CHAPTER 18

Maintaining an Information Governance Program and Culture of Compliance*

Maintaining your information governance (IG) program beyond an initial project effort is key to realizing continued and long-term benefits of IG. This means that the IG program must become an everyday part of an organization's operations and communications. It requires vigilant and consistent monitoring and auditing to ensure that IG policies and processes are effective and consistently followed and enforced. If proper controls are in place, IG-infused processes should become a regular part of the enterprise's operations. It also requires an ongoing training and communications program to keep employees apprised of approved processes and behaviors that support IG.

Monitoring and Accountability

Monitoring and accountability require a continuous tightening and expansion of protections and the implementation of newer, strategic technologies. Information technology (IT) developments and innovations that can foster the effort must be steadily monitored and evaluated, and those technology subsets that can assist in providing security need to be incorporated into the mix.

The IG policies themselves must be reviewed and updated periodically to accommodate changes in the business environment, laws, regulations, and technology. Program gaps and failures must be addressed, and the effort should continue to improve and adapt to new types of security threats.

That means accountability: Some individual must remain responsible for an IG policy's administration and results.1 Perhaps the executive sponsor for the initial project becomes the chief information governance officer or IG czar of sorts; or the chief executive officer continues ownership of the program and drives its active improvement. The organization also may decide to form a standing IG board, steering committee, or team with specific responsibilities for monitoring, maintaining, and advancing the program.

Maintaining an IG program requires that someone is accountable for continual monitoring and refinement of policies and tools.

However it takes shape, an IG program must be ongoing, dynamic, and aggressive in its execution in order to remain effective.

Staffing Continuity Plan

In today's work environment, employees are more mobile in their careers: people take new career opportunities outside of the organization and also change jobs and move to other positions within an organization, so it is critical to have a continuity plan for your IG program. Backup and supporting designates must be named and kept current on the administration of the program. You must have a supporting sponsor or senior sponsor to fill the role of executive sponsor, should the need arise; likewise, other human resource/staffing redundancies need to be built in to ensure the smooth and continued operation of the IG program in the event of an unplanned incident that threatens it.

The approach to an IG program is similar to that of a vital records program (vital records are those critical business records that an organization must have to continue operations). Backups of backups must be built in. In vital records, there must be backups of backup copies of vital records, and they must be safely stored; there also need to be backup IT systems and processes in place to ensure that an organization can continue its operations. These redundancies must be considered, tested, and implemented. This may mean that when the formal program manager is unable to execute his or her duties, an assistant or designated backup can carry out those duties.

It is also a good idea to cross-train employees. With this approach, the legal team, for instance, will better understand the needs and requirements of the records management function, and vice versa. Cross-training improves overall organization acceptance and understanding of the IG program while building in safeguards to ensure that it keeps running.

IG programs need built-in staffing redundancies to ensure their continued operation in the event of employee turnover or transfer.

Continuous Process Improvement

Maintaining IG program effectiveness requires implementing principles of continuous process improvement (CPI). CPI is a “never-ending effort to discover and eliminate the main causes of problems. It accomplishes this by using small-steps improvements, rather than implementing one huge improvement.” In Japan, the word kaizen reflects this gradual and constant process, as it is enacted throughout the organization, regardless of department, position, or level.2 To remain effective, the program must continue using CPI methods and techniques.

Maintaining and improving the program will require monitoring tools, periodic audits, and regular meetings for discussion and approval of changes to improve the program. It will require a cross section of team leaders from IT, legal, records management, compliance, internal audit, and risk management as well as functional business units participating actively and discussing possible threats and sources of information leakage.

Why Continuous Improvement Is Needed

Although the specific drivers of change are always evolving, the reasons that organizations need to continuously improve their program for securing information assets are relatively constant. These reasons include:

  • Changing technology. New technology capabilities need to be monitored and considered with an eye to improving, streamlining, or reducing the cost of IG. The IG program needs to anticipate new types of threats and also evaluate adding or replacing technologies to continue to improve it.
  • Changing laws and regulations. Compliance with new or updated laws and regulations must be maintained.
  • Internal IG requirements. As an organization updates and improves its overall IG, the program elements that concern critical information assets must be kept aligned and synchronized.
  • Changing business plans. As the enterprise develops new business strategies and enters new markets, it must reconsider and update its IG program. If, for instance, a firm moves from being a domestic entity to a regional or global one, new laws and regulations will apply, and perhaps new threats will exist and new security strategies must be formed.
  • Evolving industry best practices. Best practices change, and new best practices arise with the introduction of each successive wave of technology and with changes in the business environment. The program should consider and leverage new best practices.
  • Fixing program shortcomings. Addressing flaws in the IG program that are discovered through testing, monitoring, and auditing; or addressing an actual breach of confidential information; or a legal sanction imposed due to non-compliance are all reasons why a program must be revisited periodically and kept updated.3

Maintaining the IG program requires that a senior-level officer of the enterprise continues to push for enforcement, improvement, and expansion of the program to secure and control information.

Maintaining the IG program requires that a senior-level officer of the enterprise continues to sponsor it and pushes for enforcement, improvement, and expansion. This requires leadership and consistent and clear messages to employees. IG and the security of information assets must be on the minds of all members of the enterprise; it must be something they are aware of and think about daily. They must be on the lookout for ways to improve it, and they should be rewarded for those contributions.

Gaining this level of mindshare in employees' heads will require follow-up messages in the form of personal speeches and presentations, newsletters, corporate announcements, e-mail messages, and even posters placed at strategic points (e.g., near the shared printing station advising about secure procedures). Employees must be reminded that information governance is everyone's job, that meeting compliance and legal demands helps contribute to achieving business objectives, and that losing, misusing, or leaking confidential information harms the organization over the long term and erodes its value.

CHAPTER SUMMARY: KEY POINTS

  • Keeping an enterprise's IG program effective requires vigilant and consistent monitoring and auditing to ensure that IG policies and processes are followed and enforced.
  • Information technologies that can assist in advancing the program must be steadily monitored, evaluated, and implemented.
  • Maintaining and improving the IG program requires monitoring tools, regular audits, and regular meetings for discussion and approval of changes to the program to continually improve it.
  • IG programs need built-in staffing redundancies to ensure their continued operation in the event of employee turnover or transfer.
  • Organizations need to continuously improve their program for securing information assets due to:
    • Changing technology
    • Changing laws and regulations
    • Internal information governance requirements
    • Changing business plans
    • Evolving industry best practices
    • Program shortcomings
  • Maintaining an IG program requires that a senior-level officer of the enterprise continues to push for enforcement, improvement, and expansion of the program to secure and control information.

Notes

1. Mark Woeppel, “Is Your Continuous Improvement Organization a Profit Center?” June 15, 2009, www.processexcellencenetwork.com/process-management/articles/is-your-continuous-improvement-organization-a-prof/ (accessed September 12, 2011).

2. Donald Clark, “Continuous Process Improvement,” Big Dog and Little Dog's Performance Juxtaposition (blog), March 11, 2010, www.nwlink.com/~donclark/perform/process.html (accessed September 12, 2011).

3. Randolph Kahn and Barclay T. Blair, Information Nation: Seven Keys to Information Management Compliance (New York: AIIM International, 2004), pp. 242–243.

* Portions of this chapter are adapted from Chapter 17, Robert F. Smallwood, Safeguarding Critical E-Documents: Implementing a Program for Securing Confidential Information Assets, © John Wiley & Sons, Inc., 2012. Reproduced with permission of John Wiley & Sons, Inc.
