What’s the Plan?
This is the third article in our blog series looking at the practicalities of making Information Governance (IG) stick. Having introduced our take on IG in our overview article, ‘Living on the Left of the EDRM’, we then covered the leadership and vision needed to get an IG program started. So, with you as a reader ready at the starting line, this article explores the plan required to actually start work. Drawn from experience across a range of organizations, both enterprise and government, our aim here is to lay out the key parts of a working plan from which you can draw inspiration and ideas to apply to make your own. One size, of course, does not fit all, but best practice is always a great place to start.
Organize for Success
First and foremost, work out who will spearhead the program. This individual needs to set a vision and answer the crucial question ‘why?’. We addressed the ‘why’ in our last article on leadership and vision and here we’ll ask ‘who?’, generalizing the most appropriate role or position in the organization.
It’s hard to generalize about organizational roles, but one constant pretty much everywhere is Information Technology or IT. From the outset we want to be clear that, in general, IT is exactly the wrong place to seek sustained leadership for an IG program. This is because it is rare to find IT leadership actively seeking responsibility for the information it facilitates, stores, and protects, and because its ownership of the supporting technology architecture creates an unnecessary conflict of interest. What’s more, and maybe most importantly, IT is unlikely to have the skills required for success. That’s not to say that IT cannot lead; rather, it’s our experience that IT often ends up with the problem at its feet when it’s too hard to find anyone else. In our view, that means the program is set for failure. Of course, a powered-up IT lead who has sought the role rather than been handed it can be a good thing so long as conflicts of interest can be addressed.
In general, we would recommend that an IG program be led by some combination (or equivalent) of Compliance or Legal. Where it exists, we usually see a dedicated IG team reporting into one of these two, but it’s unusual to see that team with sufficiently senior representation to be effective in the lead role. Elsewhere we have seen Records teams acting as proxies for IG but, again, it’s unusual to see such a team with senior representation. There are circumstances when others are more appropriate; often, a specific event might trigger an entirely different approach where a different leader makes obvious sense – for example, a program started in response to a data breach might be led by the CISO.
A working program committee is a must. It brings together stakeholders to, among other things, drive program cadence, direct communications, be accountable for performance and the business case, and provide authority to act. In providing authority to act, it’s important to underline the need for an appropriate risk appetite – since IG programs inevitably involve the disposal of data, a committee that cannot set the necessary risk appetite will find itself forever mired in resolving escalations rather than directing the wider effort.
In many cases we find that a suitable function is already in place (for example, an IT investment committee, executive operations group or an information and records management committee). The important point is that it brings together stakeholders and program leadership in a deliberate effort to deliver beneficial change.
The program committee can consist of a range of members according to need but we generally see the following core membership:
- While we would recommend against an IT lead, IT engagement is crucial. Nothing moves unless the appropriate technology can be brought to bear through established change management.
- Compliance and the central records function are required to advise on the regulatory drivers and constraints for the program.
- With Information Security at the table, change control can be expedited, a key requirement since IG programs universally require the establishment of specific or elevated rights to information.
- Should the organization have an established Information Architecture team, their involvement promotes the alignment of current and future information and data standards.
- Notwithstanding our expectation that legal could potentially be involved in program leadership (directly or indirectly), representation is required at committee level to advise on and authorize retention as it relates to pending litigation or extant legal holds.
- Of course, where an IG team has been established, it should be central to this committee effort since it brings together a unique blend of skills which will maximize the likelihood of success.
In addition, we recommend that a non-core membership be established – these members take part when the focus is in their area of responsibility. Most commonly this would be information stakeholders from lines of business or business unit functions as the program progresses. See more later when we discuss ‘program shape’.
The Right Data
IG programs can fail in the starting blocks if program scope isn’t properly managed. To oversimplify, program leadership, advised by the program committee, needs to rein in its desire to boil the information ocean. Instead, it must identify and prioritize the right data with a risk appetite driven by the criticality of that data. In general, the greatest IG risks lie in the wilderness of uncontrolled unstructured (and semi-structured) data, where a combination of user and machine processes continually create, combine, and forget about huge volumes of information relating to just about any business function. The committee needs to build a roadmap which enables this data to be addressed methodically and programmatically, piece-by-piece, repository-by-repository, and function-by-function. This roadmap needs to account for the following real-world constraints:
- Data Volume. It is almost inevitable that potential data scope will outstrip the organization’s ability to consume it. Taking on too much, too quickly will lead to program stalling or failure.
- Technology. An IG program needs technology to scale up its people and processes. However, technology has its limits, and a well-functioning committee will not allow technology to drive the program.
- Risk. The roadmap should align business risk with program drivers. It is common to find that users place a premium on data that is inappropriate when compared to its value, risk, and provenance. Having a roadmap that anticipates this problem will arm the team with the tools needed to address any roadblocks.
Maverick Pilot Option
It’s good practice to undertake pilots in business areas that are strongly supportive of the program. We have, however, seen great results when resistant parts of the business can be convinced (coerced?) into supporting a pilot. Winning in a resistant business function often breeds strong advocacy for change and can accelerate the program.
With leadership and an enabling committee in place, what might an IG program actually look like? Unsurprisingly, its structure is much like any enterprise information or technology project – a phased roll out kicked off by technology evaluations and one or more pilots, followed by a transition to business as usual. The emphasis in all phases is to bring together the people, technology, and processes necessary to deliver outcomes and a minimum set of information standards across all business functions.
- Production Pilot. A pilot road tests the people, technology and processes in a production environment. That is, on real data with real stakeholders seeking to deliver real program outcomes. Pilots should be conducted with a lead business function where the leadership is supportive (rather than resistant) and should produce a documented and repeatable playbook along with proof of outcomes (aka early wins). A well-run pilot delivers advocacy for the program as well as a committee conversant with common obstacles.
- Phased Implementation. With a production playbook in hand, the committee must direct implementation across each business function in turn. Depending on resources the program may run several functions in parallel to improve program pace. Each phase brings stakeholders from the target business function into the committee as non-core members and focusses on delivering the playbook, adjusted for the business function’s specific context. It’s important to prepare each business function in advance to ensure that the necessary preparations are in place; failure of a function to meet those requirements should lead to postponement and should be reportable to program leadership.
- Transition to Business as Usual. There is little to no value in implementing IG as a one-off project. Continual innovation and activity across the organization leads to continual changes in its information estate which drives a steady drift from compliance. Further, in the event of a significant information event such as a breach, a legal discovery or an acquisition, a functioning IG program enables the organization to respond quickly and effectively. As each business function progresses through implementation the program needs to leave behind a cadence which continually evaluates and triages data as records for disposition, to resolve sensitive data leakage or spillage and reduce stale or redundant data.
Implicitly, the Committee must also plan to transition into a business-as-usual state. This should involve integrating the monitoring of standards across the business alongside any other standing responsibilities the committee might hold. Exceptions should be addressed within the committee’s established authority and, ideally, an ongoing dialog with the business will enable it to develop new IG capabilities which progress from compliance and efficiency to more value-driven outcomes.
Discover, Decide, Sustain
Minimum Viable Governance (MVG)?
We’ve seen this idea come up in a few of our customers’ projects. In effect, MVG is the price of entry into the IG program for any given business function. It requires that function to commit to implementing certain practices before initial implementation, and then maintaining them in business as usual. Check our later articles for more on MVG.
Sustaining an IG program can be a significant challenge for any organization, most often because first, leadership lacks the understanding that initial program gains will be lost without follow-on investment and, second, because the program fails to identify areas of additional value that might be delivered. We’ll therefore complete this article with a brief exploration of continual IG built around developing core capabilities of data discovery and data decision making, capabilities that define the core skillset for any IG team.
An initial implementation program can be built around a set of information standards which might be termed ‘minimum viable governance’ or MVG, which will vary by industry and jurisdiction. This typically requires a discovery and inventory of the target data estate; assignment of ownership/stewardship to business units; triage of data to be maintained, deleted, and archived; the classification of spilled sensitive data; and potentially the identification and capture of critical records and/or the production of a data map or record of processing activities to meet privacy or industry regulations. Meeting these requirements across the business gets IG moving but should be followed by additional value.
The most successful sustainment implementations we’ve seen establish a core team (the IG team or even, in one case, the Information Architecture team) which offers a menu of services to which the business can subscribe. Such a use case menu allows business functions to plan the development of their own information estate but also advertises what the team can offer in response to a particular risk or event. Example use cases might be:
- Data Discovery or Audit. A discovery of the shape and size of the data estate, usually in response to some planning need such as a divestiture or migration.
- Data Clean Up. The removal of low value data to reduce costs or increase efficiency.
- Records Identification. To meet an existing or emergent regulatory requirement.
- Sensitive Data Identification. In response to a client audit request or to prevent or resolve data spillage.
- Restructuring. To resolve repositories or labelling schemes which have become unmanageable.
- eDiscovery Assessment and Collection. Immediate data collection response to an e-discovery event.
- Breach Response and Clean Up. Determine the scope of data subject to breach and disposal of data post breach.
- Data Labelling. Classifying and labelling data for exploitation through a new technology platform or as part of a data value initiative.
- Divestiture, Merger and Acquisition. Scope and de-risk data to be divested; assess, onboard, and integrate acquired data.
This list, of course, is just an example. The potential range of use cases is virtually endless. The key point is that through the implementation of an IG program the organization and IG team grows a set of capabilities that can be repurposed to deliver new value and sustain the program and, in turn, continued information compliance.
In this article we’ve described our experience drawn from both successful and unsuccessful IG projects across a broad range of industries. We’ve presented potential approaches for leadership and what we think is a sound outline for a program committee, covered the shape of the program that committee will direct, and stressed the importance of managing and prioritizing the program’s data scope. We then finished with a discussion about program sustainment which, in our opinion, is the hallmark of a successful project. This is the crux. We see little point in investing in IG unless the organization and leadership expressly intend to resource and support its longevity and growth. This is because, with sustained investment, a successful program which leaves behind a functioning IG team and committee can deliver not only a minimum information compliance standard (described as MVG) but will also offer additional value and increased efficiencies as it grows and becomes embedded.