lazy? Certainly not the compliance sentinel who sleeps with one eye open!

That’s where an information professional needs not only to wear but wield their change management six sigma belt. It’s not about sharing and caring and kindred camp fires. It’s in the face of a fierce resistance to the benefits of honest disagreement, open discussion, and prospects for positive movement.

Sweating the Big Stuff

Here’s how those kinds of back-to-the-wall reminders can prod their way into a governance model that works by design and doesn’t run off the rails by default:

1) Imagine the Worst: Role play and scenario-build around those worst case situations. Where were the lapses. How did the model collapse? What could happen institutionally to protect itself the next time the safeguards are skirted or the rules are ignored? One note of discretion here. Don’t go undercover as some mystery shopper or create your own hacks or subterfuges for pointing out leaks or lapses. Becoming exhibit A will draw all the attention away from the illustration and towards the illustrator. More importantly you will draw down the goodwill of your colleagues faster than an IPhone battery on the fritz.

2) Separate Bad Actors from Good Information: Another sure sign of an uncritical acceptance of anxiety? Nothing is measured. Everything is dire and described in absolutes or lumped together indescriminantly. That’s why the basic handiworks of sound information practices like metadata management and search configuration are jumbled into the same argument for chinese walls and redundant servers. Knowing who can see what and when is not the same thing as folksfinding information they need, when they need it.As Walker points out: “If you think classifications and retention schedules are the same thing, there’s not an E[I]M solution on the planet that’s gonna help you and you’re not an Information Professional.”

3) Have the Conversation: The governance road map is not a one way street. If it was that easy, we’d be offered enterprise amnesty. A simple mouse-over would require us to report any unattended documents or orphan attributions to the nearest governance gatekeeper … now onto your real job! As Walker suggests this uneasy but necessary dialog requires the business weigh-in before a candid assessment can be made of what’s reasonable and necessary versus what’s over-the-top (as in sales people moonlighting as records managers). Make sure that it’s not just legal, regulatory, or security staff with a seat at the governance table. The business side needs to be there, not as a foil or reluctant player with better things to do. The revenue side needs to balance the deck with a less cloistered orientation to these same benefits and risks.

But whether the olive branch is a peace pipe or a chill pill, tread carefully. Just the suggestion alone could well inflame the passions of a compliance manager with their guard down. These overtures will have to do until yoga, or exercise, or therapeutic breathing replaces lunch at our desks and the insecurities of a sputtering economy.

Even if they’re not cure-alls for the impending panic attacks to come.

#protocol #framework #enterprisesecurity #employeepolicies #regulation #Collaboration #compliance #InformationGovernance #ITgovernance #ElectronicRecordsManagement #Procedures
1 comment


11-01-2012 15:27

Hi Mark,
I enjoyed the blog.
Good to connect again via social media.
Loved the anxious idiot part.
Seen way too many of those. :)
I wrote a blog on whether or not executives care about data quality.