1

INFORMATION GOVERNANCE (IG)

What Does That Really Mean?

Donna Read, CRM, CDIA+

November 18, 2014

Florida Gulf Coast ARMA Chapter

2

Agenda• Defining Information Governance• Why is it difficult to implement?• People – Processes - Technology• Wrap your arms around the beast.

3

Difference Between RIM & IG

• Records Management is tactical• Information Governance is strategic

To be strategic, you need partners, sponsors, and a network

• Tactical - Designed to achieve a particular effect or goal.

adj.tactical, expedient, schematic, strategic.

• Strategic - or a strategy - A method worked out for accomplishing something : plan, blueprint, design, course of action, plan of action, game plan, master plan, project, scheme, strategy, format, stratagem, procedure.

4

IG – What Does It Mean?

• “..a holistic approach to managing and leveraging information for business benefits encompassing information quality, protection and lifecycle management.” AIIM

• “..multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at an enterprise level, supporting an organization’s immediate and future regulatory, legal, risk, environmental and operational requirements.” WikiPedia

5

From The Sedona Conference “Information governance means an organization’s

coordinated, interdisciplinary approach to satisfying compliance requirements and managing information risks while optimizing information value.

As such, Information Governance encompasses and reconciles the various legal and compliance requirements and risks addressed by different information-focused disciplines, such as records and information management, data privacy, information security, and e-discovery.”

Source: The Sedona Conference® Commentary on Information Governance (Dec. 2013)

6

No – Really What Does It Mean?

• “…enterprise-wide program that incorporates multiple organizational disciplines and that contemplates policies, procedures, processes, and controls designed and implemented to management information.” AIIM

• “...a vehicle to ensure compliance to regulation, encompassing people, processes and technologies to support the best practices of the organization.” KM World

7

Key Words • Holistic ----- the parts of something as intimately interconnected and explicable only by reference to the whole

• Managing – Leveraging – Controlling• Policies - Procedures - Processes• Ensure Compliance

• Encompassing: Information quality & protectionImmediate and future operational

requirementsPeople, processes, & technologies

8

Official Records

Holds

Non-Records

Reference and Convenience Information

TrashDuplicates

Information Security

(PII)

9

10

11

What Does ARMA Have To Say?• The Principles!!!!• Information Governance Maturity Model

“Information is one of the most vital, strategic assets organizations possess. They depend on information to develop products and services, make critical strategic decisions, protect property rights, propel marketing, manage projects, process transactions, service customers, and generate revenues. This critical information is contained in the organizations' business records.

• It has not always been easy to describe what "good information governance" looks like.” www.arma.org

12

Beginning to Look A Little Confusing –Like Herding Cats?

13

Why Is IG So Difficult?

• Confusion Terminology

• Frustration - inability to focus on positive side of cost avoidance and managing risk

• Why is adoption rate low?Perceived to have no direct business benefitChallenges in business buy-in and fundingSeen as critical but highly political, complex, long-term and multi-year

initiativeCurrently a “on size fit all” approachLack of metrics-driven measurement of benefitTotal cost of IT ownership (TCO) rarely measured or tracked

14

Status Quo Not Working

• “The one thing that everyone can agree upon is that the status quo is not working. Symptoms are everywhere with comments like ‘we need help to govern the data in these warehouses since the date is always wrong, incomplete or erroneous’ are the norm rather than the exception.”

• Thornton May, Futurist & Executive Director, IT Leadership Academy

15

TMI• IDC (International Data Corporation) Report: 1800 new

exabytes this year -- (1 exabyte = data equivalent to 50,000 years of continuous movies)

• Information governance is needed in a world where . . .

1. 80% of enterprise data is unstructured

2. 60% of documents are obsolete

3. 50% of documents are duplicate

4. 80% documents are not retrieved by traditional search

16

What Is Needed For IG

•Organizational Mindshare•Senior Level Support•Awareness of need for change•Willingness to change•Resources

17

Who Are The Stakeholders?

•Senior level management•IT•Legal•Records Management•Accounting•The Users

18

Getting Buy-In• Not an easy job• What does everyone care about? WIIFM

“You have to align with what your organization cares about – figure out what that is - to use as a lever for embedding Information Governance.” Monica Crocker

19

IG and Social Media

• New trends constantly emergingToday – SMC – Social/Mobile/Cloud

• Requires updating IG program and it’s deployment

• BYOD (bring your own device) muddies the waterDoes your organization have polices in place for BYOD?

• Content generated from company account or…• Content generated using personal account for business

purposes…..• Must be governed under same policies as rest of information

20

IG and Big Data

21

The Meeting of IG and BD• BD – “data lake” stores unlimited amounts of data, in any format, scheme

and type

• Theoretically could hold all of an organization’s data

• 1000’s of regulations impacting management of information

• Balance – information value with information risk

• Must know what you have – starting point for IG

• As data gets older, value diminishes – never really useless

• Risks in keeping include – increased storage costs, litigation, & regulatory sanctions

• Saving everything is unsustainable

22

Archives Must Include• Ingesting & retaining all types of information – both structured

and unstructured

• Auditing and preserving data and content to meet regulatory and governance mandates

• Require no dependence on originating applications to manage or reference information and records

• Maintain clear, defensible chain of custody

• Deliver records and retention capabilities with audit trails

• Preserve information in an immutable form

23

Three-Phased Approach• Current State Assessment Review all relevant policies and procedures Stakeholder interviews and focus groups to define current state of information

management practices Identify RIM vulnerabilities and develop key observations of “as is” state

• Analysis and Recommendations Identify best practice standards and benchmarking targets Evaluate current information management processes against standards and industry

best practices including “The Principles” Assign maturity rating and develop recommendations for the enhancement of

information management practices

• Strategy and Roadmap Summarize assessment, methodology and recommendations Validate with sponsors Develop strategies Develop tactical project plans for each strategy Develop implementation roadmap

Huron Consulting Group

24

Information Governance Infrastructure

Huron Consulting Group

25

Assess Current Situation – not an easy job

• Are your retention policies being applied to both structured and unstructured data?

• Are your shared drives/hard drive used as a dumping ground with no structure?

• Do you have an EDMS/RMA etc. in place but it not being fully utilized?

• Do you have an ESI Data Map, or a Data Source Catalogue?• Are there workarounds for system limitations that set, i.e. size

of email box?

• Can your employees find the correct and relevant data they need to perform their work?

26

Three Buckets1. The stuff you know enough about to keep

2. The stuff you know enough about to throw away

3. Outliers & anomalies: the stuff you don’t have enough information on to make a reasonable decision

Taking slices of the data: looking at a minimum amount of information (logs, dates, times, domains, custodians) to make the remediation call.

Huron Consulting Group

27

Structured Data Remediation Plan

For each identified system: (do you know your critical systems)

• Does the system contain “records” and how does this relate to the retention schedule

Issue of relational databases, transactional systems, etc.

• Risk / cost analysis of over-retention

• Remediation options• Manual• Systematic

Huron Consulting Group

28

Potential “To Do” List1. Does your RIM program need refinement?

2. Are your retention schedules and legal compliance rules up to date?

3. Do you need to update policies and procedures?

4. Should training be enhanced or include more staff?

5. Is there a strategy for dealing with unstructured content?

6. Do you have a structured Data System remediation plan?

7. Who is responsible for constructing the ESI Data Map?

29

Summary

• Need to define IG for stakeholders• Convince them why they should care• Assess current situation• Create plan for remediation

30

The End

Donna Read, CRM, CDIA+Florida Gulf Coast ARMA Chapter

dlread@verizon.net