Information Governance is a tech-era update of the old corporate term, "document retention policies," so I'll use both terms below. It's not great cocktail party conversation (remember cocktail parties?!) but it's crucially important.
We've previously written that there are three main types of stakeholders:
Revenue generation is informed by data. But data becomes less valuable over time. Quarter Over Quarter and Year Over Year comparisons are common for revenue-generating leaders in most industries. Over what time frame does your business typically measure trends, or at what point do they begin to feel it's outdated and/or less relevant to go-forward decisions? Anything data older than this becomes "dark data" that company is paying to host but not deriving value from - and it provides potential entry points for bad actors.
Titles/roles may include:
Legal and Risk Management are charged with ensuring compliance for industry-specific regulations, and for responding thoroughly and accurately to audits, investigations, or litigation. The less data they (or their vendors) have to sort through, the lower the costs will be. Typically, these are centers of influence for deciding where data will be stored, for how long, and who will have access to it - but it's important to be a consultative business partner during this process. Good relations forged by candor and trust during large projects will inevitably make turbulent times less painful.
Titles may include:
Finally, IT is charged with securely maintaining the policies, so it's critical they're involved in the conversations to ensure software and hardware needs are met. Be sure to obtain full participation from IT leadership. IT departments today are being stretched thin by supporting more software applications, "big data" mining teams, and have transformed overnight into supporting remote teams. Remote work often stresses IT teams as they have significantly less control over the security of the devices, but are still expected to provide the same seamless access and experience for the users. The hidden insights within IT teams is powerful, but they have to have a seat at the table for their knowledge to be heard. Because information governance is often thought of as heavily technical, it's viewed as a cost center instead of a strategic business decision. EDRM goes into considerably more detail about IT's viewpoint into Information Governance planning that's well worth the read.
Titles may include:
Other key roles, such as the Head of HR, must be included - and, again, successful projects must be driven from the top (CEO, COO).
Side note: let's hear it for CIOs. It's often a thankless role, responsible for knowing the IT infrastructure like the back of their hand, but often without formal ownership (and in some cases, even without political backing of the C-suite, which is often indicative of data problems in the future).
Why?
And different areas of the organization have different priorities.
Don't forget about IT, compliance, treasury, and umpteen other departments.
Thus, the can is kicked down the road until a litigation event, data breach, or regulatory investigation means there is lots of expensive discovery to go through. Oops.
So, who takes charge?
Leadership has to come from the top. The C-suite must either lead the project, or if they lack the proper experience, they must delegate, communicate, and reiterate the importance of the project (usually to their CIO, general counsel, or retained counsel).
Simply, yes.
Designing, implementing, and enforcing a document retention plan isn't why most people get out of bed in the morning, but it doesn't have to be a headache. An experienced consultant can take the reins and guide you through priorities, timelines, and messaging internally.
And, yes, it's worth undertaking because:
All of this means your organization is more vulnerable to social engineering, phishing, hacking, or other untoward means of your data escaping.
If your organization is typical, data mapping, information governance, and document retention plans become hot topics after a data breach or expensive piece of litigation.
For more proactive organizations, it usually makes sense to build this into annual budgeting, strategic planning, or integrating a merger/acquisition. It doesn't usually rise to the level of board involvement or approval, but it's important to help everyone understand why this is important.
If you're looking for more information or want to talk through some questions, let me know. We can help.