President Obama's joint memorandum, which I wrote about in my last column, clearly demonstrates a need for governance and accountability. Given this, information governance becomes the focus and, as a whole, covers a range of business and management objectives that ECM helps organizations achieve. The industry analyst firm Gartner was early to adopt the term “information governance” to describe a strategic approach to managing enterprise information and content. Information governance, in Gartner’s words, is “the specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”
An information governance program is used to communicate the roles, responsibilities and accountabilities needed to meet legal, regulatory and policy-driven compliance. This, in turn, reduces the risk of missing deadlines, submitting incomplete records or not delivering on commitments.
From the moment you start defining an information governance strategy for your organization, engage with business, legal and IT stakeholders. You need to let them know the importance and benefit of having a governance program in place. They are also the folks who will best serve in this effort by providing feedback on the way things are being done and how they could be improved to support the goals of your governance program.
You will need to identify the most essential internal and external compliance requirements faced by your organization. A manufacturing organization may need to follow strict information or data reporting processes to keep an ISO 9001 certification. Specific retention, sign-off, version control and categorization procedures may already exist. In the case of the Presidential Mandate, Federal agencies need to focus on records management, in particular, electronic records, to get better control in support of faster processing and greater sharing capabilities across agencies.
External compliance requirements will be specific to a jurisdiction (state, province or country) and to an industry. For example, a global manufacturing organization may need to keep two sets of retention policies for staff in the United States vs. Australia. There may be additional health, safety or environmental laws specific to an industry or practice. Note which of these affect the content you are preparing to manage.
In addition, your strategy needs to identify the sources of this content. You need to find out who creates it and uses it, where it is stored today, who has authority over deletion, archiving and transfer offsite. A mapping of known content and records sources will be essential for a strong information management program.
- Laying down policies that will govern behaviors
- Defining processes for all stages of the information life cycle
- Setting standards that must be followed when carrying out a defined process
- Appointing specific people to be responsible for the information assets
- Providing tools and technology to enable staff to carry out the defined processes to the required standards
- Auditing the elements of the framework regularly to ensure that the guidelines are being followed
Using this as a guide, you can develop your governance strategies in a way that the user community can understand and, more importantly, adhere to. Think of it in the way you have to teach a young person. You set the policy in place and then you have to teach them how to do things that align with the policy. For example, when you say that something needs to be stored in the proper place, you need to demonstrate how and where this takes place.
ECM technologies offer several capabilities designed specifically to meet the obligations to organize, preserve, discover and dispose of content. These capabilities are needed to act in accordance with an information governance accountability framework. These core technologies include document management, records management, content and email archiving, search, taxonomies and metadata management. The needs of business, IT and records or legal users can be met by using tools that can be accessed through a variety of user interfaces, on a variety of devices.
Document and records management capabilities provide the version control, access controls and audit history to ensure electronic content can be authenticated. Life cycle management rules can be applied to ensure scheduled disposition and storage. Records management systems also provide legal hold capabilities and allow risk managers to flag content subject to disclosure. Search, metadata and taxonomy tools allow business users to find and retrieve content accurately and efficiently. IT managers can leverage the storage rules in most archiving systems for load balancing, storage management and migration of content to more cost-efficient long-term storage devices.
In my view, a well-planned, documented, implemented and maintained governance policy will not only help your organization organize and maintain control over its content and records, it will provide strength and defensible ways to minimize risk related to compliance. Of course, like any other aspect of information management, once it has been defined and documented, you must also train the user community in the importance of, and adherence to, the new way of working with content and records. As always, expect resistance from some, as they will perceive it as being yet another impediment to job performance, but rest assured that if you plan, communicate and train everyone properly, the moaning will quickly turn to gratitude, and your risk management team will be thankful that a new tool to help maintain regulatory and industry compliance and defensibility has been introduced.