Securing a sponsor at the executive management level is always crucial to projects and programs, and this is especially true of any strategic planning effort. An executive must be on board and supporting the effort in order to garner the resources needed to develop and execute the strategic plan, and that executive must be held accountable for the development and execution of the plan. These axioms apply to the development of an information governance (IG) strategic plan.
Also, resources are needed—time, human capital, and budget money. The first is a critical element: It is not possible to require managers to take time out of their other duties to participate in a project if there is no executive edict and consistent follow up, support, and communication. Executive sponsorship is a best practice and supports the key principle of accountability of the Generally Accepted Recordkeeping Principles® (The Principles)1 (see Chapter 3 for more detail). And, of course, without an allocated budget, no program can proceed.
The higher your executive sponsor is in the organization, the better.2 The implementation of an IG program may be driven by the chief compliance officer, chief information officer (CIO), or, ideally, the chief executive officer (CEO). With CEO sponsorship come many of the key elements needed to complete a successful project, including allocated management time, budget money, and management focus.
It is important to bear in mind that this IG effort is truly a change management effort, in that it aims to change the structure, guidelines, and rules within which employees operate. The change must occur at the very core of the organization's culture. It must be embedded permanently, and for it to be, the message must be constantly and consistently reinforced. Achieving this kind of change requires commitment from the very highest levels of the organization.
Executive sponsorship is critical to project success. There is no substitute. Without it, a project is at risk of failure.
If the CEO is not the sponsor, then another high-level executive must lead the effort and be accountable for meeting milestones as the program progresses. Programs with no executive sponsor can lose momentum and focus, especially as competing projects and programs are evaluated and implemented. Program failure is a great risk without an executive sponsor. Such a program likely will fade or fizzle out or be relegated to the back burner. Without strong high-level leadership, when things go awry, finger pointing and political games may take over, impeding progress and cooperation.
The executive sponsor must be actively involved, tracking program objectives and milestones on a regular, scheduled basis and ensuring they are aligned with business objectives. He or she must be aware of any obstacles or disputes that arise, take an active role in resolving them, and push the program forward.
The role of an executive sponsor is high level, requiring periodic and regular attention to the status of the program, particularly with budget issues, staff resources, and milestone progress. The role of a program or project manager (PM) is more detailed and day to day, tracking specific tasks that must be executed to make progress toward milestones. Both roles are essential. The savvy PM brings in the executive sponsor to push things along when more authority is needed but reserves such project capital for those issues that absolutely cannot be resolved without executive intervention. It is best for the PM to keep the executive sponsor fully informed but to ask for assistance only when absolutely needed.
At the same time, the PM must manage the relationship with the executive sponsor, perhaps with some gentle reminders, coaxing, or prodding, to ensure that the role and tasks of executive sponsorship are being fulfilled. “[T]he successful Project Manager knows that if those duties are not being fulfilled, it's time to call a timeout and have a serious conversation with the Executive Sponsor about the viability of the project.”3
The executive sponsor serves six key purposes on a project:
While the executive sponsor role is high level, the PM's role and tasks are more detailed and involve day-to-day management.
An eager and effective executive sponsor makes all the difference to a project—if the role is properly managed by the PM. It is a tricky relationship, since the PM is always below the executive sponsor in the organization's hierarchy, yet the PM must coax the superior into tackling certain high-level tasks. Sometimes a third-party consultant who is an expert in the specific project can instigate and support requests made of the sponsor and provide a solid business rationale.
The role of the executive sponsor necessarily evolves and changes over the life of the initial IG program launch, during the implementation phases, and on through the continued IG program.
To get the program off the ground, the executive sponsor must make the business case and get adequate budgetary funding. But an effort such as this takes more than money; it takes time—not just time to develop new policies and implement new technologies, but the time of the designated PM, program leaders, and needed program team members.
In order to get this time set aside, the IG program must be made a top priority of the organization. It must be recognized, formalized, and aligned with organizational objectives. All this up-front work is the responsibility of the executive sponsor.
Once the IG program team is formed, team members must clearly understand why the new program is important and how it will help the organization meet its business objectives. This message must be regularly reinforced by the executive sponsor; he or she must not only paint the vision of the future state of the organization but articulate the steps in the path to get there.
When the formal program effort commences, the executive sponsor must remain visible and accessible. He or she cannot disappear into everyday duties and expect the program team to carry the effort through. The executive sponsor must be there to help the team confront and overcome business obstacles as they arise and must praise the successes along the way. This requires active involvement and a willingness to spend the time to keep the program on track and focused.
The executive sponsor must be the lighthouse that shows the way even through cloudy skies and rough waters. This person is the captain who must steer the ship, even if the first mate (PM) is seasick and the deckhands (program team) are drenched and tired.
After the program is implemented, the executive sponsor is responsible for maintaining its effectiveness and relevance. This is done through periodic compliance audits, testing and sampling, and scheduled meetings with the ongoing PM.
The role of the executive sponsor changes during the inception, planning, and execution of the IG program.
Who should make up the IG team? Although there are no set requirements or formulas, the complex nature of IG and the fact that it touches upon a number of specialized disciplines and functional areas dictates that a cross-functional approach be taken. So you will need representatives from several departments. There are some absolutes: you must have a representative from your legal staff or outside counsel, your information technology (IT) department, a senior records officer (SRO) or the equivalent, a risk management specialist or manager, an executive sponsor, and the IG program manager. In addition, there may be a need for input from managers of human resources, company communications, and certain business units. Depending on the scope of the effort, other possible IG team members might include an IT security expert, the corporate or agency archivist, business analysts, chief knowledge officer or knowledge management (KM) professional, litigation support head, financial analyst, business process specialist, project management professional, and other professionals in functions related to these areas.
The executive sponsor will need to designate an IG PM. Depending on the focus of the IG effort, that person could come from several areas, including legal, compliance, risk management, records management, or IT.
In terms of breaking down the roles and responsibilities of the remainder of the IG team, the easy decision is to have IG team representatives take responsibility for the functional areas of their expertise. But there will be overlap, and it is best to have some pairs or small work groups teamed up to gain the broadest amount of input and optimum results. This will also facilitate cross training. For instance, inside legal counsel may be responsible for rendering the final legal opinions, but because they are not expert in records, document management, or risk management, they could benefit from input of others in specialized functional areas, which will inform them and help narrow and focus their legal research. Basic research into which regulations and laws apply to the organization regarding security, retention, and preservation of e-mail, e-records, and personally identifiable information (PII) could be conducted by the SRO or records management head, in consultation with the corporate archivist and CIO, with the results of their findings and recommendations drafted and sent to the legal counsel. The draft report may offer up several alternative approaches that need legal input and decisions. Then the legal team lead can conduct its own, focused research and make final recommendations regarding the organization's legal strategy, business objectives, financial position, and applicable laws and regulations.
The risk mitigation plan develops risk reduction options and tasks to reduce specified risks and improve the odds for achieving business objectives.
The IG team must include a cross-functional group of stakeholders from various departments, including legal, records management, IT, and risk management.
The result of the research, consultation, and collaboration of the IG team should result in a final draft of the IG strategic plan. It will still need more input and development to align the plan with business objectives, an analysis of internal and external drivers, applicable best practices, competitive analysis, applicable IT trends, an analysis and inclusion of the organization's culture, and other factors.
The IG plan must support the achievement of the organization's business objectives and therefore must be melded into the organization's overall strategic plan. Integration with the strategic plan means that the business objectives in the IG plan are consistent with, and in support of, the enterprise strategic plan.
So, for example, if the corporate strategy includes plans for acquiring smaller competitors and folding them into the organization's structure as operating divisions, then the IG plan must assist and contribute to this effort. Plans for standardizing operating policies and procedures must include a consistent, systematized approach to the components of IG, including stakeholder consultation, user training and communications, and compliance audits. The IG plan should bring a standard approach across the spectrum of information use and management within the organization and it must be forged to accommodate the new technology acquisitions. This means that e-mail policies, e-discovery policies, mobile device policies, social media policies, cloud collaboration and storage use, and even nitty-gritty details like report formats, data structures, document taxonomies, and metadata must be consistent and aligned with the overall strategic plan. In other words, the goal is to get all employees on the same page and working to support the business objectives of the strategic plan in everyday small steps within the IG plan.
The IG strategic plan must be aligned and synchronized with the organization's overall strategic plans, goals, and business objectives.
The organization will also have an IT plan that must be aligned with the strategic plan to support overall business objectives. The IT strategy may be to convert new acquisitions to the internal financial and accounting systems of the organization and to train new employees to use the existing software applications under the umbrella of the IG plan. Again, the IG plan needs to be integrated with the IT strategy and must consider the organization's approach to IT.
The result of the process of aligning the IG effort with the IT strategy and the organization's overall strategic plan will mean, ideally, that employee efforts are more efficient and productive since they are consistently moving toward the achievement of the organization's overall strategic goals. The organization will be healthier and will have less dissent and confusion with clear IG policies that leverage the IT strategy and help employees pursue overall business objectives.
Further considerations must be folded into the IG plan. As every corporate culture is different and has a real impact on decision-making and operational approaches, corporate culture must be included in the plan. Corporate culture includes the organization's appetite for risk, its use of IT (e.g., forward-thinking first adopter), its capital investment strategies, and other management actions.
So, if the organization is conservative and risk averse, it may want to hold off on implementing some emerging e-discovery technologies that can cut costs but also induce greater risk. Or if it is an aggressive, progressive, risk-taking organization, it may opt to test and adopt newer e-discovery technologies under the IT strategy and umbrella of IG policies. An example may be the use of predictive coding technology in early case assessment (ECA). Predictive coding uses text auto-classification technology and neural technology with the assistance of human input to “learn” which e-documents might be relevant in a particular legal matter and which may not be. Through a series of steps of testing and checking subsets of the documents, humans can provide input to improve the document sorting and selection process. The software uses machine learning (artificial intelligence whereby the software can change and improve on a particular task, as its decision engine is shaped and “trained” by input) to improve its ability to cull through and sort documents.
Predictive coding can reduce e-discovery costs, yet there are risks that the approach can be challenged in court and could, in fact, affect the case adversely. Thus, a decision on a technology like predictive coding can involve and include elements of the IG plan, IT strategy, and overall organizational strategic plan.
And there are resource issues to consider: How much management time, or bandwidth, is available to pursue the IG plan development and execution? Is there a budget item to allow for software acquisitions and training and communications to support the execution of the IG plan? Obviously, without the allocated management time and budget money, the IG plan cannot be executed.
The IG plan is now harmonized and aligned with your organization's strategic plan and IT strategy, but you are not finished yet, because the plan cannot survive in a vacuum: Organizations must analyze and consider the external business, legal, and technological environment and fold their analysis into their plans.
IG requires IT to support and monitor implementation of polices, so it matters what is developing and trending in the IT space. What new technologies are coming online? Why are they being developed and becoming popular? How do these changes in the business environment that created opportunities for new technologies to be developed affect your organization and its ability execute its IG plan? How can new technologies assist? Which ones are immature and too risky? These are some of the questions that must be addressed in regard to the changing IT landscape.
Some changes in information and communications technology (ICT) are rather obvious, such as the trends toward mobile computing, tablet and smartphone devices, cloud storage, and social media use. Each one of these major trends that may affect or assist in implementing IG needs to be considered within the framework of the organization's strategic plan and IT strategy. If the corporate culture is progressive and supportive of remote work and telecommuting, and if the organizational strategy aims to lower fixed costs by reducing the amount of office space for employees and moving to a more mobile workforce, then trends in tablet and smartphone computing that are relevant to your organization must be analyzed and considered. Is the organization going to provide mobile devices or support a bring-your-own-device (BYOD) environment? Which equipment will you support? Will you support iOS, Android, or both? What is your policy going to be on phone jacking? What is the IG policy regarding confidential documents on mobile devices? Will you use encryption? If so, which software? Is your enterprise moving to the cloud computing model? Utilizing social media? What about Big Data and analytics? Are you going to consider deploying auto-classification and predictive coding technologies? What are the trends that might affect your organization?
Many, many questions must be addressed, but the evaluation must be narrowed down to those technology trends that specifically might impact the execution of your IG plan and rollout of new technology.
On a more granular level, you must evaluate even supported file and document formats. It gets that detailed, when you are crafting IG policy. For instance, PDF/A is the standard format for archiving electronic documents. So your plans must include long-term digital preservation (LTDP) standards and best practices.
If the economy is on a down cycle, and particularly if your business sector has been negatively affected, resources may be scarcer than in better times. Hence, it may be more difficult to get budget approval for necessary program expenses, such as new technologies, staff, training materials, communications, and so forth. This means your IG plan may need to be scaled back or its scope reduced. Implementing the plan in a key division rather than attempting an enterprise rollout may be the best tactic in tough economic times.
Trends and conditions in the internal and external business environment must be included in the IG strategic plan.
But if things are booming and the business is growing fast, budget money for investments in the IG program may be easier to secure, and the goals may be expanded.
IG should be an ongoing program, but it takes time to implement, and it takes resources to execute, audit, and continue to refine. So an executive looking for a quick and calculable payback on the investment may want to focus on narrower areas. For instance, the initial focus may be entirely on the legal hold and e-discovery process, with business objectives that include reducing pretrial costs and attorney fees by a certain percentage or amount. It is much easier to see concrete results when focusing on e-discovery, since legal costs are real, and always will be there. The business case may be more difficult to make if the IG effort is broader and improves the ability to organize and search for information faster and to execute more complete searches to improve the basis for management decision making. Improved management decision making will improve the organization's competitiveness long-term, but it may be difficult to cite specific examples where costs were saved or revenues were increased as a result of the “better decisions” that should come about through better IG.
In consultation with your legal team or lead, the laws and regulations that affect your industry should be identified. Narrowing the scope of your analysis, those that specifically could impact your governance of information should be considered and analyzed. What absolute requirements do they impose? Where there is room for interpretation, where, legally, does your organization want to position itself? How much legal risk is acceptable? These are the types of questions you will have to look to your legal and risk management professionals to make. Again, legal requirements trump all others.
Your decision process must include considerations for the future and anticipated future changes. Changes in the legal and regulatory environment happen based on the political leaders who are in place and any pending legislation. So you must go further and analyze the current political environment and make some judgments based on the best information you can gather, the organization's culture and appetite for risk, management style, available resources, and other factors. Generally, a more conservative environment means less regulation, and this analysis must also be folded into your IG strategic plan.
Laws and regulations relevant to your organization's management and distribution of information in all jurisdictions must be considered and included in the IG strategic plan. Legal requirements trump all others.
Include a best practices review in your IG strategic plan. The most relevant best practices in IG are those in your industry proven by peers and competitors.
IG is a developing hybrid discipline. In a sense, it is a superset of records management and a subset of governance, risk management, and compliance (GRC), that emerged to help manage the explosion in the amount of records, documents, and data that must be managed in today's increasingly high-volume and velocity business environment and highly regulated compliance and litigation environment. As such, best practices are still being formed and added to. This process of testing, proving, and sharing best practices will continue for some time as the practices are expanded, revised, and refined.
The most relevant study of IG best practices is one that is conducted for your organization and surveys your industry and what some of your more progressive competitors are doing in regard to IG. Often the best way to accomplish such a study is by engaging a third-party consultant, who can more easily contact, study, and interview your competitors in regard to their practices. Business peer groups and trade associations also can provide some consensus as to emerging best practices.
Twenty-five IG best practices covering a number of areas in which IG has an impact or should be a major consideration are listed next.
To implement a successful IG program, enterprises must standardize and systematize their handling of information, in particular their formal business records. They must analyze and optimize how information is accessed, controlled, managed, shared, stored, preserved, and audited. They must have complete, current, and relevant policies, processes, and technologies to manage and control information, including who is able to access what information, and when, to meet external legal and regulatory demands and internal governance requirements. This, in short, is IG.
Compare the IG program to a workplace safety program; every time a new location, team member, piece of equipment, or toxic substance is acquired by the organization, the workplace safety program should dictate how that is handled. If it does not, the workplace safety policies/procedures/training that are part of the workplace safety program need to be updated. Regular reviews are conducted to ensure the program is being followed, and adjustments are made based on the findings. The effort never ends.5
Now comes the time to make sense of all the data and input your IG team has gathered and hammer it into a workable IG strategic plan. Doing this will involve some give-and-take among IG team members, each having their own perspective and priorities. Everyone will be lobbying for the view of their functional groups. It is the job of the executive sponsor to set the tone and to emphasize organizational business objectives so that the effort does not drag out or turn into a competition but is a well-informed consensus development process that results in a clear, workable IG strategic plan.
Your IG team will have gathered a great deal of information, which needs to be analyzed and distilled into actionable strategies. This process will depend on the expertise and input of the specialized knowledge your team brings to the table within your organizational culture. Team members must be able to make decisions and establish priorities that reflect organizational business objectives and consider a number of influencing factors.
Do not prolong the strategy development process. The longer it lasts, the more key factors influencing it can change. You want to develop a strategic plan that is durable enough to withstand changes in technology, legislation, and other key influencing factors, but it should be relevant to that snapshot of information that was collected early on. When all the parts and pieces start changing and require reconsideration, a dated IG plan does not serve the organization well.
Develop IG strategies for each of the critical areas, including the legal hold process, e-discovery action plans, e-mail policy, mobile computing policy, IT acquisition strategy, confidential document handling, vital records and disaster planning, social media policy, and other areas that are important to your organization. To maintain focus, do this first without regard to the prioritization of these areas.
Fuse the findings of all your analyses of external and internal factors into your IG strategic plan. Develop strategies and then prioritize them.
Then you must go through the hard process of prioritizing your strategies and aligning them to your organizational goal and objectives. This may not be difficult in the beginning—for instance, your IG strategies for legal holds and e-discovery readiness are likely going to take higher priority than your social media policy, and protecting vital records is paramount to any organization. As the process progresses, it will become more challenging to make trade-offs and establish priorities. Then you must tie these strategies to overall organizational goals and business objectives.
A good technique to keep goals and objectives in mind may be to post them prominently in the meeting room where these strategy sessions take place. This will help to keep the IG team focused.
Plans and policies to support your IG efforts must be developed that identify specific tasks and steps and define roles and responsibilities for those who will be held accountable for their implementation. This is where the rubber meets the road. But you cannot simply create the plan and marching orders: You must build in periodic checks and audits to test that new IG policies are being followed and that they have hit their mark. Invariably, there will be adjustments made continually to craft the policies for maximum effectiveness and continued relevance in the face of changes in external factors, such as legislation and business competition, and internal changes in management style and structure.
You have to get things moving and get employees motivated, and launching new sub-programs within the overall IG program is a good way to start. For instance, a new “e-discovery readiness” initiative can show almost immediate results if implemented properly, with the support of key legal and records management team members, driven by the executive sponsor. You may want to revamp the legal hold process to make it more complete and verifiable, assigning specific employees accountability for specific tasks. Part of that effort may be evaluating and implementing new technology-assisted review (TAR) processes and predictive coding technology. So you will need to bring in the IG team members responsible for IT and perhaps business analysis. Working cooperatively on smaller parts of the overall IG program is a way to show real results within defined time frames. Piecing together a series of program components is the best way to get started, and it breaks the overall IG program down into digestible, doable chunks. A small win early on is crucial to maintain momentum and executive sponsorship. And e-discovery has real costs: yet progress can be measured objectively in terms of reducing the cost of activities such as early case assessment (ECA). Benefits can be measured in terms of reduced attorney review hours, reduced costs, and reduced time to accomplish pretrial tasks.
Create supporting subprograms to jump-start your IG program effort. Smaller programs should be able to measure real results based on metrics that are agreed on in advance.
To be clear, you will need to negotiate and agree on the success metrics the program will be measured on in advance.
There are other examples of supporting IG subprograms, such as e-mail management and archiving, where storage costs, search times, and information breaches can be measured in objective terms. Or you may choose to roll out new policies for the use of mobile devices within your organization, where adherence to policy can be measured by scanning mobile devices and monitoring their use.
Once you have the pieces of the plan drafted and the IG team is in agreement that it has been harmonized and aligned with overall organizational goals and objectives, you must test the waters to see if you have hit the mark. It is a good practice to expose a broader group of stakeholders to the plan to gain their input. Perhaps your IG team has become myopic or has passed over some points that are important to the broader stakeholder audience. Solicit and discuss their input, and to the degree that there is a consensus, refine the IG strategic plan one last time before finalizing it. But remember, it is a living document, a work in progress, which will require revisiting and updating to ensure it is in step with changing external and internal factors. Periodic auditing and review of the plan will reveal areas that need to be adjusted and revised to keep it relevant and effective.
Take the finalized plan to executive management, preferably including the CEO, and present the plan and its intended benefits to them. Field their questions and address any concerns to gain their buy-in and the appropriate signatures. You may have to make some minor adjustments if there are significant objections, but, if you have executed the stakeholder consultation process properly, you should be very close to the mark. Then begin the process of implementing your IG strategic plan, including regular status meetings and updates, steady communication and reassurance of your executive sponsor, and planned audits of activities.
1. ARMA International, “How to Cite GARP,” www.arma.org/garp/copyright.cfm (accessed October 9, 2013).
2. Roger Kastner, “Why Projects Succeed—Executive Sponsorship,” February 15, 2011, http://blog.slalom.com/2011/02/15/why-projects-succeed-%E2%80%93-executive-sponsorship/
4. Economist Intelligence Unit, “The Future of Information Governance,” www.emc.com/leadership/business-view/future-information-governance.htm (accessed October 9, 2013).
5. Monica Crocker, e-mail to author, June 21, 2012.
6. EDRM, “Information Governance Reference Model (IGRM) Guide,” www.edrm.net/resources/guides/igrm (accessed November 30, 2012).
7. Randolph A. Kahn, https://twitter.com/InfoParkingLot/status/273791612172259329, Nov. 28, 2012.
8. John Fraser and Betty Simkins, eds., Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives (Hoboken, NJ: John Wiley & Sons, 2010), p. 171.
9. Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK Guide), 4th ed. (Newtown Square, PA Project Management Institute, 2008), ANSI/PMI 99–001–2008, pp. 273–312.
10. Kate Cumming, “Metadata Matters,” in Julie McLeod and Catherine Hare, eds., Managing Electronic Records, p. 34 (London: Facet, 2005).
11. Minnesota State Archives, Electronic Records Management Guidelines, “Metadata,” March 12, 2012, www.mnhs.org/preserve/records/electronicrecords/ermetadata.html.
12. Charles Dollar and Lori Ashley, e-mail to author, August 10, 2012.
3.143.239.234