Securing a sponsor at the executive management level is always crucial to projects and programs, and this is especially true of any strategic planning effort. An executive must be on board and supporting the effort in order to garner the resources needed to develop and execute the strategic plan, and that executive must be held accountable for the development and execution of the plan. These axioms apply to the development of an information governance (IG) strategic plan.

Also, resources are needed—time, human capital, and budget money. The first is a critical element: It is not possible to require managers to take time out of their other duties to participate in a project if there is no executive edict and consistent follow up, support, and communication. Executive sponsorship is a best practice and supports the key principle of accountability of the Generally Accepted Recordkeeping Principles® (The Principles)¹ (see Chapter 3 for more detail). And, of course, without an allocated budget, no program can proceed.

The higher your executive sponsor is in the organization, the better.² The implementation of an IG program may be driven by the chief compliance officer, chief information officer (CIO), or, ideally, the chief executive officer (CEO). With CEO sponsorship come many of the key elements needed to complete a successful project, including allocated management time, budget money, and management focus.

It is important to bear in mind that this IG effort is truly a change management effort, in that it aims to change the structure, guidelines, and rules within which employees operate. The change must occur at the very core of the organization's culture. It must be embedded permanently, and for it to be, the message must be constantly and consistently reinforced. Achieving this kind of change requires commitment from the very highest levels of the organization.

If the CEO is not the sponsor, then another high-level executive must lead the effort and be accountable for meeting milestones as the program progresses. Programs with no executive sponsor can lose momentum and focus, especially as competing projects and programs are evaluated and implemented. Program failure is a great risk without an executive sponsor. Such a program likely will fade or fizzle out or be relegated to the back burner. Without strong high-level leadership, when things go awry, finger pointing and political games may take over, impeding progress and cooperation.

The executive sponsor must be actively involved, tracking program objectives and milestones on a regular, scheduled basis and ensuring they are aligned with business objectives. He or she must be aware of any obstacles or disputes that arise, take an active role in resolving them, and push the program forward.

Crucial Executive Sponsor Role

The role of an executive sponsor is high level, requiring periodic and regular attention to the status of the program, particularly with budget issues, staff resources, and milestone progress. The role of a program or project manager (PM) is more detailed and day to day, tracking specific tasks that must be executed to make progress toward milestones. Both roles are essential. The savvy PM brings in the executive sponsor to push things along when more authority is needed but reserves such project capital for those issues that absolutely cannot be resolved without executive intervention. It is best for the PM to keep the executive sponsor fully informed but to ask for assistance only when absolutely needed.

At the same time, the PM must manage the relationship with the executive sponsor, perhaps with some gentle reminders, coaxing, or prodding, to ensure that the role and tasks of executive sponsorship are being fulfilled. “[T]he successful Project Manager knows that if those duties are not being fulfilled, it's time to call a timeout and have a serious conversation with the Executive Sponsor about the viability of the project.”³

The executive sponsor serves six key purposes on a project:

1. Budget. The executive sponsor ensures an adequate financial commitment is made to see the project through and lobbies for additional expenditures when change orders are made or cost overruns occur.
2. Planning and control. The executive sponsor sets direction and tracks accomplishment of specific, measureable business objectives.
3. Decision making. The executive sponsor makes or approves crucial decisions and resolves issues that are escalated for resolution.
4. Expectation Management. The executive sponsor must manage expectation, since success is quite often a stakeholder perception.
5. Anticipation. Every project that is competing for resources can run into unforeseen blockages and objections. Executive sponsors run interference and provide political might for the PM to lead the project to completion, through a series of milestones.
6. Approval. The executive sponsor signs off when all milestones and objectives have been met.

An eager and effective executive sponsor makes all the difference to a project—if the role is properly managed by the PM. It is a tricky relationship, since the PM is always below the executive sponsor in the organization's hierarchy, yet the PM must coax the superior into tackling certain high-level tasks. Sometimes a third-party consultant who is an expert in the specific project can instigate and support requests made of the sponsor and provide a solid business rationale.

Evolving Role of the Executive Sponsor

The role of the executive sponsor necessarily evolves and changes over the life of the initial IG program launch, during the implementation phases, and on through the continued IG program.

To get the program off the ground, the executive sponsor must make the business case and get adequate budgetary funding. But an effort such as this takes more than money; it takes time—not just time to develop new policies and implement new technologies, but the time of the designated PM, program leaders, and needed program team members.

In order to get this time set aside, the IG program must be made a top priority of the organization. It must be recognized, formalized, and aligned with organizational objectives. All this up-front work is the responsibility of the executive sponsor.

Once the IG program team is formed, team members must clearly understand why the new program is important and how it will help the organization meet its business objectives. This message must be regularly reinforced by the executive sponsor; he or she must not only paint the vision of the future state of the organization but articulate the steps in the path to get there.

When the formal program effort commences, the executive sponsor must remain visible and accessible. He or she cannot disappear into everyday duties and expect the program team to carry the effort through. The executive sponsor must be there to help the team confront and overcome business obstacles as they arise and must praise the successes along the way. This requires active involvement and a willingness to spend the time to keep the program on track and focused.

The executive sponsor must be the lighthouse that shows the way even through cloudy skies and rough waters. This person is the captain who must steer the ship, even if the first mate (PM) is seasick and the deckhands (program team) are drenched and tired.

After the program is implemented, the executive sponsor is responsible for maintaining its effectiveness and relevance. This is done through periodic compliance audits, testing and sampling, and scheduled meetings with the ongoing PM.

Building Your IG Team

Who should make up the IG team? Although there are no set requirements or formulas, the complex nature of IG and the fact that it touches upon a number of specialized disciplines and functional areas dictates that a cross-functional approach be taken. So you will need representatives from several departments. There are some absolutes: you must have a representative from your legal staff or outside counsel, your information technology (IT) department, a senior records officer (SRO) or the equivalent, a risk management specialist or manager, an executive sponsor, and the IG program manager. In addition, there may be a need for input from managers of human resources, company communications, and certain business units. Depending on the scope of the effort, other possible IG team members might include an IT security expert, the corporate or agency archivist, business analysts, chief knowledge officer or knowledge management (KM) professional, litigation support head, financial analyst, business process specialist, project management professional, and other professionals in functions related to these areas.

Assigning IG Team Roles and Responsibilities

The executive sponsor will need to designate an IG PM. Depending on the focus of the IG effort, that person could come from several areas, including legal, compliance, risk management, records management, or IT.

In terms of breaking down the roles and responsibilities of the remainder of the IG team, the easy decision is to have IG team representatives take responsibility for the functional areas of their expertise. But there will be overlap, and it is best to have some pairs or small work groups teamed up to gain the broadest amount of input and optimum results. This will also facilitate cross training. For instance, inside legal counsel may be responsible for rendering the final legal opinions, but because they are not expert in records, document management, or risk management, they could benefit from input of others in specialized functional areas, which will inform them and help narrow and focus their legal research. Basic research into which regulations and laws apply to the organization regarding security, retention, and preservation of e-mail, e-records, and personally identifiable information (PII) could be conducted by the SRO or records management head, in consultation with the corporate archivist and CIO, with the results of their findings and recommendations drafted and sent to the legal counsel. The draft report may offer up several alternative approaches that need legal input and decisions. Then the legal team lead can conduct its own, focused research and make final recommendations regarding the organization's legal strategy, business objectives, financial position, and applicable laws and regulations.

The result of the research, consultation, and collaboration of the IG team should result in a final draft of the IG strategic plan. It will still need more input and development to align the plan with business objectives, an analysis of internal and external drivers, applicable best practices, competitive analysis, applicable IT trends, an analysis and inclusion of the organization's culture, and other factors.

Align Your IG Plan with Organizational Strategic Plans

The IG plan must support the achievement of the organization's business objectives and therefore must be melded into the organization's overall strategic plan. Integration with the strategic plan means that the business objectives in the IG plan are consistent with, and in support of, the enterprise strategic plan.

So, for example, if the corporate strategy includes plans for acquiring smaller competitors and folding them into the organization's structure as operating divisions, then the IG plan must assist and contribute to this effort. Plans for standardizing operating policies and procedures must include a consistent, systematized approach to the components of IG, including stakeholder consultation, user training and communications, and compliance audits. The IG plan should bring a standard approach across the spectrum of information use and management within the organization and it must be forged to accommodate the new technology acquisitions. This means that e-mail policies, e-discovery policies, mobile device policies, social media policies, cloud collaboration and storage use, and even nitty-gritty details like report formats, data structures, document taxonomies, and metadata must be consistent and aligned with the overall strategic plan. In other words, the goal is to get all employees on the same page and working to support the business objectives of the strategic plan in everyday small steps within the IG plan.

The organization will also have an IT plan that must be aligned with the strategic plan to support overall business objectives. The IT strategy may be to convert new acquisitions to the internal financial and accounting systems of the organization and to train new employees to use the existing software applications under the umbrella of the IG plan. Again, the IG plan needs to be integrated with the IT strategy and must consider the organization's approach to IT.

The result of the process of aligning the IG effort with the IT strategy and the organization's overall strategic plan will mean, ideally, that employee efforts are more efficient and productive since they are consistently moving toward the achievement of the organization's overall strategic goals. The organization will be healthier and will have less dissent and confusion with clear IG policies that leverage the IT strategy and help employees pursue overall business objectives.

Further considerations must be folded into the IG plan. As every corporate culture is different and has a real impact on decision-making and operational approaches, corporate culture must be included in the plan. Corporate culture includes the organization's appetite for risk, its use of IT (e.g., forward-thinking first adopter), its capital investment strategies, and other management actions.

So, if the organization is conservative and risk averse, it may want to hold off on implementing some emerging e-discovery technologies that can cut costs but also induce greater risk. Or if it is an aggressive, progressive, risk-taking organization, it may opt to test and adopt newer e-discovery technologies under the IT strategy and umbrella of IG policies. An example may be the use of predictive coding technology in early case assessment (ECA). Predictive coding uses text auto-classification technology and neural technology with the assistance of human input to “learn” which e-documents might be relevant in a particular legal matter and which may not be. Through a series of steps of testing and checking subsets of the documents, humans can provide input to improve the document sorting and selection process. The software uses machine learning (artificial intelligence whereby the software can change and improve on a particular task, as its decision engine is shaped and “trained” by input) to improve its ability to cull through and sort documents.

Predictive coding can reduce e-discovery costs, yet there are risks that the approach can be challenged in court and could, in fact, affect the case adversely. Thus, a decision on a technology like predictive coding can involve and include elements of the IG plan, IT strategy, and overall organizational strategic plan.

And there are resource issues to consider: How much management time, or bandwidth, is available to pursue the IG plan development and execution? Is there a budget item to allow for software acquisitions and training and communications to support the execution of the IG plan? Obviously, without the allocated management time and budget money, the IG plan cannot be executed.

Survey and Evaluate External Factors

The IG plan is now harmonized and aligned with your organization's strategic plan and IT strategy, but you are not finished yet, because the plan cannot survive in a vacuum: Organizations must analyze and consider the external business, legal, and technological environment and fold their analysis into their plans.

Analyze IT Trends

IG requires IT to support and monitor implementation of polices, so it matters what is developing and trending in the IT space. What new technologies are coming online? Why are they being developed and becoming popular? How do these changes in the business environment that created opportunities for new technologies to be developed affect your organization and its ability execute its IG plan? How can new technologies assist? Which ones are immature and too risky? These are some of the questions that must be addressed in regard to the changing IT landscape.

Some changes in information and communications technology (ICT) are rather obvious, such as the trends toward mobile computing, tablet and smartphone devices, cloud storage, and social media use. Each one of these major trends that may affect or assist in implementing IG needs to be considered within the framework of the organization's strategic plan and IT strategy. If the corporate culture is progressive and supportive of remote work and telecommuting, and if the organizational strategy aims to lower fixed costs by reducing the amount of office space for employees and moving to a more mobile workforce, then trends in tablet and smartphone computing that are relevant to your organization must be analyzed and considered. Is the organization going to provide mobile devices or support a bring-your-own-device (BYOD) environment? Which equipment will you support? Will you support iOS, Android, or both? What is your policy going to be on phone jacking? What is the IG policy regarding confidential documents on mobile devices? Will you use encryption? If so, which software? Is your enterprise moving to the cloud computing model? Utilizing social media? What about Big Data and analytics? Are you going to consider deploying auto-classification and predictive coding technologies? What are the trends that might affect your organization?

Many, many questions must be addressed, but the evaluation must be narrowed down to those technology trends that specifically might impact the execution of your IG plan and rollout of new technology.

On a more granular level, you must evaluate even supported file and document formats. It gets that detailed, when you are crafting IG policy. For instance, PDF/A is the standard format for archiving electronic documents. So your plans must include long-term digital preservation (LTDP) standards and best practices.

Survey Business Conditions and the Economic Environment

If the economy is on a down cycle, and particularly if your business sector has been negatively affected, resources may be scarcer than in better times. Hence, it may be more difficult to get budget approval for necessary program expenses, such as new technologies, staff, training materials, communications, and so forth. This means your IG plan may need to be scaled back or its scope reduced. Implementing the plan in a key division rather than attempting an enterprise rollout may be the best tactic in tough economic times.

But if things are booming and the business is growing fast, budget money for investments in the IG program may be easier to secure, and the goals may be expanded.

IG should be an ongoing program, but it takes time to implement, and it takes resources to execute, audit, and continue to refine. So an executive looking for a quick and calculable payback on the investment may want to focus on narrower areas. For instance, the initial focus may be entirely on the legal hold and e-discovery process, with business objectives that include reducing pretrial costs and attorney fees by a certain percentage or amount. It is much easier to see concrete results when focusing on e-discovery, since legal costs are real, and always will be there. The business case may be more difficult to make if the IG effort is broader and improves the ability to organize and search for information faster and to execute more complete searches to improve the basis for management decision making. Improved management decision making will improve the organization's competitiveness long-term, but it may be difficult to cite specific examples where costs were saved or revenues were increased as a result of the “better decisions” that should come about through better IG.

Analyze Relevant Legal, Regulatory, and Political Factors

In consultation with your legal team or lead, the laws and regulations that affect your industry should be identified. Narrowing the scope of your analysis, those that specifically could impact your governance of information should be considered and analyzed. What absolute requirements do they impose? Where there is room for interpretation, where, legally, does your organization want to position itself? How much legal risk is acceptable? These are the types of questions you will have to look to your legal and risk management professionals to make. Again, legal requirements trump all others.

Your decision process must include considerations for the future and anticipated future changes. Changes in the legal and regulatory environment happen based on the political leaders who are in place and any pending legislation. So you must go further and analyze the current political environment and make some judgments based on the best information you can gather, the organization's culture and appetite for risk, management style, available resources, and other factors. Generally, a more conservative environment means less regulation, and this analysis must also be folded into your IG strategic plan.

Survey and Determine Industry Best Practices

IG is a developing hybrid discipline. In a sense, it is a superset of records management and a subset of governance, risk management, and compliance (GRC), that emerged to help manage the explosion in the amount of records, documents, and data that must be managed in today's increasingly high-volume and velocity business environment and highly regulated compliance and litigation environment. As such, best practices are still being formed and added to. This process of testing, proving, and sharing best practices will continue for some time as the practices are expanded, revised, and refined.

The most relevant study of IG best practices is one that is conducted for your organization and surveys your industry and what some of your more progressive competitors are doing in regard to IG. Often the best way to accomplish such a study is by engaging a third-party consultant, who can more easily contact, study, and interview your competitors in regard to their practices. Business peer groups and trade associations also can provide some consensus as to emerging best practices.

Twenty-five IG best practices covering a number of areas in which IG has an impact or should be a major consideration are listed next.

1. IG is a key underpinning for a successful RM program. Practicing good IG is the essential foundation for building a legally defensible RM program; it provides the basis for consistent, reliable methods for managing documents and records. Having trusted and reliable records, reports, and databases allows managers to make key decisions with confidence.⁴ And accessing that information and business intelligence in a timely fashion can yield a long-term sustainable competitive advantage, creating more agile enterprises.

   To implement a successful IG program, enterprises must standardize and systematize their handling of information, in particular their formal business records. They must analyze and optimize how information is accessed, controlled, managed, shared, stored, preserved, and audited. They must have complete, current, and relevant policies, processes, and technologies to manage and control information, including who is able to access what information, and when, to meet external legal and regulatory demands and internal governance requirements. This, in short, is IG.

2. IG is not a project but rather an ongoing program that provides an umbrella of rules and policies, monitored and enforced with the support of IT to manage and control information output and communications. Since technologies change so quickly, it is necessary to have overarching technology-agnostic policies that can manage the various IT platforms that an organization may use.

   Compare the IG program to a workplace safety program; every time a new location, team member, piece of equipment, or toxic substance is acquired by the organization, the workplace safety program should dictate how that is handled. If it does not, the workplace safety policies/procedures/training that are part of the workplace safety program need to be updated. Regular reviews are conducted to ensure the program is being followed, and adjustments are made based on the findings. The effort never ends.⁵

3. Using an IG framework or maturity model is helpful in assessing and guiding IG programs. Various models are offered, such as The Principles from ARMA International; the Information Governance Reference Model, which grew out of the Electronic Discovery Reference Model (found at EDRM.net);⁶ or MIKE2.0, which was developed by the consulting firm Bearing Point and released to the public domain. Another tool that is particularly used in the Australian market for records management projects is Designing and Implementing Recordkeeping Systems (DIRKS).
4. Defensible deletion of data debris and information that no longer has value is critical in the era of Big Data. You must have IG polices in place and be able to prove that you follow them consistently and systematically in order to justify, to the courts and regulators, deletion of information. With a smaller information footprint, organizations can more easily find what they need and derive business value from it.⁷ Data debris must be eliminated regularly and consistently, and to do this, processes and systems must be in place to cull out valuable information and discard the data debris. An IG program sets the framework to accomplish this.
5. IG policies must be developed before enabling technologies are deployed to assist in enforcement. After the policy-making effort, seek out the proper technology tools to assist in monitoring, auditing, and enforcement.
6. To provide comprehensive e-document security throughout a document's life cycle, documents must be secured upon creation using highly sophisticated technologies, such as information rights management (IRM) technology. IRM acts as a sort of “security wrapper” that denies access without proper credentials. Document access and use by individuals having proper and current credentials is also tightly monitored IRM software controls the access, copying, editing, forwarding, and printing of documents using a policy engine that manages the rights to view and work on an e-document. Access rights are set by levels or “roles” that employees are responsible for within an organization.
7. A records retention schedule and legal hold notification (LHN) process are the two primary elements of a fundamental IG program. These are the basics. Implementation will require records inventorying, taxonomy development, metadata normalization and standardization, and a survey of LHN best practices.
8. A cross-functional team is required to implement IG. Since IG contains and requires elements of a number of established disciplines, representatives from the key areas must be included in the planning and implantation effort. At a minimum, you will need team leaders from legal, IT, records management, compliance and risk management, human resources, and executive management. Members from corporate communications, knowledge management, systems security, finance and accounting, and other functional areas also may be needed. Depending on the circumstances, you may need representatives from major business units within the organization.
9. The first step in information risk planning is to consider the applicable laws and regulations that apply to your organization in the jurisdictions in which it conducts business. Federal, provincial, state, and even municipal laws and regulations may apply to the retention of data, documents, and records. Organizations operating in multiple jurisdictions must be compliant with laws and regulations that may cross national, state, or provincial boundaries. Legally required privacy requirements and retention periods must be researched for each jurisdiction (state, country) in which the business operates, so that all applicable laws are complied with.
10. Developing a risk profile is a basic building block in enterprise risk management, which assists executives in understanding the risks associated with stated business objectives and in allocating resources within a structured evaluation approach or framework. There are multiple ways to create a risk profile, and the frequency with which it is created, the external sources consulted, and stakeholders who have input will vary from organization to organization.⁸ A key tenet to bear in mind is that simpler is better and that sophisticated tools and techniques should not make the process overly complex.
11. An information risk mitigation plan is a critical part of the IG planning process. An information risk mitigation plan helps in developing risk mitigation options and tasks to reduce the specified risks and improve the odds of achieving business objectives.⁹
12. Proper metrics are required to measure the conformance and performance of your IG program. You must have an objective way to measure how you are doing, which means numbers and metrics. Assigning some quantitative measures that are meaningful before rolling out the IG program is essential.
13. IG programs must be audited for effectiveness. Periodic audits will tell you how your organization is doing and where to fine-tune your efforts. To keep an IG program healthy, relevant, and effective, changes and fine-tuning will always be required.
14. An enterprise wide retention schedule is preferable because it eliminates the possibility that different business units will have conflicting records retention periods. For example, if one business unit discards a group of records after 5 years, it would not make sense for another business unit to keep the same records for 10 years. Where enterprise-wide retention schedules are not possible, smaller business units, such as divisions or regions, should operate under a consistent retention schedule.
15. Senior management must set the tone and lead sponsorship for vital records program governance and compliance. Although e-records are easier to protect and backup, most vital records today are e-records. These are an organization's most essential records. Without them, an organization cannot continue operations.
16. Business processes must be redesigned to improve and optimize the management and security of information and especially the most critical of information, electronic records, before implementing enabling technologies. For instance, using electronic records management (ERM) software fundamentally changes the way people work, and greater efficiencies can be gained with business process redesign (versus simply using ERM systems as electronic filing cabinets to speed up poor processes).
17. E-mail messages, both inbound and outbound, should be archived automatically and (preferably) in real time. This ensures that spoliation (i.e., the loss of proven authenticity of an e-mail) does not occur. Archiving preserves legal validity and forensic compliance. By policy, most messages will be deleted in a short timeframe. Additionally, e-mail should be indexed to facilitate the searching process, and all messages should be secured in a single location (with backups). With these measures, the authenticity and reliability of e-mail records can be ensured.
18. Personal archiving of e-mail messages should be disallowed. Although users will want to save certain e-mail messages for their own reasons, control and management of e-mail archiving must be at the organization level or as high of a level as is practical, such as division or region.
19. Destructive retention of e-mail helps to reduce storage costs and legal risk while improving “findability” of critical records. It makes good business sense to have a policy to, say, destroy all e-mail messages after 90 or 120 days that are not flagged as potential records (which, e.g., help document a transaction or a situation that may come into dispute in the future) or those that have a legal hold.
20. Take a practical approach and limit cloud use to documents that do not have long retention periods and carry a low litigation risk. Doing this will reduce the risk of compromising or losing critical documents and e-records. Some duplicate copies of vital records may be stored securely in the cloud to help the organization recover in the event of a disaster.
21. Manage social media content by IG policies and monitor it with controls that ensure protection of critical information assets and preservation of business records. Your organization must state clearly what content and tone is acceptable in social media use, and it must retain records of that use, which should be captured in real time.
22. International and national standards provide effective guidance for implementing IG. Although there are no absolutes, researching and referencing International Organization for Standardization (ISO) and other standards must be a part of any IG effort.
23. Creating standardized metadata terms should be part of an IG effort that enables faster, more complete, and more accurate searches and retrieval of records. This is important not only in everyday business operations but also when delving through potentially millions of records during the discovery phase of litigation. Good metadata management also assists in the maintenance of corporate memory and in improving accountability in business operations.¹⁰ Using a standardized format and controlled vocabulary provides a “precise and comprehensible description of content, location, and value.”¹¹ Using a controlled vocabulary means your organization has standardized a set of terms used for metadata elements that describe records. This ensures consistency across a collection and helps with optimizing search and retrieval functions and records research as well as with meeting e-discovery requests, compliance demands, and other legal and regulatory requirements.
24. Some digital information assets must be preserved permanently as part of an organization's documentary heritage.¹² It is critical to identify records that must be kept long term as early in the process as possible; ideally, these records should be identified prior to or upon creation. LTDP applies to content that is born digital as well as content that is converted to digital form. Digital preservation is defined as long-term, error-free storage of digital information, with means for retrieval and interpretation, for the entire time span that the information is required to be retained. Dedicated repositories for historical and cultural memory, such as libraries, archives, and museums, need to move forward to put in place trustworthy digital repositories that can match the security, environmental controls, and wealth of descriptive metadata that these institutions have created for analog assets (such as books and paper records). Digital challenges associated with records management affect all sectors of society—academic, government, private, and not-for-profit enterprises—and ultimately citizens of all developed nations.
25. Executive sponsorship is crucial. Securing an executive sponsor at the senior management level is key to successful IG programs. It is not possible to require managers to take time out of their other duties to participate in a project if there is no executive edict. It is a best practice across industry sectors and technology sets and supports the Accountability principle of The Principles.¹³

Formulating the IG Strategic Plan

Now comes the time to make sense of all the data and input your IG team has gathered and hammer it into a workable IG strategic plan. Doing this will involve some give-and-take among IG team members, each having their own perspective and priorities. Everyone will be lobbying for the view of their functional groups. It is the job of the executive sponsor to set the tone and to emphasize organizational business objectives so that the effort does not drag out or turn into a competition but is a well-informed consensus development process that results in a clear, workable IG strategic plan.

Synthesize Gathered Information and Fuse It into IG Strategy

Your IG team will have gathered a great deal of information, which needs to be analyzed and distilled into actionable strategies. This process will depend on the expertise and input of the specialized knowledge your team brings to the table within your organizational culture. Team members must be able to make decisions and establish priorities that reflect organizational business objectives and consider a number of influencing factors.

Do not prolong the strategy development process. The longer it lasts, the more key factors influencing it can change. You want to develop a strategic plan that is durable enough to withstand changes in technology, legislation, and other key influencing factors, but it should be relevant to that snapshot of information that was collected early on. When all the parts and pieces start changing and require reconsideration, a dated IG plan does not serve the organization well.

Develop IG strategies for each of the critical areas, including the legal hold process, e-discovery action plans, e-mail policy, mobile computing policy, IT acquisition strategy, confidential document handling, vital records and disaster planning, social media policy, and other areas that are important to your organization. To maintain focus, do this first without regard to the prioritization of these areas.

Then you must go through the hard process of prioritizing your strategies and aligning them to your organizational goal and objectives. This may not be difficult in the beginning—for instance, your IG strategies for legal holds and e-discovery readiness are likely going to take higher priority than your social media policy, and protecting vital records is paramount to any organization. As the process progresses, it will become more challenging to make trade-offs and establish priorities. Then you must tie these strategies to overall organizational goals and business objectives.

A good technique to keep goals and objectives in mind may be to post them prominently in the meeting room where these strategy sessions take place. This will help to keep the IG team focused.

Develop Actionable Plans to Support Organizational Goals and Objectives

Plans and policies to support your IG efforts must be developed that identify specific tasks and steps and define roles and responsibilities for those who will be held accountable for their implementation. This is where the rubber meets the road. But you cannot simply create the plan and marching orders: You must build in periodic checks and audits to test that new IG policies are being followed and that they have hit their mark. Invariably, there will be adjustments made continually to craft the policies for maximum effectiveness and continued relevance in the face of changes in external factors, such as legislation and business competition, and internal changes in management style and structure.

Create New IG Driving Programs to Support Business Goals and Objectives

You have to get things moving and get employees motivated, and launching new sub-programs within the overall IG program is a good way to start. For instance, a new “e-discovery readiness” initiative can show almost immediate results if implemented properly, with the support of key legal and records management team members, driven by the executive sponsor. You may want to revamp the legal hold process to make it more complete and verifiable, assigning specific employees accountability for specific tasks. Part of that effort may be evaluating and implementing new technology-assisted review (TAR) processes and predictive coding technology. So you will need to bring in the IG team members responsible for IT and perhaps business analysis. Working cooperatively on smaller parts of the overall IG program is a way to show real results within defined time frames. Piecing together a series of program components is the best way to get started, and it breaks the overall IG program down into digestible, doable chunks. A small win early on is crucial to maintain momentum and executive sponsorship. And e-discovery has real costs: yet progress can be measured objectively in terms of reducing the cost of activities such as early case assessment (ECA). Benefits can be measured in terms of reduced attorney review hours, reduced costs, and reduced time to accomplish pretrial tasks.

To be clear, you will need to negotiate and agree on the success metrics the program will be measured on in advance.

There are other examples of supporting IG subprograms, such as e-mail management and archiving, where storage costs, search times, and information breaches can be measured in objective terms. Or you may choose to roll out new policies for the use of mobile devices within your organization, where adherence to policy can be measured by scanning mobile devices and monitoring their use.

Draft the IG Strategic Plan and Gain Input from a Broader Group of Stakeholders

Once you have the pieces of the plan drafted and the IG team is in agreement that it has been harmonized and aligned with overall organizational goals and objectives, you must test the waters to see if you have hit the mark. It is a good practice to expose a broader group of stakeholders to the plan to gain their input. Perhaps your IG team has become myopic or has passed over some points that are important to the broader stakeholder audience. Solicit and discuss their input, and to the degree that there is a consensus, refine the IG strategic plan one last time before finalizing it. But remember, it is a living document, a work in progress, which will require revisiting and updating to ensure it is in step with changing external and internal factors. Periodic auditing and review of the plan will reveal areas that need to be adjusted and revised to keep it relevant and effective.

Get Buy-in and Sign-off and Execute the Plan

Take the finalized plan to executive management, preferably including the CEO, and present the plan and its intended benefits to them. Field their questions and address any concerns to gain their buy-in and the appropriate signatures. You may have to make some minor adjustments if there are significant objections, but, if you have executed the stakeholder consultation process properly, you should be very close to the mark. Then begin the process of implementing your IG strategic plan, including regular status meetings and updates, steady communication and reassurance of your executive sponsor, and planned audits of activities.

Notes

1. ARMA International, “How to Cite GARP,” www.arma.org/garp/copyright.cfm (accessed October 9, 2013).

2. Roger Kastner, “Why Projects Succeed—Executive Sponsorship,” February 15, 2011, http://blog.slalom.com/2011/02/15/why-projects-succeed-%E2%80%93-executive-sponsorship/

3. Ibid.

4. Economist Intelligence Unit, “The Future of Information Governance,” www.emc.com/leadership/business-view/future-information-governance.htm (accessed October 9, 2013).

5. Monica Crocker, e-mail to author, June 21, 2012.

6. EDRM, “Information Governance Reference Model (IGRM) Guide,” www.edrm.net/resources/guides/igrm (accessed November 30, 2012).

7. Randolph A. Kahn, https://twitter.com/InfoParkingLot/status/273791612172259329, Nov. 28, 2012.

8. John Fraser and Betty Simkins, eds., Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives (Hoboken, NJ: John Wiley & Sons, 2010), p. 171.

9. Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK Guide), 4th ed. (Newtown Square, PA Project Management Institute, 2008), ANSI/PMI 99–001–2008, pp. 273–312.

10. Kate Cumming, “Metadata Matters,” in Julie McLeod and Catherine Hare, eds., Managing Electronic Records, p. 34 (London: Facet, 2005).

11. Minnesota State Archives, Electronic Records Management Guidelines, “Metadata,” March 12, 2012, www.mnhs.org/preserve/records/electronicrecords/ermetadata.html.

12. Charles Dollar and Lori Ashley, e-mail to author, August 10, 2012.

13. ARMA International, “How to Cite GARP.”