Many of the comments I hear from executives regarding information governance planning include: "We don’t want to boil the ocean." "There are too many conflicting definitions." "No one follows it today, so why do it tomorrow?" "With this pending lawsuit, we should have done it yesterday." "Can you help us develop one?"

    So, how should an organization approach information governance? I believe a Six Sigma approach (define, measure, analyze, improve and control) provides a framework.

    Define information governance
    Gartner defines information governance as: "The specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals."

    Chris Walker, an information governance and management consultant, defines information governance as: "All the rules, regulations, legislation, standards and policies with which organizations need to comply when they create, share and use information."

    With respect to the above definitions, I believe an improved construct is to define information governance as the de jure, de facto and best practice “information governance standards” that an organization must meet to ensure government, regulatory, industry, customer and operational information compliance, as measured within an internal audit function, with a clear definition of priority if there is a conflict.

    Before we get too busy integrating, modifying or debating the definition of information governance, I think we should start by asking the following questions. For your organization, what are the required information governance standards that need to be complied with, or will provide benefit, in areas such as:
    • De jure (e.g., law, government, regulation, industry)
    • De facto (e.g., from fact, widespread use, association)
    • Best practice (e.g., experience, use)
    • Risk (audit, discovery, litigation)
    • Operations (service, quality, efficiency, knowledge)
    Of course, definition of internal best practice, risk and operation standards will require internal collaboration to define/agree. However, definition of external de jure, de facto, best practice, risk and operation standards may require an independent assessment, as those external standards may not be internally known. For all standards, it is important to identify the right level of granularity and to obtain the executive sponsorship required to establish and maintain information governance.

    Once information governance standards are established, we need to ask the question, "If there is a conflict between information governance standards (e.g., external vs. internal), is there a clear definition of prioritization?"

    If there is no clear prioritization of information governance standards, I believe organizations may get in trouble by incorrectly prioritizing standards, for example, putting efficiency over regulatory compliance, rapid production over quality and cost over service.

    Measure information governance performance
    Once defined, an organization needs to measure (benchmark) if areas, such as people, processes and systems, exceed, meet or fail information governance standards and to identify conflicts between standards. Maturity ratings can be a helpful way to measure.

    If you can’t measure it, you can’t improve it, and if you can’t prioritize conflicts between standards, you can’t standardize how the organization should react (e.g., each area/person in the organization may act to service their own beliefs or needs).

    Analyze issues with meeting information governance standards (defect), including failing to meet standards (underproduction) and, as applicable, exceeding standards (overprocessing). Identify the root cause of the problem. To illustrate, on the people side, analyze if there is an issue with awareness, culture, leadership, training or cooperation. For processes, is there an issue with silos, controls, quality, waste, risk, data/record quality, defects or measurement? In regard to the system, is there an issue with existing software, hardware, security and support?

    Improve information governance performance
    Develop a well-thought-out, effective and measurable information governance plan; train staff on the plan; define, improve and test required processes; and acquire required technology. For example, in regard to software, "Does an organization have in place software to support information governance standards, such as electronic content management (ECM), digital signature, workflow and electronic records management (ERM)?"

    Control information governance plan
    Identify an independent (accountability) process and reporting function to ensure ongoing compliance to information governance standards. I believe it is important to have the information governance function report to an independent internal audit committee to ensure an arm’s length distance between those creating, receiving, managing, utilizing or transforming information and those “measuring and reporting” on compliance to identified standards.

    Without an independent information governance reporting structure, reduplication of reporting challenges faced by records managers will occur for information governance professionals (e.g., records managers receiving different levels of guidance and support when reporting to information technology (IT), administration, facilities or legal departments).

    George Dunn is the founder and president of CRE8 Independent Consultants and is a worldwide recognized consultant, speaker, instructor, contributing editor and author on business process innovation and improvement, paperless technologies and complex computer system replacement planning. He has over 25 years of experience in the advanced technology and process improvement industry. Follow him on Twitter @CRE8consultants.

    *As planning for information governance must be tailored to the specific need of each organization, the information provided in this blog should be treated as an introduction only and, as such, without a direct consultation of requirements, CRE8 Independent Consultants cannot assume responsibility for the use, implementation or results of information provided.