Without Information Management how do we Apply Governance Policy?
Date Released: March 2019
In the Digital Age enterprises understand the need to transform their business model to automate business processes leveraging the data and information that is available across the enterprise. This represents a tremendous business opportunity but is also a significant challenge.
At the heart of this transformation, and increasingly a by-product of it, is digital information. In a global digital economy, making use of information and data as part of the business model is critical for progress and success.
Information Governance, a relatively recent practice, has been defined by IGI as: “The activities and technologies that organisations employ to maximise the value of their information while minimising associated risks and costs”
There are many elements to Information Governance with the major ones being:
« Information Management
« Records Management
« Cyber Security
« Data Governance
« Data Analytics
« Risk & Compliance
2. Information Governance – Value or Compliance?
The 2018 IGI’s State of Information Governance Report states that Information Governance does not happen in isolation, it covers many different disciplines and practices across an organisation and one of the challenges faced is that it is being very much driven from a compliance perspective rather than a value perspective.
For typical organisations goals for Information Governance are to:
« Treat information as a business asset
« Use information to support business goals and objectives
« Increase the business value of information
« Reduce operational, legal and regulatory risk
« Ensure information is managed in a compliant manner
Information Management covers management of the following aspects:
« Data – the facts and figures from which information is derived.
« Information – data in context.
« Knowledge – the practice of creating, using, managing and sharing information
« Wisdom – the bodies of knowledge that develop across an enterprise
« Insights – learnings that are available for making future enterprise decisions.
The key component of Information Governance that delivers Enterprise Information Value is Information Management. In fact without understanding the information that drives an organisation and how it is used there will be no understanding of where to apply governance to achieve compliance with any policies or procedures put in place by an IG program.
The AIIM 2017 industry survey on Governance and Compliance reported that the biggest challenges reported in relation to IG are getting anyone interested (38%), getting endorsement by senior management (35%) and having the right people involved (31%). 28% of respondents also reported that they had difficulty allocating enough time from their day job to support IG efforts, and difficulty enforcing IG policies once they are complete, indicating that though there may be verbal support from management, it is nothing more than that.
The business mindshare generated by increasing the value of information through a targeted Information Management project is a far easier route to project funding. Driving IG through this route in incremental steps is a far less daunting proposition than trying to get enterprise buy-in across all business areas for an Enterprise Wide Information Governance program.
A key challenge of an IG program is to balance the need to meet legal and regulatory compliance with the operational needs of the business, its users and the creation of value for all stakeholders.
3. Information Management
Typical Information Management programs ask the following questions:
« What Information do we need to manage – What’s important? What is of value? Who has it? Where does it live? Is it secure? Where do I start? What is the information lifecycle? How can we manage information across dispersed systems and geographies?
« Governance – When and how do we get this in place? Who is responsible for the governance? How do we get everyone on board? Where do we start? What about legacy systems?
« Records Management – Is this part of Information Governance - Where does this fit? What policies and processes do we need to put in place to meet requirements?
As controls and processes are introduced to deliver IG components it is important to understand the ramifications for the business and keep these in mind as the business solution is implemented. These processes usually involve the system, policies, processes, people, change and end user enablement.
More organisations are starting to see that an IG policy and related processes that are unnecessarily restrictive will in fact limit its adoption in the organisation.
The key to a successful implementation of an Information Management Solution is to incorporate IG into the solution looking at the way the organisation works with information to deliver business outcomes, including:
« The information that is required to complete the business processes to provide each outcome,
« How this information is used by the people who do the work to complete the processes,
« The technology to manage the information and enable the people to do the work, and
« The policies and processes that are required to manage the information from the perspective of the organisation’s legal obligations.
4. Information Governance Framework
An Information Governance Framework allows for the development of a common set of rules and processes for the management of information assets. It identifies the key stakeholders involved in Information Governance within the organisation, and the ultimate business outcomes sought. Ultimately, successful implementation requires a balance across all business drivers and stakeholder requirements.
A framework recognises the difficulty in establishing an upfront Information Governance initiative across an organisation and instead promotes an incremental approach based on organisational priorities and existing programs of work.
As IG controls and processes are introduced it is important to ensure a balanced approach when addressing common challenges which include:
« Most Information Management initiatives do not have stakeholders across the enterprise but are driven from a specific area of the business. Involvement of stakeholders from areas such as legal, records management, risk, security will be required to ensure specific IG requirements are understood and to get organisational wide stakeholders and raise visibility of the value.
« Typically, when implementing an Information Management solution, the Taxonomy is designed from analysing business artefacts rather than the processes that create, search for, and reuse these artefacts to add business value. Focussing on business processes supports increasing value rather than just managing information.
« To drive an enterprise initiative around IG, the focus needs to be on creating value. It needs to apply end to end across the business and be closely aligned to the business processes of the organisation both structured and ad hoc.
« A key challenge is to balance the need to meet legal and regulatory compliance with the operational needs of the business and its users.
5. Alignment of IG Concepts for Information Management Programs
The right conversations - Information Governance means many things to many people. Before engaging with stakeholders, you need to make sure you are having the right conversations in a language that your stakeholders understand.
Align IG to business objectives - Traditionally the drivers for an IG program are regulatory or legal compliance. In highly regulated industries this can be enough of a “big stick” to ensure its adoption, for many organisations though it needs to show greater value. The IG program must also:
« Address the broader needs - not just focus on legal and regulatory compliance
« Be connected to business objectives
« Tie into other organisational initiatives and programs of work
« Be included from the beginning as part of any new solution or business process that impact on how users manage information
Positioning IG holistically to drive compliance and deliver business value will vastly increase the business acceptance.
The subtle change to IG - Deploying an enterprise wide IG program at once in a ‘big bang’ manner increases the risk of failure by overwhelming the organisation. Instead by introducing these changes progressively across the organisation it increases the chances of success and provides the opportunity to refine the IG program before each successive roll out. This can be achieved in many ways:
« Focusing the program on certain information types exposed at the highest risk initially
« Performing a staged deployment department by department.
« By embedding new processes as part of other projects, process or system changes
« Including IG Roles and responsibilities in broader organisational changes
Gain business support early - After establishing the scope and breadth of the IG program of work it’s imperative to gain the support of the business before diving into the deep end. This is achieved by:
« Establishing the right sponsor. Sometimes the best sponsor comes out of areas other than Legal, Risk or Compliance. For example, an IG program that initially focusses on improving value of customer information, while still meeting regulatory compliance, could be driven by a sponsor from the sales or marketing as they will resonate most with the stakeholder impacted by the initial change
« Including the business in the development of the IG framework as involvement creates ownership
« Focusing the program on the business value of IG
« Avoiding over use of noncompliance “scare tactics”
« As business support increases it can then be used to create a critical mass for success across other areas of the business.
Key Learning – it is all about your people
Marie Felsbourg, Astral - Founder and Director Astral, Director Delaware, Director InfoGovANZ
This article was originally published on Astral website.