Information Governance is a tech-era update of the old corporate term, "document retention policies," so I'll use both terms below. It's not great cocktail party conversation (remember cocktail parties?!) but it's crucially important.
Each Function Has an Important Role to Play
We've previously written that there are three main types of stakeholders:
- Business Leaders who primarily create, and need, information to operate the organization
- Legal, risk, and regulatory departments who understand the organization’s duty to preserve information beyond its immediate business value
- IT departments who must implement the mechanics of information management
Revenue generation is informed by data. But data becomes less valuable over time. Quarter Over Quarter and Year Over Year comparisons are common for revenue-generating leaders in most industries. Over what time frame does your business typically measure trends, or at what point do they begin to feel it's outdated and/or less relevant to go-forward decisions? Anything data older than this becomes "dark data" that company is paying to host but not deriving value from - and it provides potential entry points for bad actors.
Titles/roles may include:
- President
- VP Business Development, Sales, or Marketing
- Director of Sales or Marketing
Legal and Risk Management are charged with ensuring compliance for industry-specific regulations, and for responding thoroughly and accurately to audits, investigations, or litigation. The less data they (or their vendors) have to sort through, the lower the costs will be. Typically, these are centers of influence for deciding where data will be stored, for how long, and who will have access to it - but it's important to be a consultative business partner during this process. Good relations forged by candor and trust during large projects will inevitably make turbulent times less painful.
Titles may include:
- Chief Financial Officer (CFO)
- Chief Legal Officer (CLO)
- Chief Information Security Officer (CISO)
- General Counsel
- Director/VP of Compliance
- Records Management
Finally, IT is charged with securely maintaining the policies, so it's critical they're involved in the conversations to ensure software and hardware needs are met. Be sure to obtain full participation from IT leadership. IT departments today are being stretched thin by supporting more software applications, "big data" mining teams, and have transformed overnight into supporting remote teams. Remote work often stresses IT teams as they have significantly less control over the security of the devices, but are still expected to provide the same seamless access and experience for the users. The hidden insights within IT teams is powerful, but they have to have a seat at the table for their knowledge to be heard. Because information governance is often thought of as heavily technical, it's viewed as a cost center instead of a strategic business decision. EDRM goes into considerably more detail about IT's viewpoint into Information Governance planning that's well worth the read.
Titles may include:
- Chief Information Officer (CIO)
- VP of IT
- Management Information Systems Director
Other key roles, such as the Head of HR, must be included - and, again, successful projects must be driven from the top (CEO, COO).
Side note: let's hear it for CIOs. It's often a thankless role, responsible for knowing the IT infrastructure like the back of their hand, but often without formal ownership (and in some cases, even without political backing of the C-suite, which is often indicative of data problems in the future).
It's Tough To Get Buy In for IG Engagements
Why?
- It's inherently an enterprise-wide undertaking
- So you're herding cats (usually high level, distracted cats who have other priorities that they view as more time-sensitive and critical to maintaining business operations)
- And no one is excited about budgeting for it on their P&L
And different areas of the organization have different priorities.
- Analytics teams want to mine through as much data as they can get their hands on
- HR wants everything locked down
- So do risk management and security leaders
- But sales teams scream that creating any restrictions on their access means they're being asked to run a marathon with a blindfold, both hands, and one leg tied behind their back
Don't forget about IT, compliance, treasury, and umpteen other departments.
Thus, the can is kicked down the road until a litigation event, data breach, or regulatory investigation means there is lots of expensive discovery to go through. Oops.
So, who takes charge?
Leadership has to come from the top. The C-suite must either lead the project, or if they lack the proper experience, they must delegate, communicate, and reiterate the importance of the project (usually to their CIO, general counsel, or retained counsel).
Is It Even Worth the Headache of Championing an IG Project?
Simply, yes.
Designing, implementing, and enforcing a document retention plan isn't why most people get out of bed in the morning, but it doesn't have to be a headache. An experienced consultant can take the reins and guide you through priorities, timelines, and messaging internally.
And, yes, it's worth undertaking because:
- The cost of a single data breach is 2-3 times the cost of an information governance program
- Almost every organization today has a historically high share of employees working remotely
- Which, by definition, increases the amount of data they're creating through collaborative platforms such as Teams, Slack, Zoom, etc.
- And that data is traveling on networks without the security standards of most office locations
All of this means your organization is more vulnerable to social engineering, phishing, hacking, or other untoward means of your data escaping.
How Do I Get Started?
If your organization is typical, data mapping, information governance, and document retention plans become hot topics after a data breach or expensive piece of litigation.
For more proactive organizations, it usually makes sense to build this into annual budgeting, strategic planning, or integrating a merger/acquisition. It doesn't usually rise to the level of board involvement or approval, but it's important to help everyone understand why this is important.
If you're looking for more information or want to talk through some questions, let me know. We can help.