Strategic planning is the process of envisioning your organization's desired future state, developing business objectives that must be accomplished to progress toward it, and then determining the steps and milestones needed to achieve the desired future state. Your information governance (IG) strategic plan should support and be in alignment with the organization's overall strategic plan.
Securing a sponsor at the executive management level is always crucial to projects and programs, and this is especially true of any strategic planning effort. An executive must be on board and supporting the effort in order to garner the resources needed to develop and execute the strategic plan, and that executive must be held accountable for the development and execution of the plan. These axioms apply to the development of an IG strategic plan.
Also, resources are needed—time, human capital, and budget money. The first is a critical element: it is not possible to require managers to take time out of their other duties to participate in a project if there is no executive edict and consistent follow-up, support, and communication. Executive sponsorship is a best practice. And, of course, without an allocated budget, no program can proceed.
The higher your executive sponsor is in the organization, the better.¹ The implementation of an IG program may be driven at a high level by the general counsel (GC), chief risk officer, chief compliance officer, chief information officer (CIO), or, ideally, the chief executive officer (CEO). With CEO sponsorship come many of the key elements needed to complete a successful project, including allocated management time, budget money, and management focus.
It is important to bear in mind that this IG effort is truly a change management effort, in that it aims to change the structure, guidelines, and rules within which employees operate. The change must occur at the very core of the organization's culture. It must be embedded permanently, and for it to be, the message must be constantly and consistently reinforced. Achieving this kind of change requires commitment from the very highest levels of the organization.
If the CEO is not the sponsor, then another high-level executive must lead the effort and be accountable for meeting milestones as the program progresses. Programs with no executive sponsor or an unenthusiastic one can lose momentum and focus, especially as competing projects and programs are evaluated and implemented. Program failure is a great risk without a strong executive sponsor. Such a program likely will fade or fizzle out or be relegated to the back burner. Without strong high-level leadership, when things go awry, finger pointing and political games may take over, impeding progress and cooperation.
The executive sponsor must be actively involved, tracking program objectives and milestones on a regular, scheduled basis and ensuring they are aligned with business objectives. He or she must be aware of any obstacles or disputes that arise, take an active role in resolving them, and push the program forward.
The role of an executive sponsor is high level, requiring periodic and regular attention to the status of the program, particularly with budget issues, staff resources, and milestone progress. The role of a program or project manager (PM) is more detailed and day-to-day, tracking specific tasks that must be executed to make progress toward milestones. Both roles are essential. The savvy PM brings in the executive sponsor to push things along when more authority is needed but reserves such project capital for those issues that absolutely cannot be resolved without executive intervention. It is best for the PM to keep the executive sponsor fully informed but to ask for assistance only when absolutely needed.
At the same time, the PM must manage the relationship with the executive sponsor, perhaps with some gentle reminders, coaxing, or prodding, to ensure that the role and tasks of executive sponsorship are being fulfilled. “[T]he successful Project Manager knows that if those duties are not being fulfilled, it's time to call a timeout and have a serious conversation with the Executive Sponsor about the viability of the project.”²
The executive sponsor serves six key purposes on a project:
An eager and effective executive sponsor makes all the difference to an IG program—if the role is properly managed by the PM. It is a tricky relationship, since the PM is always below the executive sponsor in the organization's hierarchy, yet the PM must coax the superior into tackling certain high-level tasks. Sometimes a third-party consultant who is an expert in the specific project can instigate and support requests made of the sponsor and provide a solid business rationale.
The role of the executive sponsor necessarily evolves and changes over the life of the initial IG program launch, during the implementation phases, and on through the continued IG program.
To get the program off the ground, the executive sponsor must make the business case and get adequate budgetary funding. But an effort such as this takes more than money; it takes time—not just time to develop new policies and implement new technologies, but the time of the designated PM, program leaders, and needed program team members.
In order to get this time set aside, the IG program must be made a top priority of the organization. It must be recognized, formalized, and aligned with organizational business objectives. All this up-front work is the responsibility of the executive sponsor.
Once the IG program team is formed, team members must clearly understand why the new program is important and how it will help the organization meet its business objectives. This message must be regularly reinforced by the executive sponsor; he or she must not only paint the vision of the future state of the organization but articulate the steps in the path to get there.
When the formal program effort commences, the executive sponsor must remain visible and accessible. He or she cannot disappear into everyday duties and expect the program team to carry the effort through. The executive sponsor must be there to help the team confront and overcome business obstacles as they arise and must praise the successes along the way. This requires active involvement and a willingness to spend the time to keep the program on track and focused.
The executive sponsor must be the lighthouse that shows the way, even through cloudy skies and rough waters. This person is the captain who must steer the ship, even if the first mate (PM) is seasick and the deckhands (program team) are drenched and tired.
After the program is implemented, the executive sponsor is responsible for maintaining its effectiveness and relevance. This is done through periodic compliance audits, testing and sampling, and scheduled meetings with the ongoing PM.
Who should make up the IG team? Although there are no set requirements or formulas, the complex nature of IG and the fact that it touches upon a number of specialized disciplines and functional areas dictate that a cross-functional approach be taken. Therefore you will need representatives from several departments. There are some absolutes: you must have an executive sponsor and an IG program manager, hopefully a chief IG officer. And based on the Information Governance Reference Model and empirical research, you'll need a representative from your legal staff or outside counsel, your information technology (IT) department, a senior records officer (SRO) or the equivalent, an information security professional, and hopefully a privacy professional, especially in this era of GDPR, California Consumer Privacy Act, and emerging privacy compliance legislation around the globe. In addition, there may be a need for input from your chief data officer (CDO), managers of compliance, risk management, human resources (for training and communications), and certain business units that could benefit most from IG. You also may want to recruit the CFO, based on the idea that breaches and unauthorized access or misuse of information can damage the brand and cause a loss in equity value, and also that the CFO can provide input into approaches to leveraging and monetizing information assets.
The most appropriate business units to participate are those with the most pressing IG issues. It could be the department with the most litigation, where litigation costs and risk could be substantially cut. Or the department where information is either inaccurate or not quickly found, which causes compliance violations, fines, or sanctions, or compromises in customer service. Or it could be the department with the greatest opportunities to monetize and leverage information as an asset.
Depending on the scope of the effort, other possible IG team members might include an analytics specialist; a change management specialist; an audit lead; the chief knowledge officer (CKO) for knowledge management (KM); the corporate or agency archivist, business analysts, litigation support head, business process specialist, project management professional, and other professionals in functions related to these areas.
The executive sponsor will need to designate an IG program manager (PM). Depending on the focus of the IG effort, that person could come from several areas, including legal, privacy, cybersecurity, compliance, risk management, records management, or IT.
In terms of breaking down the roles and responsibilities of the remainder of the IG team, the easy decision is to have IG team representatives take responsibility for the functional areas of their expertise. But there will be overlap, and it is best to have some pairs or small work groups teamed up to gain the broadest amount of input and optimum results. This will also facilitate cross training. For instance, inside legal counsel may be responsible for rendering the final legal opinions, but because they are not expert in records, document management, or risk management, they could benefit from input of others in specialized functional areas, which will inform them and help narrow and focus their legal research. Basic research into which regulations and laws apply to the organization regarding security, retention, and preservation of e-mail, e-records, and PII or PHI could be conducted by the SRO or records management head, in consultation with the corporate archivist and CIO, with the results of their findings and recommendations drafted and sent to the legal counsel. The draft report may offer up several alternative approaches that need legal input and decisions. Then the legal team lead can conduct its own focused research and make final recommendations regarding the organization's legal strategy, business objectives, financial position, and applicable laws and regulations.
The research, consultation, and collaboration of the IG team should result in a final draft of the IG strategic plan. It will still need more input and development to align the plan with business objectives, an analysis of internal and external drivers, applicable best practices, competitive analysis, applicable IT trends, an analysis and inclusion of the organization's culture, and other factors.
The IG plan must support the achievement of the organization's business objectives and therefore must be melded into the organization's overall strategic plan. Integration with the strategic plan means that the business objectives in the IG plan are consistent with, and in support of, the enterprise strategic plan.
So, for example, if the corporate strategy includes plans for acquiring smaller competitors and folding them into the organization's structure as operating divisions, then the IG plan must assist and contribute to this effort. Plans for standardizing operating policies and procedures must include a consistent, systematized approach to the components of IG, including stakeholder consultation, user training and communications, and compliance audits. The IG plan should bring a standard approach across the spectrum of information use and management within the organization and it must be forged to accommodate the new technology acquisitions. This means that e-mail policies, e-discovery policies, mobile device policies, social media policies, cloud collaboration and storage use, and even nitty-gritty details like report formats, data structures, document taxonomies, and metadata must be consistent and aligned with the overall strategic plan. In other words, the goal is to get all employees on the same page and working to support the business objectives of the strategic plan in everyday small steps within the IG plan.
The organization will also have an IT plan that must be aligned with the strategic plan to support overall business objectives. The IT strategy may be moving to a cloud-based approach, which means that cloud-based solutions should be considered first, to align with the IT plan. Or, the IT strategy could be to convert new acquisitions to the internal financial and accounting systems of the organization and to train new employees to use the existing software applications under the umbrella of the IG plan. Again, the IG plan needs to be integrated with the IT strategy and must consider the organization's approach to IT.
The result of the process of aligning the IG effort with the IT strategy and the organization's overall strategic plan will mean, ideally, that employee efforts are more efficient and productive since they are consistently moving toward the achievement of the organization's overall strategic goals. The organization will be healthier and will have less dissent and confusion with clear IG policies that leverage the IT strategy and help employees pursue overall business objectives.
Further considerations must be folded into the IG plan. As every corporate culture is different and has a real impact on decision-making and operational approaches, corporate culture must be included in the plan. Corporate culture includes the organization's appetite for risk, its use of IT (e.g. forward-thinking first adopter versus laggard), its capital investment strategies, and other management actions, which may be characterized as conservative, progressive/aggressive, or somewhere in between.
So, if the organization is conservative and risk averse, it may want to hold off on implementing some emerging content analytics or e-discovery technologies that can cut costs but also induce greater risk. Or if it is an aggressive, progressive, risk-taking organization, it may opt to test and adopt newer e-discovery technologies under the IT strategy and umbrella of IG policies. An example may be the use of blockchain technology to develop new applications. Or implementing artificial intelligence (AI), such as predictive coding technology in early case assessment (ECA). Predictive coding uses text auto-classification technology and neural technology with the assistance of human input to “learn” which e-documents might be relevant in a particular legal matter and which may not be. Through a series of steps of testing and checking subsets of the documents, humans provide input to improve the document or e-mail sorting and selection process. The software uses machine learning (a form of artificial intelligence whereby the software can change and improve on a particular task, as its decision engine is shaped and “trained” by input) to improve its ability to cull through and sort documents.
Predictive coding can reduce e-discovery costs, yet there are risks that the approach can be challenged in court and could, in fact, affect the case adversely. Thus, a decision on a technology like predictive coding can involve and include elements of the IG plan, IT strategy, and overall organizational strategic plan.
And there are resource issues to consider: How much management time, or bandwidth, is available to pursue the IG plan development and execution? Is there a budget item to allow for software acquisitions and training and communications to support the execution of the IG plan? Obviously, without the allocated management time and budget money, the IG plan cannot be executed.
The IG plan is now harmonized and aligned with your organization's strategic plan and IT strategy, but you are not finished yet, because the plan cannot survive in a vacuum: organizations must analyze and consider the external business, legal, and technological environment and fold their analysis into their plans.
IG requires IT to support and monitor implementation of policies, so it matters what is developing and trending in the IT space. What new technologies are coming online? Are you tracking developments in AI, blockchain, and the Internet of Things (IoT)? Why are they being developed and becoming popular? How do these changes in the business environment that created opportunities for new technologies to be developed affect your organization and its ability to execute its IG plan? How can new technologies assist? Which ones are immature and too risky? These are some of the questions that must be addressed in regard to the changing IT landscape.
Some changes in information and communications technology (ICT) are rather obvious, such as the trends toward mobile computing, tablet and smartphone devices, cloud storage, and social media use. Each one of these major trends that may affect or assist in implementing IG needs to be considered within the framework of the organization's strategic plan and IT strategy. If the corporate culture is progressive and supportive of remote work and telecommuting, and if the organizational strategy aims to lower fixed costs by reducing the amount of office space for employees and moving to a more mobile workforce, then trends in collaborative software, and in tablet and smartphone computing that are relevant to your organization, must be analyzed and considered. Is the organization going to provide mobile devices or support a bring-your-own-device environment? Which equipment will you support? Will you support iOS, Android, or both? What is your policy going to be on phone jacking (changing communications carrier settings)? What is the IG policy regarding confidential documents on mobile devices? Will you use encryption? If so, which software? Is your enterprise moving to the cloud computing model? Utilizing social media? What about Big Data? Are you going to consider deploying auto-classification and predictive coding technologies? What are the trends that might affect your organization?
Many, many questions must be addressed, but the evaluation must be narrowed down to those technology trends that specifically might impact the execution of your IG plan and rollout of new technology.
On a more granular level, you must evaluate even supported file and document formats. It gets that detailed when you are crafting IG policy. For instance, PDF/A-1 is the standard format for archiving electronic documents. So your plans must include long-term digital preservation (LTDP) standards and best practices for those records that must be stored to document the heritage of the organization.
If the economy is on a down cycle, and particularly if your business sector has been negatively affected, resources may be scarcer than in better times. Hence, it may be more difficult to get budget approval for necessary program expenses, such as new technologies, staff, training materials, communications, and so forth. This means your IG plan may need to be scaled back or its scope reduced. Implementing the plan in a key division rather than attempting an enterprise rollout may be the best tactic in tough economic times. Also, there are a number of activities that can be executed at a relatively low cost to move the IG program along, such as policy development, taxonomy development, updating departmental file plans, and so forth.
But if things are booming and the business is growing fast, budget money for investments in the IG program may be easier to secure, and the goals may be expanded.
IG must be an ongoing program, but it takes time to implement, and it takes temporal, human, and financial resources to execute, audit, and continue to refine. So an executive looking for a quick and calculable payback on the investment may want to focus on narrower areas. For instance, the initial focus may be entirely on shared drive cleanup of redundant, obsolete, and trivial (ROT) information. Or providing security awareness training (SAT) to employees who handle information to lower risk. Or it could focus on the legal hold and e-discovery process, with business objectives that include reducing pretrial costs and attorney fees by a certain percentage, ratio, or amount. Concrete results can be seen when focusing on e-discovery, since legal costs are real, and always will be there. The business case may be more difficult to make if the IG effort is broader in focus. If the focus is on improving search capabilities, for faster and more accurate retrieval, the organization will benefit as a whole, but it will take time to see results. When the results are evident, management decision making, as well as compliance capabilities, will be improved. Improved management decision making will improve the organization's competitiveness in the long term, but it may be difficult to cite specific examples where costs were saved or revenues were increased as a result of the “better decisions” that should come about through better IG.
In consultation with your legal team or lead, the laws and regulations that affect your industry should be identified. Narrowing the scope of your analysis, those that specifically could impact your governance of information should be considered and analyzed. What absolute requirements do they impose? Where there is room for interpretation, where, legally, does your organization want to position itself? How much legal risk is acceptable? For instance, practical organizations may focus on those regulations that regulators are focusing on for that particular cycle. These are the types of questions you will have to look to your legal and risk management professionals to answer. Again, legal requirements take priority over all others.
Your decision process must include considerations for the future and anticipated future changes. Changes in the legal and regulatory environment happen based on the political leaders who are in place and any pending legislation. So you must go further and analyze the current political environment and make some judgments based on the best information you can gather, the organization's culture and appetite for risk, management style, available resources, and other factors. Generally, a more conservative environment means less regulation, and this analysis must also be folded into your IG strategic plan.
IG is a developing hybrid discipline. In a sense, it's a superset of records and information management (RIM) and a subset of governance, risk management, and compliance (GRC), a discipline that emerged to help executives manage risk and compliance at a high level.
IG developed due to the explosion in the amount of e-mail, records, documents, and data that must be managed in today's increasingly high-volume and velocity business environment and highly regulated and litigious compliance environment. As such, best practices are still being formed and added to. This process of testing, proving, and sharing IG best practices will continue for the next decade as the practices are expanded, revised, and refined.
The most relevant study of IG best practices is one that is conducted for your organization and surveys your industry and what some of your more progressive competitors are doing in regard to IG. Often the best way to accomplish such a study is by engaging a third-party consultant, who can more easily contact, study, and interview your competitors in regard to their practices. Business peer groups and trade associations also can provide some consensus as to emerging best practices.
Twenty-one examples of IG best practices covering a number of areas in which IG has an impact or should be a major consideration are listed next.
Compare the IG program to a workplace safety program which is continuously improved, reinforced, and expanded; every time a new location, team member, piece of equipment, or toxic substance is acquired by the organization, the workplace safety program dictates how that is handled and, if it doesn't, workplace safety policies/procedures/training need to be updated. The program must be monitored and audited to ensure the program is followed and to make adjustments. The effort never ends.⁴
Now comes the time to make sense of all the information and input your IG team has gathered and hammer it into a workable IG strategic plan. Doing this will involve some give-and-take among IG team members, each having their own perspective and priorities. Everyone will be lobbying for the view of their functional groups. It is the job of the executive sponsor to set the tone and to emphasize organizational business objectives so that the effort does not drag out or turn into a competition but is a well-informed consensus development process that results in a clear, workable IG strategic plan.
At this point your IG team will have gathered a great deal of information that needs to be analyzed and distilled into actionable strategies. This process will depend on the expertise and input of the specialized knowledge your team brings to the table within your organizational culture. Team members must be able to make decisions and establish priorities that reflect organizational business objectives and consider a number of influencing factors.
Do not prolong the strategy development process—the longer it lasts, the more key factors influencing it can change. You want to develop a strategic plan that is durable enough to withstand changes in technology, legislation, and other key influencing factors, but it should be relevant to that snapshot of information that was collected early on. When all the parts and pieces start changing and require reconsideration, a dated IG plan does not serve the organization well.
Develop IG strategies for each of the critical areas, including the legal hold process, e-discovery action plans, e-mail policy, mobile computing policy, IT acquisition strategy, confidential document handling, vital records and disaster planning, social media policy, and other areas that are important to your organization. To maintain focus, do this first without regard to the prioritization of these areas.
Then you must go through the hard process of prioritizing your strategies and aligning them to your organizational goal and objectives. This may not be difficult in the beginning—for instance, your IG strategies for legal holds and e-discovery readiness are likely going to take higher priority than your social media policy, and protecting vital records is paramount to any organization. As the process progresses, it will become more challenging to make trade-offs and establish priorities. Then you must tie these strategies to overall organizational goals and business objectives.
A good technique to keep goals and objectives in mind may be to post them prominently in the meeting room where these strategy sessions take place. This will help to keep the IG team focused.
Plans and policies to support your IG efforts must be developed that identify specific tasks and steps and define roles and responsibilities for those who will be held accountable for their implementation. This is where the rubber meets the road. But you cannot simply create the plan and marching orders: You must build in periodic checks and audits to test that new IG policies are being followed and that they have hit their mark. Invariably, there will be adjustments made continually to craft the policies for maximum effectiveness and continued relevance in the face of changes in external factors, such as legislation and business competition, and internal changes in management style and structure.
You have to get things moving and get employees motivated, and launching new subprograms within the overall IG program is a good way to start. For instance, a new security awareness training (SAT) program for knowledge workers which is fun, engaging, and gamified can energize the IG program and immediately reduce information risk, while demonstrating that senior management is prudent and proactive.
An “e-discovery readiness” initiative can show almost immediate results if implemented properly, with the support of key legal and records management team members, driven by the executive sponsor. You may want to revamp the legal hold process to make it more complete and verifiable, assigning specific employees specific tasks to be accountable for. Part of that effort may be evaluating and implementing new technology-assisted review (TAR) processes and predictive coding technology. So you will need to bring in the IG team members responsible for IT and perhaps business analysis. Working cooperatively on smaller parts of the overall IG program is a way to show real results within defined time frames. Piecing together a series of program components is the best way to get started, and it breaks the overall IG program down into digestible, doable chunks. A small win early on is crucial to maintain momentum and executive sponsorship. E-discovery has real costs, yet progress can be measured objectively in terms of reducing the cost of activities such as early case assessment (ECA). Benefits can be measured in terms of reduced attorney review hours, reduced costs, and reduced time to accomplish pretrial tasks.
To be clear, you will need to negotiate and agree on the success metrics by which the program will be measured in advance.
There are other examples of supporting IG subprograms, such as shared drive ROT cleanup and remediation; updating departmental file plans and the records retention schedule (RRS); or e-mail management and archiving, where storage costs, search times, and information breaches can be measured in objective terms. Or you may choose to roll out new policies for the use of mobile devices within your organization, where adherence to policy can be measured by scanning mobile devices and monitoring their use.
Once you have the pieces of the plan drafted and the IG team is in agreement that it has been harmonized and aligned with overall organizational goals and objectives, you must test the waters to see if you have hit the mark. It is a good practice to expose a broader group of stakeholders to the plan to gain their input. Perhaps your IG team has become myopic or has passed over some points that are important to the broader stakeholder audience. Solicit and discuss their input, and to the degree that there is a consensus, refine the IG strategic plan one last time before finalizing it. But remember, it is a living document, a work in progress, which will require revisiting and updating to ensure it is in step with changing external and internal factors. Periodic auditing and review of the plan will reveal areas that need to be adjusted and revised to keep it relevant and effective.
Take the finalized plan to executive management, preferably including the CEO, and present the plan and its intended benefits to them. Field their questions and address any concerns to gain their buy-in and the appropriate signatures. You may have to make some minor adjustments if there are significant objections, but, if you have executed the stakeholder consultation process properly, you should be very close to the mark. Then begin the process of implementing your IG strategic plan, including regular status meetings and updates, steady communication with and reassurance of your executive sponsor, and planned audits of activities.