
Information Governance: How Exactly do you Govern Everything?

Summary

We share the most effective approach to information governance from our experience.

Read time: 11 minutes

Information can be thought of as the resolution of uncertainty…The concept of information has different meanings in different contexts. Thus, the concept becomes related to notions of constraint, communication, control, data, form, education, knowledge, meaning, understanding, mental stimuli, pattern, perception, representation, and entropy. —Wikipedia (emphasis added)

Governance: the way in which an organization is managed at the highest level, and the systems for doing this. —Cambridge Dictionary (business English)

It has been some time since the land, labor, capital triumvirate was displaced by information as the defining asset of business. In fact, information (aka data) has become so valuable an asset that there are concerns regarding emerging “data monopolies” and a “data industrial complex.” Anti-trust actions to regulate control of information have even become a possibility, similar to those anti-trust actions that regulated control of physical assets in the early 20th century.

As Apple Senior Vice President of Software Engineering Craig Federighi opined (in the context of data privacy), businesses “sell and hoard as much of your personal information as they can. The result is a data-industrial complex, where shadowy actors work to infiltrate the most intimate parts of your life and exploit whatever they can find.” (Lomas, 2020). The value of data is such that businesses don’t merely collect data, they “hoard” it.

The same is true of non-personal data (structured, unstructured, soft, and hardcopy). And as those in records management, risk and compliance, cybersecurity, and eDiscovery are all too aware, data (and the inclination to hoard it) is an asset that can come back to bite you.

The challenges facing businesses

Information and its use concern almost every area of business: regulatory compliance, security, privacy, IT infrastructure, finance, accounting, human resources, marketing, sales, legal and legal operations, contract management, supply chain management, product and service development, records management, workforce management, business planning, and strategy. 

Information is intellectual capital and a vital source of competitive differentiation. And today, we create and collect ever-increasing amounts of information. It is parsed, aggregated, analyzed, and monetized. It is not a stretch to say that, in the information age, data is everything - including a source of risk.

Certainly then, given the value and risks associated with information, it is the first order of business to govern this asset well. But how exactly – in some single programmatic way – do you govern everything?

Who’s on Top?

Who should be in charge of this vast enterprise? Most, if not all, advice suggests that it takes a "top-down" approach to establish an information governance program effectively.

For example, The Sedona Conference Commentary on Information Governance states: “Information Governance should involve a top-down, overarching framework guided by the requirements and goals of all stakeholders that enable an organization to make decisions about information for the good of the overall organization and consistent with senior management’s strategic directions” (The Sedona Conference Journal Volume 20, 2019).

Given this excellent characterization of information governance, who exactly should be at the “top” of an information governance program? Who is that executive sponsor?

Ricoh proffers that the answer to this is a function of a specific company’s culture, industry, available resources, and structure. Certainly, given the diversity of stakeholders, information governance requires a cross-functional team comprising, for example, representatives from the OGC, CIO, CTO, and the business unit. The exact makeup of this "information governance committee" and who should lead this team – the executive sponsor – may best be determined by the particular challenge(s) a business needs to address.

Triggers

In Ricoh’s experience, companies (from SMBs to the largest multinationals) that have successfully implemented information governance programs have done so as a reaction to a set of circumstances. Not executive edict. Not top-down.

Sometimes the cause may be as simple as an office relocation that presented an opportunity to clean up. Infrastructure-focused changes, like a planned migration to a new system, may prompt the effort. Other triggers can include a cloud migration and strategy or a paper-to-digital project that began in response to employees now working from home or other distributed workforce challenges.

Examples include:

  • Becoming compliant with the GDPR, CCPA/CPRA.

  • Discovery issues or DSAR response challenges.

  • Becoming compliant with new regulations.

  • A merger, acquisition, or divestiture.

  • A data breach, misuse of PII, or exposure.

In short, any one of these events can be a trigger that surfaces systemic challenges and presents an opportunity to improve the organization's information governance maturity.

This “bottom-up” approach to information governance – working from the perspective of the individual challenge as starting point and analyzing root causes – attacks information governance in strides rather than attempting the leaps and bounds so often stymied by budget and resource constraints.

Immediate needs determine the priorities with this approach, which comes with benefits. For example, it mitigates risks (whether compliance and legal-related or competitive risks to the business). When structured well, it also delivers sustainable value. The alternative – approaching "information governance" holistically as a single project – has too many inherent risks of failure, not the least of which is the failure to launch. Tackling information governance as a singular unified object would be nothing short of quixotic.

Information Governance as Workstreams

It can be difficult to comprehend executing a strategic cloud migration, a records location and classification project, a consumer communications project, and a digitization program all under a single remit with the same committee of stakeholders and the same executive sponsor.

  • Each has its own required policies and procedures, compliance requirements, risks, values, and governing principles. 

  • Each requires very specific areas of experience and know-how. 

  • The technologies deployed and infrastructure requirements are often specific to the challenge as well.

Yet, underlying information used, intersecting processes, and business requirements and constraints may suggest an interconnectedness between all of these projects. Even so, we should remember that this interconnectedness does not de facto demand approaching these disparate processes and all the things they touch as one program.

In our experience, it demands the opposite.

The most effective strategy approaches information governance as multiple workstreams – prioritized by an organization's most pressing need or opportune circumstance.

With this approach, you can govern “everything.”

In fact, for many of our clients, we execute against multiple concurrent workstreams. Each positively contributes to the others and to the organization's overall information governance posture. The results are improved performance, lower costs, enhanced sustained value, and risk mitigation. These results are not confined to the individual workstream(s) but accrue to the organization as a whole.

This is not to say that an individual workstream is simple. A workstream can range from a "quick win" project essential to gaining executive buy-in to large – and complex in their own right – programs that extend over multiple years. So, while not necessarily simple, taken individually rather than as a whole, information governance improvements are no longer overwhelming.

Each workstream is an upward step on the stairs leading to a robust information governance maturity.

We stress here that information governance projects and programs often not only pay for themselves but achieve very attractive ROI in real terms - read improved productivity and lower infrastructure costs, to name only two. Others prevent potential losses, such as the harms of regulatory non-compliance or poor customer responsiveness.

Information Governance is Root Cause

Business has an interest in information proportional to its value. Once that value expires, the business quickly loses interest in managing it, cleaning it up, or paying for it to be stored. —The Information Governance Reference Model

While the workstreams are focused, the assessment necessary to find the optimum solution is, programmatically, information governance. The difference is a crucial one.

The focus may be improving a specific process (e.g., legal holds) or executing a specific transformational program (e.g., cloud migrations or RIM program). But individual workstreams share upstream dependencies, and of course, downstream and cross-stream effects.

It is difficult to imagine any process or endeavor that does not ultimately rely on an organization's information assets in all their manifestations: records, documents, policies & procedures, intellectual property, employee knowledge, and more. Ultimately, every process' and every endeavor's value or risk is a function of information governance.

This recognition is why the EDRM (electronic discovery reference model) evolved from the original eDiscovery model to include the now robust IGRM (information governance reference model). Everything flows back to information governance.

Govern information well, and you extract more value. Mismanage, and you extract more risk.

This Approach Creates Sustainable Value

When you address individual challenges with an information governance purview, the result is sustained value. Conversely, if the approach is as narrow as the scope, you may not achieve sustainable value; you may create new problems.

Consider what might be viewed as a "simple" project: scanning to digitize hardcopy.

Despite promises of a paperless office stretching back 30 years, offices still have an abundance of hardcopy documents for:

  • Client work

  • Product, employee, and customer records

  • Records necessary for regulatory compliance

  • Documents containing intellectual capital

  • And more.

Managing paper documents is unwieldy. It requires significant storage space. And search and retrieval can be difficult. (This is to say nothing of the mountains of paper at offsite storage locations.)

To tackle this problem, many enterprises scan those documents to a file location (often a SharePoint site), successfully turning a hardcopy mess into…well…a digital mess. In practice, these resultant PDFs may be even more difficult to search and retrieve than their hardcopy predecessors.

The wider purview of information governance corrects for this and ensures that a proper assessment is made. When executed, the project delivers its intended value, often preventing new (sometimes hidden) problems that surface later on.

Consider:

  • For whom are the documents useful?

  • How are the documents you are scanning going to be classified?

  • How will different groups search these documents?

  • What taxonomies or metadata and tagging need to be considered for efficient search and retrieval?

  • Is there ROT? Are there unneeded copies or documents that no longer have relevance?

A proper assessment premised on information governance principles makes all the difference between a limited or temporary benefit (or worse, even more risk) and outcomes optimized for enhanced value and reduced risk. After all, you want to fix a problem once and not have to fix it again and again.


Information Governance: Assessment and Readiness

Unsurprisingly, when our consultants perform assessments focused on a single challenge, clients recognize that many of its root causes exist in other areas throughout the organization. And often, the path to improvement made in a particular workstream is appropriate to those other areas. After all, the proper governance or mismanagement of information assets is a common denominator and systemic root cause.

As a result, we often do a broader baseline assessment. This approach helps an organization understand its current state and better position itself to continue information governance improvements.

The Information Assessment

The adage "if you can't measure it, you can't manage it" remains a popular truism. But if you can't account for the whereabouts or even the very existence of some of your information assets, you can't begin to measure it in terms of value or risk, let alone manage it.

Organizations are increasingly implementing data mapping strategies to:

  • Enable cost-effective and efficient data discovery and classification,

  • Understand what data assets are owned (especially PII and sensitive information),

  • Know where that data resides, and 

  • See how data flows between systems. 

For businesses that lack data mapping solutions, our consultants deploy methodologies and tools that both map and analyze information at the individual record level.

Data discovery and classification assessments are foundational to any information governance workstream and increasing overall information governance maturity. But perhaps more important is establishing an information governance management framework to support individual workstreams and larger initiatives.


Establishing a Governing Framework

At a top level, our 4S IG Framework – Strategy, Structure, Systems, and Skills – positions organizations for excellent project outcomes and the ability to take on more complex long-term information governance programs. The 4S IG Framework is structured to engender insights, leverage the firm's culture, align with organizational structure and resources, and deploy technology and processes to their best effect.

This framework helps organizations:

  • Develop useful information governance strategies that align with corporate vision and better assess priorities; 

  • Provide a means for choosing committee members and executive sponsors and for organizing stakeholder involvement;

  • Ensure appropriately skilled resources are available; and,

  • Deploy communications about awareness, education, and training programs.

The path to successful information governance

The challenge with all enterprise-wide initiatives has always been the specter of "boiling the ocean" futility. They are too complex, too expensive, and drain resources. For example, when enterprise content management (ECM) appeared on the scene, the failure rate of ECM initiatives was estimated at 60%.

Companies are dynamic entities. As such, company-wide initiatives have a complex web of dependencies, reinforcing loops, counter-balancing loops, interactions, and constraints (many unknown) that also change over time.

The approach to information governance presented here recognizes these dynamics and is designed to neutralize them:

  • Self-prioritizing "Bottom-up" approach vs. "Top-down" edict

  • Relevant leadership defined by the challenge instead of a "standing committee" and executive sponsor

  • Simplification via a focused workstream

  • Assessments to drive sustained value (not big bills for big studies and reports that quickly become obsolete)

  • An IG Framework to rationalize resources, ensure business alignment, extract and deliver insights, and position for success

This approach is the way information governance change happens.

It unites critical processes where you're operating and where business functions are occurring. It's where everyone is invested in the outcome.

It is information governance that doesn't get lost in the vastness of everything.

Get started building your information governance plan with our guide “3 Steps to Advancing Your Information Governance Plan.”


Kedar Thakkar is a Principal Consultant within the Governance, Risk and Compliance practice of Ricoh Enterprise Consulting Services. Kedar joined the Ricoh team in 2017 as an industry-recognized records and information management practitioner with 9+ years of experience in a variety of non-regulated and regulated industries. Additionally, he brings about 10 years of IT experience at various levels within the organization and across various industries.

Kedar specializes in developing robust information governance (IG) programs to identify, protect and leverage the information assets of organizations. His strong IT (development, administrative and architectural) skills bring a unique perspective to this field as we move into an era where the majority of information is digital in nature.

As a records and information governance practitioner in the Oil and Gas industry, Kedar has developed, implemented and promoted the growth of IG programs, record retention schedule administration and governance committees that sustain both departmental objectives and corporate initiatives. He has experience addressing IG compliance concerns throughout corporate transitions, including acquisitions, facility closures and information technology transformation.

Areas of expertise include the creation and improvement of essential elements for comprehensive records and information governance programs including:

  • Creating and sustaining IG Committees within organizations

  • Strategic approach to IG encompassing all aspects of People, Process and Technology

  • Proactive propagation of IG awareness throughout the organization

  • Consolidation and Implementation of enterprise-wide IT systems related to IG

Kedar has experience in working as an in-house practitioner as well as working as an independent consultant in the field of Information Governance. This allows him to understand and implement principles of IG from both perspectives.

Kedar is both an IGP (Information Governance Professional) accredited by ARMA and a CIP (Certified Information Professional) accredited by AIIM. He has been asked to speak at various local and national conferences organized by ARMA, Info-coalition, etc. to share his experiences in the field of Information Governance. In addition, he continues to educate himself in the field of IG and develops new methodologies to implement IG within organizations. He publishes blogs and actively participates in various other forums to discuss IG-related issues that organizations face in this current day and age.
