CHAPTER 5
Strategic Planning and Best Practices for Information Governance

A strategic plan is the process of envisioning your organization's desired future state, developing business objectives that must be accomplished to progress toward it, and then determining the steps and milestones needed to achieve the desired future state. Your information governance (IG) strategic plan should support and be in alignment with the organization's overall strategic plan.

Securing a sponsor at the executive management level is always crucial to projects and programs, and this is especially true of any strategic planning effort. An executive must be on board and supporting the effort in order to garner the resources needed to develop and execute the strategic plan, and that executive must be held accountable for the development and execution of the plan. These axioms apply to the development of an IG strategic plan.

Also, resources are needed—time, human capital, and budget money. The first is a critical element: it is not possible to require managers to take time out of their other duties to participate in a project if there is no executive edict and consistent follow-up, support, and communication. Executive sponsorship is a best practice. And, of course, without an allocated budget, no program can proceed.

The higher your executive sponsor is in the organization, the better.1 The implementation of an IG program may be driven at a high level by the general counsel (GC), chief risk officer, chief compliance officer, chief information officer (CIO), or, ideally, the chief executive officer (CEO). With CEO sponsorship come many of the key elements needed to complete a successful project, including allocated management time, budget money, and management focus.

It is important to bear in mind that this IG effort is truly a change management effort, in that it aims to change the structure, guidelines, and rules within which employees operate. The change must occur at the very core of the organization's culture. It must be embedded permanently, and for it to be, the message must be constantly and consistently reinforced. Achieving this kind of change requires commitment from the very highest levels of the organization.

If the CEO is not the sponsor, then another high-level executive must lead the effort and be accountable for meeting milestones as the program progresses. Programs with no executive sponsor or an unenthusiastic one can lose momentum and focus, especially as competing projects and programs are evaluated and implemented. Program failure is a great risk without a strong executive sponsor. Such a program likely will fade or fizzle out or be relegated to the back burner. Without strong high-level leadership, when things go awry, finger pointing and political games may take over, impeding progress and cooperation.

The executive sponsor must be actively involved, tracking program objectives and milestones on a regular, scheduled basis and ensuring they are aligned with business objectives. He or she must be aware of any obstacles or disputes that arise, take an active role in resolving them, and push the program forward.

Crucial Executive Sponsor Role

The role of an executive sponsor is high level, requiring periodic and regular attention to the status of the program, particularly with budget issues, staff resources, and milestone progress. The role of a program or project manager (PM) is more detailed and day-to-day, tracking specific tasks that must be executed to make progress toward milestones. Both roles are essential. The savvy PM brings in the executive sponsor to push things along when more authority is needed but reserves such project capital for those issues that absolutely cannot be resolved without executive intervention. It is best for the PM to keep the executive sponsor fully informed but to ask for assistance only when absolutely needed.

At the same time, the PM must manage the relationship with the executive sponsor, perhaps with some gentle reminders, coaxing, or prodding, to ensure that the role and tasks of executive sponsorship are being fulfilled. “[T]he successful Project Manager knows that if those duties are not being fulfilled, it's time to call a timeout and have a serious conversation with the Executive Sponsor about the viability of the project.”2

The executive sponsor serves six key purposes on a project:

  1. Budget. The executive sponsor ensures an adequate financial commitment is made to see the project through and lobbies for additional expenditures when change orders are made or cost overruns occur.
  2. Planning and control. The executive sponsor sets direction and tracks accomplishment of specific, measurable business objectives.
  3. Decision making. The executive sponsor makes or approves crucial decisions and resolves issues that are escalated for resolution.
  4. Expectation management. The executive sponsor must manage expectations, since success is quite often a stakeholder perception.
  5. Anticipation. Every project that is competing for resources can run into unforeseen blockages and objections. Executive sponsors run interference and provide political might for the PM to lead the project to completion, through a series of milestones.
  6. Approval. The executive sponsor signs off when all milestones and objectives have been met.

An eager and effective executive sponsor makes all the difference to an IG program—if the role is properly managed by the PM. It is a tricky relationship, since the PM is always below the executive sponsor in the organization's hierarchy, yet the PM must coax the superior into tackling certain high-level tasks. Sometimes a third-party consultant who is an expert in the specific project can instigate and support requests made of the sponsor and provide a solid business rationale.

Evolving Role of the Executive Sponsor

The role of the executive sponsor necessarily evolves and changes over the life of the initial IG program launch, during the implementation phases, and on through the continued IG program.

To get the program off the ground, the executive sponsor must make the business case and get adequate budgetary funding. But an effort such as this takes more than money; it takes time—not just time to develop new policies and implement new technologies, but the time of the designated PM, program leaders, and needed program team members.

In order to get this time set aside, the IG program must be made a top priority of the organization. It must be recognized, formalized, and aligned with organizational business objectives. All this up-front work is the responsibility of the executive sponsor.

Once the IG program team is formed, team members must clearly understand why the new program is important and how it will help the organization meet its business objectives. This message must be regularly reinforced by the executive sponsor; he or she must not only paint the vision of the future state of the organization but articulate the steps in the path to get there.

When the formal program effort commences, the executive sponsor must remain visible and accessible. He or she cannot disappear into everyday duties and expect the program team to carry the effort through. The executive sponsor must be there to help the team confront and overcome business obstacles as they arise and must praise the successes along the way. This requires active involvement and a willingness to spend the time to keep the program on track and focused.

The executive sponsor must be the lighthouse that shows the way, even through cloudy skies and rough waters. This person is the captain who must steer the ship, even if the first mate (PM) is seasick and the deckhands (program team) are drenched and tired.

After the program is implemented, the executive sponsor is responsible for maintaining its effectiveness and relevance. This is done through periodic compliance audits, testing and sampling, and scheduled meetings with the ongoing PM.

Building Your IG Team

Who should make up the IG team? Although there are no set requirements or formulas, the complex nature of IG and the fact that it touches upon a number of specialized disciplines and functional areas dictate that a cross-functional approach be taken. Therefore you will need representatives from several departments. There are some absolutes: you must have an executive sponsor and an IG program manager, hopefully a chief IG officer. And based on the Information Governance Reference Model and empirical research, you'll need a representative from your legal staff or outside counsel, your information technology (IT) department, a senior records officer (SRO) or the equivalent, an information security professional, and hopefully a privacy professional, especially in this era of GDPR, California Consumer Privacy Act, and emerging privacy compliance legislation around the globe. In addition, there may be a need for input from your chief data officer (CDO), managers of compliance, risk management, human resources (for training and communications), and certain business units that could benefit most from IG. You also may want to recruit the CFO, based on the idea that breaches and unauthorized access or misuse of information can damage the brand and cause a loss in equity value, and also that the CFO can provide input into approaches to leveraging and monetizing information assets.

The most appropriate business units to participate are those with the most pressing IG issues. It could be the department with the most litigation, where litigation costs and risk could be substantially cut. Or the department where information is either inaccurate or not quickly found, which causes compliance violations, fines, or sanctions, or compromises in customer service. Or it could be the department with the greatest opportunities to monetize and leverage information as an asset.

Depending on the scope of the effort, other possible IG team members might include an analytics specialist; a change management specialist; an audit lead; the chief knowledge officer (CKO) for knowledge management (KM); the corporate or agency archivist; business analysts; the litigation support head; a business process specialist; a project management professional; and other professionals in functions related to these areas.

Assigning IG Team Roles and Responsibilities

The executive sponsor will need to designate an IG program manager (PM). Depending on the focus of the IG effort, that person could come from several areas, including legal, privacy, cybersecurity, compliance, risk management, records management, or IT.

In terms of breaking down the roles and responsibilities of the remainder of the IG team, the easy decision is to have IG team representatives take responsibility for the functional areas of their expertise. But there will be overlap, and it is best to have some pairs or small work groups teamed up to gain the broadest amount of input and optimum results. This will also facilitate cross training. For instance, inside legal counsel may be responsible for rendering the final legal opinions, but because they are not expert in records, document management, or risk management, they could benefit from input of others in specialized functional areas, which will inform them and help narrow and focus their legal research. Basic research into which regulations and laws apply to the organization regarding security, retention, and preservation of e-mail, e-records, and PII or PHI could be conducted by the SRO or records management head, in consultation with the corporate archivist and CIO, with the results of their findings and recommendations drafted and sent to the legal counsel. The draft report may offer up several alternative approaches that need legal input and decisions. Then the legal team lead can conduct its own focused research and make final recommendations regarding the organization's legal strategy, business objectives, financial position, and applicable laws and regulations.

The research, consultation, and collaboration of the IG team should result in a final draft of the IG strategic plan. It will still need more input and development to align the plan with business objectives, an analysis of internal and external drivers, applicable best practices, competitive analysis, applicable IT trends, an analysis and inclusion of the organization's culture, and other factors.

Align Your IG Plan with Organizational Strategic Plans

The IG plan must support the achievement of the organization's business objectives and therefore must be melded into the organization's overall strategic plan. Integration with the strategic plan means that the business objectives in the IG plan are consistent with, and in support of, the enterprise strategic plan.

So, for example, if the corporate strategy includes plans for acquiring smaller competitors and folding them into the organization's structure as operating divisions, then the IG plan must assist and contribute to this effort. Plans for standardizing operating policies and procedures must include a consistent, systematized approach to the components of IG, including stakeholder consultation, user training and communications, and compliance audits. The IG plan should bring a standard approach across the spectrum of information use and management within the organization and it must be forged to accommodate the new technology acquisitions. This means that e-mail policies, e-discovery policies, mobile device policies, social media policies, cloud collaboration and storage use, and even nitty-gritty details like report formats, data structures, document taxonomies, and metadata must be consistent and aligned with the overall strategic plan. In other words, the goal is to get all employees on the same page and working to support the business objectives of the strategic plan in everyday small steps within the IG plan.

The organization will also have an IT plan that must be aligned with the strategic plan to support overall business objectives. The IT strategy may be moving to a cloud-based approach, which means that cloud-based solutions should be considered first, to align with the IT plan. Or, the IT strategy could be to convert new acquisitions to the internal financial and accounting systems of the organization and to train new employees to use the existing software applications under the umbrella of the IG plan. Again, the IG plan needs to be integrated with the IT strategy and must consider the organization's approach to IT.

The result of the process of aligning the IG effort with the IT strategy and the organization's overall strategic plan will mean, ideally, that employee efforts are more efficient and productive since they are consistently moving toward the achievement of the organization's overall strategic goals. The organization will be healthier and will have less dissent and confusion with clear IG policies that leverage the IT strategy and help employees pursue overall business objectives.

Further considerations must be folded into the IG plan. As every corporate culture is different and has a real impact on decision-making and operational approaches, corporate culture must be included in the plan. Corporate culture includes the organization's appetite for risk, its use of IT (e.g. forward-thinking first adopter versus laggard), its capital investment strategies, and other management actions, which may be characterized as conservative, progressive/aggressive, or somewhere in between.

So, if the organization is conservative and risk averse, it may want to hold off on implementing some emerging content analytics or e-discovery technologies that can cut costs but also induce greater risk. Or if it is an aggressive, progressive, risk-taking organization, it may opt to test and adopt newer e-discovery technologies under the IT strategy and umbrella of IG policies. An example may be the use of blockchain technology to develop new applications. Or implementing artificial intelligence (AI), such as predictive coding technology in early case assessment (ECA). Predictive coding uses text auto-classification technology and neural technology with the assistance of human input to “learn” which e-documents might be relevant in a particular legal matter and which may not be. Through a series of steps of testing and checking subsets of the documents, humans provide input to improve the document or e-mail sorting and selection process. The software uses machine learning (a form of artificial intelligence whereby the software can change and improve on a particular task, as its decision engine is shaped and “trained” by input) to improve its ability to cull through and sort documents.

Predictive coding can reduce e-discovery costs, yet there are risks that the approach can be challenged in court and could, in fact, affect the case adversely. Thus, a decision on a technology like predictive coding can involve and include elements of the IG plan, IT strategy, and overall organizational strategic plan.

And there are resource issues to consider: How much management time, or bandwidth, is available to pursue the IG plan development and execution? Is there a budget item to allow for software acquisitions and training and communications to support the execution of the IG plan? Obviously, without the allocated management time and budget money, the IG plan cannot be executed.

Survey and Evaluate External Factors

The IG plan is now harmonized and aligned with your organization's strategic plan and IT strategy, but you are not finished yet, because the plan cannot survive in a vacuum: organizations must analyze and consider the external business, legal, and technological environment and fold their analysis into their plans.

Analyze IT Trends

IG requires IT to support and monitor implementation of policies, so it matters what is developing and trending in the IT space. What new technologies are coming online? Are you tracking developments in AI, blockchain, and the Internet of Things (IoT)? Why are they being developed and becoming popular? How do these changes in the business environment that created opportunities for new technologies to be developed affect your organization and its ability to execute its IG plan? How can new technologies assist? Which ones are immature and too risky? These are some of the questions that must be addressed in regard to the changing IT landscape.

Some changes in information and communications technology (ICT) are rather obvious, such as the trends toward mobile computing, tablet and smartphone devices, cloud storage, and social media use. Each one of these major trends that may affect or assist in implementing IG needs to be considered within the framework of the organization's strategic plan and IT strategy. If the corporate culture is progressive and supportive of remote work and telecommuting, and if the organizational strategy aims to lower fixed costs by reducing the amount of office space for employees and moving to a more mobile workforce, then trends in collaborative software, and in tablet and smartphone computing that are relevant to your organization, must be analyzed and considered. Is the organization going to provide mobile devices or support a bring-your-own-device environment? Which equipment will you support? Will you support iOS, Android, or both? What is your policy going to be on phone jacking (changing communications carrier settings)? What is the IG policy regarding confidential documents on mobile devices? Will you use encryption? If so, which software? Is your enterprise moving to the cloud computing model? Utilizing social media? What about Big Data? Are you going to consider deploying auto-classification and predictive coding technologies? What are the trends that might affect your organization?

Many, many questions must be addressed, but the evaluation must be narrowed down to those technology trends that specifically might impact the execution of your IG plan and rollout of new technology.

On a more granular level, you must evaluate even supported file and document formats. It gets that detailed when you are crafting IG policy. For instance, PDF/A-1 is the standard format for archiving electronic documents. So your plans must include long-term digital preservation (LTDP) standards and best practices for those records that must be stored to document the heritage of the organization.

Survey Business Conditions and the Economic Environment

If the economy is on a down cycle, and particularly if your business sector has been negatively affected, resources may be scarcer than in better times. Hence, it may be more difficult to get budget approval for necessary program expenses, such as new technologies, staff, training materials, communications, and so forth. This means your IG plan may need to be scaled back or its scope reduced. Implementing the plan in a key division rather than attempting an enterprise rollout may be the best tactic in tough economic times. Also, there are a number of activities that can be executed at a relatively low cost to move the IG program along, such as policy development, taxonomy development, updating departmental file plans, and so forth.

But if things are booming and the business is growing fast, budget money for investments in the IG program may be easier to secure, and the goals may be expanded.

IG must be an ongoing program, but it takes time to implement, and it takes temporal, human, and financial resources to execute, audit, and continue to refine. So an executive looking for a quick and calculable payback on the investment may want to focus on narrower areas. For instance, the initial focus may be entirely on shared drive cleanup of redundant, obsolete, and trivial (ROT) information. Or providing security awareness training (SAT) to employees who handle information to lower risk. Or it could focus on the legal hold and e-discovery process, with business objectives that include reducing pretrial costs and attorney fees by a certain percentage, ratio, or amount. Concrete results can be seen when focusing on e-discovery, since legal costs are real, and always will be there. The business case may be more difficult to make if the IG effort is broader in focus. If the focus is on improving search capabilities, for faster and more accurate retrieval, the organization will benefit as a whole, but it will take time to see results. When the results are evident, management decision making, as well as compliance capabilities, will be improved. Improved management decision making will improve the organization's competitiveness in the long term, but it may be difficult to cite specific examples where costs were saved or revenues were increased as a result of the “better decisions” that should come about through better IG.

Analyze Relevant Legal, Regulatory, and Political Factors

In consultation with your legal team or lead, the laws and regulations that affect your industry should be identified. Narrowing the scope of your analysis, those that specifically could impact your governance of information should be considered and analyzed. What absolute requirements do they impose? Where there is room for interpretation, where, legally, does your organization want to position itself? How much legal risk is acceptable? For instance, practical organizations may focus on those regulations that regulators are focusing on for that particular cycle. These are the types of questions you will have to look to your legal and risk management professionals to answer. Again, legal requirements take priority over all others.

Your decision process must include considerations for the future and anticipated future changes. Changes in the legal and regulatory environment happen based on the political leaders who are in place and any pending legislation. So you must go further and analyze the current political environment and make some judgments based on the best information you can gather, the organization's culture and appetite for risk, management style, available resources, and other factors. Generally, a more conservative environment means less regulation, and this analysis must also be folded into your IG strategic plan.

Survey and Determine Industry Best Practices

IG is a developing hybrid discipline. In a sense, it's a superset of records and information management (RIM) and a subset of governance, risk management, and compliance (GRC), a discipline that emerged to help executives manage risk and compliance at a high level.

IG developed due to the explosion in the amount of e-mail, records, documents, and data that must be managed in today's increasingly high-volume and velocity business environment and highly regulated and litigious compliance environment. As such, best practices are still being formed and added to. This process of testing, proving, and sharing IG best practices will continue for the next decade as the practices are expanded, revised, and refined.

The most relevant study of IG best practices is one that is conducted for your organization and surveys your industry and what some of your more progressive competitors are doing in regard to IG. Often the best way to accomplish such a study is by engaging a third-party consultant, who can more easily contact, study, and interview your competitors in regard to their practices. Business peer groups and trade associations also can provide some consensus as to emerging best practices.

Twenty-one examples of IG best practices covering a number of areas in which IG has an impact or should be a major consideration are listed next.

  1. Executive sponsorship is crucial. Securing a committed, engaged executive sponsor at the senior management level is key to successful IG programs. It is not possible to require managers to take time out of their other duties to participate in a project if there is no executive edict. The executive sponsor must own the business case for the IG program, and have a long-term vested interest in its success. It is advisable to also have a deputy executive sponsor to help support the program and assure the durability of IG program leadership.
  2. Establish a cross-functional IG council or steering committee. There must be a holistic view of information use in the organization, which seeks to leverage it as an asset, and to reduce its risks and costs. At a minimum, there must be representation from Legal, IT, Privacy, Information Security, RIM, and possibly Finance, and Human Resources, and, depending on the organization and its focus, perhaps other key groups such as Risk Management, Data Governance, Analytics, Knowledge Management, and more.
  3. Create a formal IG Program Charter for guidance. It should include the overall mission and goals of the IG program, and should list IG committee members and their basic responsibilities, as well as the meeting schedule. It also should show the reporting structure of the IG committee members and delineate their basic program responsibilities. It is advisable to form a small, top-tier “decision committee” to facilitate decisions and recommendations made to the executive sponsor; otherwise, decision making can become slowed and ineffective. The IG Program Charter should be signed off on by the executive sponsor.
  4. Develop an overall organizational strategy for the IG program. This will ensure there is agreement on the aims and foci of the program, and help the various functional groups involved to collaborate and cooperate to execute the IG program strategy. “An overarching strategy is needed—including … organizational performance and risk mitigation—to establish organization's goals and priorities, and consistently drive these through information systems and business processes.”3
  5. IG is not a project, but rather an ongoing program. IG programs are “evergreen” and should eventually become embedded into routine operations. True, there must be discrete projects executed under the overall IG program, which provides an umbrella of guidelines and policies. Performance is then monitored and enforced with the support of metrics, information technologies, and audit tools.

    Compare the IG program to a workplace safety program which is continuously improved, reinforced, and expanded; every time a new location, team member, piece of equipment, or toxic substance is acquired by the organization, the workplace safety program dictates how that is handled and, if it doesn't, workplace safety policies/procedures/training need to be updated. The program must be monitored and audited to ensure the program is followed and to make adjustments. The effort never ends.4

  6. Using an IG framework or maturity model is helpful in assessing and guiding IG programs. Various models are offered. The Information Governance Reference Model, which grew out of the Electronic Discovery Reference Model (both found at EDRM.net),5 can be used early on in developing IG programs to communicate the need for cross-functional collaboration, and to develop the core team. The Information Governance Process Maturity Model (IGPMM), from the Compliance, Governance, and Oversight Council (CGOC), is a comprehensive assessment tool that measures IG program maturity in 22 core IG processes. The IGPMM was released in 2012 and updated and expanded in 2017 to include privacy and data protection obligations, a new data security cost lever, cloud computing safeguards, a greater focus on data governance, and other considerations. For analyzing records management program functions, the Generally Accepted Recordkeeping Principles® from ARMA International are useful and widely used (hence “recordkeeping” in its title).
  7. Business processes must be redesigned when implementing new technologies to streamline operations and maximize impact. Implementing new technologies without redesigning processes will not provide the maximum benefit and impact to the organization.
  8. Leverage analytics to improve decision making and possibly find new value. The entire range of analytics, from descriptive to diagnostic to predictive to prescriptive analytics, must be deployed to fully exploit data value.6 It is crucial to have a robust data governance program in place to assure data quality so the analytics are accurate. Beyond that, the organization should look for ways to monetize data, either directly or indirectly.
  9. Focus data governance efforts heavily on data quality. Improved data quality and availability will help reduce errors, improve decision making, improve customer satisfaction, improve the professional environment, and improve financial performance.
  10. Creating standardized metadata terms should be part of an IG effort that enables faster, more complete, and more accurate searches and retrieval of records. This is important not only in everyday operations, but also for conducting analysis of content for new insights. Good metadata management also assists in the maintenance of corporate memory and improving accountability in business operations.7 Using a standardized format and controlled vocabulary provides a “precise and comprehensible description of content, location, and value.”8 Using a controlled vocabulary means the organization has standardized a set of terms used for metadata elements describing records. This ensures consistency and helps with optimizing search and retrieval functions, as well as meeting e-discovery requests, compliance demands, and other legal and regulatory requirements.
  11. Defensible deletion of data debris and information that no longer has value is critical in the era of Big Data. You must have IG policies in place and be able to prove that you follow them consistently and systematically in order to justify, to the courts and regulators, deletion of information. With a smaller information footprint, organizations can more easily find what they need and derive business value from it.9 Data debris must be eliminated regularly and consistently, and to do this, processes and systems must be in place to cull out valuable information and discard the data debris. An IG program sets the framework to accomplish this.
  12. IG policies must be developed before enabling technologies are deployed to assist in enforcement. After the policy-making effort, seek out the proper technology tools to assist in monitoring, auditing, and enforcement.
  13. To provide comprehensive e-document security throughout a document's life cycle, documents must be secured upon creation using highly sophisticated technologies, such as information rights management (IRM) technology. IRM acts as a sort of “security wrapper” that denies access without proper credentials. Document access and use by individuals having proper and current credentials is also tightly monitored. IRM software controls the access, copying, editing, forwarding, and printing of documents using a policy engine that manages the rights to view and work on an e-document. Access rights are set by levels or “roles” that employees are responsible for within an organization.
  14. A records retention schedule and legal hold notification (LHN) process are two foundational elements of a fundamental IG program. These are the basics. Implementation will require records inventorying, taxonomy development, metadata normalization and standardization, and a survey of LHN best practices.
  15. An information risk mitigation plan is a critical part of the IG planning process. An information risk mitigation plan helps in developing risk mitigation options and tasks to reduce the specified risks and improve the odds of achieving business objectives.10
  16. Proper metrics are required to measure the conformance and performance of your IG program. You must have an objective way to measure how you are doing, which means numbers and metrics. Assigning some quantitative measures that are meaningful before rolling out the IG program is essential.
  17. IG programs must be audited for effectiveness. Periodic audits will tell you how your organization is doing and where to fine-tune your efforts. To keep an IG program healthy, relevant, and effective, changes and fine-tuning will always be required.
  18. Business processes must be redesigned to improve and optimize the management and security of information and especially the most critical information, electronic records, before implementing enabling technologies. For instance, using electronic records management (ERM) and workflow software fundamentally changes the way people work, and greater efficiencies can be gained with business process redesign (versus simply using ERM systems as electronic filing cabinets to speed up poor processes).
  19. Personal archiving of e-mail messages should be disallowed. Although users will want to save certain e-mail messages for their own reasons, control and management of e-mail archiving must be at the organization level or as high a level as is practical, such as division or region.
  20. Destructive retention of e-mail helps to reduce storage costs and legal risk while improving “findability” of critical records. It makes good business sense to have a policy to, say, destroy all e-mail messages after 90 or 120 days that are not flagged as potential records (which, e.g., help document a transaction or a situation that may come into dispute in the future) or those that have a legal hold.
  21. Some digital information assets must be preserved permanently as part of an organization's documentary heritage.11 It is critical to identify records that must be kept for the long term as early in the process as possible; ideally, these records should be identified prior to or upon creation. LTDP applies to content that is born digital as well as content that is converted to digital form. Digital preservation is defined as long-term, error-free storage of digital information, with means for retrieval and interpretation, for the entire time span that the information is required to be retained. Dedicated repositories for historical and cultural memory, such as libraries, archives, and museums, need to move forward to put in place trustworthy digital repositories that can match the security, environmental controls, and wealth of descriptive metadata that these institutions have created for analog assets (such as books and paper records). Digital challenges associated with records management affect all sectors of society—academic, government, private, and not-for-profit enterprises—and ultimately citizens of all developed nations.

Formulating the IG Strategic Plan

Now comes the time to make sense of all the information and input your IG team has gathered and hammer it into a workable IG strategic plan. Doing this will involve some give-and-take among IG team members, each having their own perspective and priorities. Everyone will be lobbying for the view of their functional groups. It is the job of the executive sponsor to set the tone and to emphasize organizational business objectives so that the effort does not drag out or turn into a competition but is a well-informed consensus development process that results in a clear, workable IG strategic plan.

Synthesize Gathered Information and Fuse It into IG Strategy

At this point your IG team will have gathered a great deal of information that needs to be analyzed and distilled into actionable strategies. This process will depend on the expertise and input of the specialized knowledge your team brings to the table within your organizational culture. Team members must be able to make decisions and establish priorities that reflect organizational business objectives and consider a number of influencing factors.

Do not prolong the strategy development process—the longer it lasts, the more key factors influencing it can change. You want to develop a strategic plan that is durable enough to withstand changes in technology, legislation, and other key influencing factors, but it should be relevant to that snapshot of information that was collected early on. When all the parts and pieces start changing and require reconsideration, a dated IG plan does not serve the organization well.

Develop IG strategies for each of the critical areas, including the legal hold process, e-discovery action plans, e-mail policy, mobile computing policy, IT acquisition strategy, confidential document handling, vital records and disaster planning, social media policy, and other areas that are important to your organization. To maintain focus, do this first without regard to the prioritization of these areas.

Then you must go through the hard process of prioritizing your strategies and aligning them to your organizational goals and objectives. This may not be difficult in the beginning—for instance, your IG strategies for legal holds and e-discovery readiness are likely going to take higher priority than your social media policy, and protecting vital records is paramount to any organization. As the process progresses, it will become more challenging to make trade-offs and establish priorities. Then you must tie these strategies to overall organizational goals and business objectives.

A good technique to keep goals and objectives in mind may be to post them prominently in the meeting room where these strategy sessions take place. This will help to keep the IG team focused.

Develop Actionable Plans to Support Organizational Goals and Objectives

Plans and policies to support your IG efforts must be developed that identify specific tasks and steps and define roles and responsibilities for those who will be held accountable for their implementation. This is where the rubber meets the road. But you cannot simply create the plan and marching orders: You must build in periodic checks and audits to test that new IG policies are being followed and that they have hit their mark. Invariably, there will be adjustments made continually to craft the policies for maximum effectiveness and continued relevance in the face of changes in external factors, such as legislation and business competition, and internal changes in management style and structure.

Create New IG Driving Programs to Support Business Goals and Objectives

You have to get things moving and get employees motivated, and launching new subprograms within the overall IG program is a good way to start. For instance, a new security awareness training (SAT) program for knowledge workers that is fun, engaging, and gamified can energize the IG program and immediately reduce information risk, while demonstrating that senior management is prudent and proactive.

An “e-discovery readiness” initiative can show almost immediate results if implemented properly, with the support of key legal and records management team members, driven by the executive sponsor. You may want to revamp the legal hold process to make it more complete and verifiable, assigning specific employees specific tasks to be accountable for. Part of that effort may be evaluating and implementing new technology-assisted review (TAR) processes and predictive coding technology. So you will need to bring in the IG team members responsible for IT and perhaps business analysis. Working cooperatively on smaller parts of the overall IG program is a way to show real results within defined time frames. Piecing together a series of program components is the best way to get started, and it breaks the overall IG program down into digestible, doable chunks. A small win early on is crucial to maintain momentum and executive sponsorship. E-discovery has real costs, yet progress can be measured objectively in terms of reducing the cost of activities such as early case assessment (ECA). Benefits can be measured in terms of reduced attorney review hours, reduced costs, and reduced time to accomplish pretrial tasks.

To be clear, you will need to negotiate and agree in advance on the success metrics by which the program will be measured.

There are other examples of supporting IG subprograms, such as shared drive ROT cleanup and remediation; updating departmental file plans and the records retention schedule (RRS); or e-mail management and archiving, where storage costs, search times, and information breaches can be measured in objective terms. Or you may choose to roll out new policies for the use of mobile devices within your organization, where adherence to policy can be measured by scanning mobile devices and monitoring their use.

Draft the IG Strategic Plan and Gain Input from a Broader Group of Stakeholders

Once you have the pieces of the plan drafted and the IG team is in agreement that it has been harmonized and aligned with overall organizational goals and objectives, you must test the waters to see if you have hit the mark. It is a good practice to expose a broader group of stakeholders to the plan to gain their input. Perhaps your IG team has become myopic or has passed over some points that are important to the broader stakeholder audience. Solicit and discuss their input, and to the degree that there is a consensus, refine the IG strategic plan one last time before finalizing it. But remember, it is a living document, a work in progress, which will require revisiting and updating to ensure it is in step with changing external and internal factors. Periodic auditing and review of the plan will reveal areas that need to be adjusted and revised to keep it relevant and effective.

Get Buy-in and Sign-off and Execute the Plan

Take the finalized plan to executive management, preferably including the CEO, and present the plan and its intended benefits to them. Field their questions and address any concerns to gain their buy-in and the appropriate signatures. You may have to make some minor adjustments if there are significant objections, but, if you have executed the stakeholder consultation process properly, you should be very close to the mark. Then begin the process of implementing your IG strategic plan, including regular status meetings and updates, steady communication with and reassurance of your executive sponsor, and planned audits of activities.

Notes

  1. Roger Kastner, “Why Projects Succeed—Executive Sponsorship,” February 15, 2011, http://blog.slalom.com/2011/02/15/why-projects-succeed-%E2%80%93-executive-sponsorship/.
  2. Ibid.
  3. https://www.infogovbasics.com/best-practices/by-industry/healthcare/ (accessed February 7, 2018).
  4. Monica Crocker, e-mail to author, June 21, 2012.
  5. EDRM, “Information Governance Reference Model (IGRM) Guide,” www.edrm.net/resources/guides/igrm (accessed November 30, 2012).
  6. AHIMA Staff, “Use Cases Demonstrate Information Governance Best Practices,” Journal of AHIMA, September 30, 2014, https://journal.ahima.org/2014/09/30/use-cases-demonstrate-information-governance-best-practices/.
  7. Kate Cumming, “Metadata Matters,” in Managing Electronic Records, eds. Julie McLeod and Catherine Hare (London: Facet Publishing, 2005), 34.
  8. Minnesota State Archives, Electronic Records Management Guidelines, www.mnhs.org/preserve/records/electronicrecords/ermetadata.html (accessed March 6, 2016).
  9. Randolph A. Kahn, https://twitter.com/InfoParkingLot/status/273791612172259329 (November 28, 2012).
  10. Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK Guide), 4th ed. (Newtown Square, PA: Project Management Institute, 2008), ANSI/PMI 99-001-2008, pp. 273–312.
  11. Charles Dollar and Lori Ashley, e-mail to author, August 10, 2012.