Information Governance: How Exactly do you Govern Everything?

In Ricoh’s experience, companies (from SMBs to the largest multinationals) that have successfully implemented information governance programs have done so as a reaction to a set of circumstances. Not executive edict. Not top-down. 

Sometimes the cause may be as simple as an office relocation that presented an opportunity to clean up. Infrastructure-focused changes, like a planned migration to a new system, may prompt the effort. Other triggers can include a cloud migration and strategy or a paper-to-digital project that began in response to employees now working from home or other distributed workforce challenges.

Examples include:

• Becoming compliant with the GDPR, CCPA/CPRA.
• Discovery issues or DSAR response challenges.
• Becoming compliant with new regulations.
• A merger, acquisition, or divestiture.
• A data breach, misuse of PII, or exposure.

In short, any one of these events can be a trigger that surfaces systemic challenges and presents an opportunity to improve the organization's information governance maturity. 

This “bottom-up” approach to information governance – working from the perspective of the individual challenge as starting point and analyzing root causes – attacks information governance in strides rather than attempting the leaps and bounds so often stymied by budget and resource constraints. 

Immediate needs determine the priorities with this approach, which comes with benefits. For example, it mitigates risks (whether compliance and legal-related or competitive risks to the business). When structured well, it also delivers sustainable value. 

The alternative – approaching "information governance" holistically as a single project – has too many inherent risks of failure, not the least of which is the failure to launch.

Tackling information governance as a singular unified object would be nothing short of quixotic.

It can be difficult to comprehend executing a strategic cloud migration, a records location and classification project, a consumer communications project, and a digitization program all under a single remit with the same committee of stakeholders and the same executive sponsor. 

• Each has its own required policies and procedures, compliance requirements, risks, values, and governing principles. 
• Each requires very specific areas of experience and know-how. 
• The technologies deployed and infrastructure requirements are often specific to the challenge as well.
  

Yet, underlying information used, intersecting processes, and business requirements and constraints may suggest an interconnectedness between all of these projects. Even so, we should remember that this interconnectedness does not de facto demand approaching these disparate processes and all the things they touch as one program.

In our experience, it demands the opposite.

The most effective strategy approaches information governance as multiple workstreams – prioritized by an organization's most pressing need or opportune circumstance. 

With this approach, you can govern “everything.”

In fact, for many of our clients, we execute against multiple concurrent workstreams. Each positively contributes to the others and to the organization's overall information governance posture. The results are improved performance, lower costs, enhanced sustained value, and risk mitigation. These results are not confined to the individual workstream(s) but accrue to the organization as a whole.

This is not to say that an individual workstream is simple. A workstream can range from a "quick win" project essential to gaining executive buy-in to large – and complex in their own right – programs that extend over multiple years. So, while not necessarily simple, taken individually rather than as a whole, information governance improvements are no longer overwhelming.

Each workstream is an upward step on the stairs leading to a robust information governance maturity.

(We stress here that information governance projects and programs often not only pay for themselves but achieve very attractive ROI in real terms (read improved productivity and lower infrastructure costs, to name only two.) Others prevent potential losses, such as the harms of regulatory non-compliance or poor customer responsiveness.)

 

Business has an interest in information proportional to its value. Once that value expires, the business quickly loses interest in managing it, cleaning it up, or paying for it to be stored. —The Information Governance Reference Model

While the workstreams are focused, the assessment necessary to finding the optimum solution is programmatically information governance. The difference is a crucial one.

The focus may be improving a specific process (e.g., legal holds) or executing a specific transformational program (e.g., cloud migrations or RIM program). But individual workstreams share upstream dependencies, and of course, downstream and cross-stream effects. 

It is difficult to imagine any process or endeavor that does not ultimately rely on an organization's information assets in all their manifestations: records, documents, policies & procedures, intellectual property, employee knowledge, and more. Ultimately, every process' and every endeavor's value or risk is a function of information governance. 

This recognition is why the EDRM (electronic discovery reference model) evolved from the original eDiscovery model to include the now robust IGRM (information governance reference model). Everything flows back to information governance.

When you address individual challenges with an information governance purview, the result is sustained value. Conversely, if the approach is as narrow as the scope, you may not achieve sustainable value; you may create new problems.

Consider what might be viewed as a "simple" project: scanning to digitize hardcopy.

Despite promises of a paperless office stretching back 30 years, offices still have an abundance of hardcopy documents for:

• Client work
• Product, employee, and customer records
• Records necessary for regulatory compliance
• Documents containing intellectual capital
• And more.

Managing paper documents is unwieldy. It requires significant storage space. And search and retrieval can be difficult. (This is to say nothing of the mountains of paper at offsite storage locations.)

To tackle this problem, many enterprises scan those documents to a file location (often a SharePoint site), successfully turning a hardcopy mess into…well…a digital mess. In practice, these resultant PDFs may be even more difficult to search and retrieve than their hardcopy predecessors.

The wider purview of information governance corrects for this and ensures that a proper assessment is made. When executed, the project delivers its intended value, often preventing new (sometimes hidden) problems that surface later on.

Consider:

• For whom are the documents useful?
• How are the documents you are scanning going to be classified?
• How will different groups search these documents?
• What taxonomies or metadata and tagging needs to be considered for efficient search and retrieval?
• Is there ROT? Are there unneeded copies or documents that no longer have relevance?

A proper assessment premised on information governance principles makes all the difference between a limited or temporary benefit (or worse, even more risk) and outcomes optimized for enhanced value and reduced risk. After all, you want to fix a problem once and not have to fix it again and again.

The adage "if you can't measure it, you can't manage it" remains a popular truism. But if you can't account for the whereabouts or even the very existence of some of your information assets, you can't begin to measure it in terms of value or risk, let alone manage it.

Organizations are increasingly implementing data mapping strategies to:

• Enable cost-effective and efficient data discovery and classification,
• Understand what data assets are owned (especially PII and sensitive information)
• Know where that data resides, and 
• See how data flows between systems. 

For businesses that lack data mapping solutions, our consultants deploy methodologies and tools that both map and analyze information at the individual record level.

Data discovery and classification assessments are foundational to any information governance workstream and increasing overall information governance maturity. But perhaps more important is establishing an information governance management framework to support individual workstreams and larger initiatives.

At a top-level, our 4S IG Framework – Strategy, Structure, Systems, and Skills — positions organizations for excellent project outcomes and the ability to take on more complex long-term information governance programs. The 4S IG Framework is structured to engender insights, leverage the firm's culture, align with organizational structure and resources, and deploy technology and processes to their best effect.

This framework helps organizations:

• Develop useful information governance strategies that align with corporate vision and better assess priorities; 
• Provide a means for choosing committee members, executive sponsors, and organize stakeholder involvement; 
• Ensure appropriately skilled resources are available; and,
• Deploy communications about awareness, education, and training programs. 

The challenge with all enterprise-wide initiatives has always been the specter of "boiling the ocean" futility. They are too complex, drain resources, and expensive. For example, when enterprise content management (ECM) appeared on the scene, the failure rate of ECM initiatives was estimated at 60%.

Companies are dynamic entities. As such company-wide initiatives have a complex web of dependencies, reinforcing loops, counter-balancing loops, interactions, and constraints (many unknown) that also change over time.

The approach to information governance presented here recognizes these dynamics and is designed to neutralize them:

• Self-prioritizing "Bottom-up" approach vs. "Top-down" edict
• Relevant leadership defined by the challenge instead of a "standing committee" and executive sponsor
• Simplification via a focused workstream
• Assessments to drive sustained value (not big bills for big studies and reports that quickly become obsolete)
• An IG Framework to rationalize resources, ensure business alignment, extract and deliver insights, and position for success

This approach is the way information governance change happens. 

It unites critical processes where you're operating and business functions are occurring. It's where everyone is invested in the outcome. 

It is information governance that doesn't get lost in the vastness of everything.