7 Key IG Accelerators
Searching for ways to launch an Information Governance (IG) program, or expand an existing one?
IG
is "policy-based control of information to maximize value and meet
legal, regulatory, risk, and business demands." One of the biggest
problems with kicking off new Information Governance programs is that
they take on average a year or more to form, according to research by
the IG Initiative.
Beyond that, many IG programs lose steam and fail to meet the
organization's objectives. This can occur for a variety of reasons,
adhering to the Anna Karenina principle, which is derived from the opening to Tolstoy's book,
"Happy families are all alike; every unhappy family is unhappy in its own way."
In other words, every IG program failure is unique and due to a mix of shortcomings.
One
IG industry leader confided, "I have designed perfect IG programs and
nothing happened." In this case there likely were significant weaknesses
in the approach, including lack of strong executive sponsorship and
developing a clear business case. Other failed IG programs may not have
had the right mix of players named to the IG Program Team or Steering
Committee. Others may not have properly planned roles and a clear RACI
matrix (which identifies those Responsible, Accountable, Consulted, and Informed)
early on which doomed the program to failure. Still others may have
lost focus on the organizational change management and communications
aspects which are required to keep an IG program on track.
But
there have been some lessons learned from these failures, and the
approaches to creating and maintaining successful IG programs are
starting to coalesce. Here are seven key accelerators which can help
launch or expand your IG program:
1) Recruit a strong executive sponsor
- If there are multiple executive sponsors on board then nominate the
most senior one, or if that is not logical, the one with the most
commitment (and the most to lose or gain). If you have none and are
evaluating executive sponsors, find that person who has the highest
information risk levels, the one who has the most to lose from a data
breach, from noncompliance fines, or from soaring legal costs. Or even
rapidly increasing information storage costs.Think General Counsel, CIO,
COO, Chief Risk Officer, Chief Information Security Officer, Chief
Privacy Officer, and similar titles. Ideally, the CEO is a solid choice.
They have clear budget and decision authority. These senior executives
likely have been considering various piecemeal measures and you can
educate them on the benefits of taking a holistic IG approach and
aligning the effort with strategic business objectives. Of course, if
you are one of the few to have a Chief IG Officer that is the obvious
choice for executive sponsor;
2) Find common ground
- most larger organizations have some form of a data governance or at
least data quality program on an ongoing basis. The goals of a data
governance program align with higher level IG program goals. Remember,
IG programs must be driven from the top down, but implemented from the
bottom up for best results. So this should be a good marriage. "Find
your natural allies," as Bennett Borden of the IG Initiative says. If
your organization is planning on implementing email archiving, and email
policy is going to have to be reviewed and revised, this is a good time
to dovetail off of that project to launch a fledgling IG effort. If you
are in records management, your skills can be helpful in working with
your General Counsel to improve litigation readiness, reduce legal
e-discovery costs, and reduce attorney document review costs. If you are
in IT you may want to team with the records management lead and
approach business unit leaders who have the biggest information
management problems or the most litigation and help them improve their
approach to records and e-document management;
3) Leverage Audit Findings
- an internal audit of procedures and practices may reveal weaknesses
that are putting your information at risk. If you are looking to gain a
mandate for IG, findings from an internal audit can provide the mandate
for moving forward with an IG program;
4) Piggyback on existing projects
- especially those that are approved and funded, or those that are
likely to. For instance, if your organization is due for a refresh in
enterprise content management (ECM) this would be an ideal time to go a
step further and implement a more comprehensive IG program which can
work in lockstep with the ECM implementation. If you have a Chief Data
Officer and robust data governance program, IG is a natural fit. If
legal hold notification (LHN) has been implemented and now additional
efficiencies in the e-discovery process are being pursued, a broader IG
approach may be well-timed;
5) Emphasize hard cost savings
- show a hard dollar benefit, then layer on the benefits of information
risk reduction, reputational risk reduction, improved compliance
capabilities, and improved efficiency in implementing legal holds and
other litigation-related tasks. Where do you find those hard dollar
savings? An easy target is storage. With a current and complete data map
and leveraging file analysis tools you can show executives which
information is worthless redundant, outdated or trivial (ROT) and how
much storage costs can be cut or at least the rate of growth can be
slowed. Other cost impact areas may be reductions in cyber-insurance
costs and e-discovery costs due to an ongoing IG program;
6) Cite the impact of poor IG
- one large financial institution we are working with presented their
executives with a list of all the compliance fines that their
competitors have paid - sometimes into the billions - when making the
case for moving forward with an IG program. You may also want to cite
"worst case" general examples of breaches that have heavily damaged
companies like Sony Pictures, Anthem, and Target;
7) Establishing a legal defense
- if executives still are not convinced, then let them know that in
cases like Sony Pictures and Anthem, where employees or customers have
had their personal data compromised, there will be lawsuits. And if an
organization has an IG program in place and has taken reasonable "best
effort" steps to secure sensitive information including personally
identifiable information (PII) and protected health information (PHI),
then the foundation for a legal defense is in place, and although
culpability may be found, the awards will be smaller which lowers the
cost of legal claims.
These are just some of the accelerators that
can help get your IG program launched or expanded. I'd be glad to hear
of more that you have found to be fruitful and effective.
Robert Smallwood is Managing Director of the Institute for IG at IMERGE Consulting, which can be found at www.IGTraining.com.
He teaches comprehensive courses on IG and E-records management for
corporate and public sector clients. He is the author of 3 leading books
on Information Governance: Information Governance: Concepts, Strategies. and Best Practices (Wiley, 2014); Managing Electronic Records: Methods, Best Practices, and Technologies (Wiley, 2013); and Safeguarding Critical E-Documents (Wiley, 2012).
Follow Robert on Twitter @RobertSmallwood and if we are not connected - please feel free to reach out!
#InformationGovernance