AIIM Open Forum

 View Only

Information Governance Success: Getting Your Program Off the Ground

By Robert Smallwood posted 02-12-2015 14:32

  

7 Key IG Accelerators

Searching for ways to launch an Information Governance (IG) program, or expand an existing one?

IG is "policy-based control of information to maximize value and meet legal, regulatory, risk, and business demands." One of the biggest problems with kicking off new Information Governance programs is that they take on average a year or more to form, according to research by the IG Initiative. Beyond that, many IG programs lose steam and fail to meet the organization's objectives. This can occur for a variety of reasons, adhering to the Anna Karenina principle, which is derived from the opening to Tolstoy's book,

"Happy families are all alike; every unhappy family is unhappy in its own way."

In other words, every IG program failure is unique and due to a mix of shortcomings.

One IG industry leader confided, "I have designed perfect IG programs and nothing happened." In this case there likely were significant weaknesses in the approach, including lack of strong executive sponsorship and developing a clear business case. Other failed IG programs may not have had the right mix of players named to the IG Program Team or Steering Committee. Others may not have properly planned roles and a clear RACI matrix (which identifies those Responsible, Accountable, Consulted, and Informed) early on which doomed the program to failure. Still others may have lost focus on the organizational change management and communications aspects which are required to keep an IG program on track.

But there have been some lessons learned from these failures, and the approaches to creating and maintaining successful IG programs are starting to coalesce. Here are seven key accelerators which can help launch or expand your IG program:

1) Recruit a strong executive sponsor - If there are multiple executive sponsors on board then nominate the most senior one, or if that is not logical, the one with the most commitment (and the most to lose or gain). If you have none and are evaluating executive sponsors, find that person who has the highest information risk levels, the one who has the most to lose from a data breach, from noncompliance fines, or from soaring legal costs. Or even rapidly increasing information storage costs.Think General Counsel, CIO, COO, Chief Risk Officer, Chief Information Security Officer, Chief Privacy Officer, and similar titles. Ideally, the CEO is a solid choice. They have clear budget and decision authority. These senior executives likely have been considering various piecemeal measures and you can educate them on the benefits of taking a holistic IG approach and aligning the effort with strategic business objectives. Of course, if you are one of the few to have a Chief IG Officer that is the obvious choice for executive sponsor;

2) Find common ground - most larger organizations have some form of a data governance or at least data quality program on an ongoing basis. The goals of a data governance program align with higher level IG program goals. Remember, IG programs must be driven from the top down, but implemented from the bottom up for best results. So this should be a good marriage. "Find your natural allies," as Bennett Borden of the IG Initiative says. If your organization is planning on implementing email archiving, and email policy is going to have to be reviewed and revised, this is a good time to dovetail off of that project to launch a fledgling IG effort. If you are in records management, your skills can be helpful in working with your General Counsel to improve litigation readiness, reduce legal e-discovery costs, and reduce attorney document review costs. If you are in IT you may want to team with the records management lead and approach business unit leaders who have the biggest information management problems or the most litigation and help them improve their approach to records and e-document management;

3) Leverage Audit Findings - an internal audit of procedures and practices may reveal weaknesses that are putting your information at risk. If you are looking to gain a mandate for IG, findings from an internal audit can provide the mandate for moving forward with an IG program;

4) Piggyback on existing projects - especially those that are approved and funded, or those that are likely to. For instance, if your organization is due for a refresh in enterprise content management (ECM) this would be an ideal time to go a step further and implement a more comprehensive IG program which can work in lockstep with the ECM implementation. If you have a Chief Data Officer and robust data governance program, IG is a natural fit. If legal hold notification (LHN) has been implemented and now additional efficiencies in the e-discovery process are being pursued, a broader IG approach may be well-timed;

5) Emphasize hard cost savings - show a hard dollar benefit, then layer on the benefits of information risk reduction, reputational risk reduction, improved compliance capabilities, and improved efficiency in implementing legal holds and other litigation-related tasks. Where do you find those hard dollar savings? An easy target is storage. With a current and complete data map and leveraging file analysis tools you can show executives which information is worthless redundant, outdated or trivial (ROT) and how much storage costs can be cut or at least the rate of growth can be slowed. Other cost impact areas may be reductions in cyber-insurance costs and e-discovery costs due to an ongoing IG program;

6) Cite the impact of poor IG - one large financial institution we are working with presented their executives with a list of all the compliance fines that their competitors have paid - sometimes into the billions - when making the case for moving forward with an IG program. You may also want to cite "worst case" general examples of breaches that have heavily damaged companies like Sony Pictures, Anthem, and Target;

7) Establishing a legal defense - if executives still are not convinced, then let them know that in cases like Sony Pictures and Anthem, where employees or customers have had their personal data compromised, there will be lawsuits. And if an organization has an IG program in place and has taken reasonable "best effort" steps to secure sensitive information including personally identifiable information (PII) and protected health information (PHI), then the foundation for a legal defense is in place, and although culpability may be found, the awards will be smaller which lowers the cost of legal claims.

These are just some of the accelerators that can help get your IG program launched or expanded. I'd be glad to hear of more that you have found to be fruitful and effective.

Robert Smallwood is Managing Director of the Institute for IG at IMERGE Consulting, which can be found at www.IGTraining.com. He teaches comprehensive courses on IG and E-records management for corporate and public sector clients. He is the author of 3 leading books on Information Governance: Information Governance: Concepts, Strategies. and Best Practices (Wiley, 2014); Managing Electronic Records: Methods, Best Practices, and Technologies (Wiley, 2013); and Safeguarding Critical E-Documents (Wiley, 2012).

Follow Robert on Twitter @RobertSmallwood and if we are not connected - please feel free to reach out!



#InformationGovernance
0 comments
80 views

Permalink