No, not IT governance. Information governance.
OK, if you're a regular reader of this blog, you know my rant.
- information is becoming the most important business asset in the world.
- someone's going to have be the "CFO of information".
- and you're going to need new tools -- information infrastructure -- to do this.
At most companies, there's pretty good governance around something else that's important -- financials.
What about information governance?
The need is clear -- at least to me!
Let's start with a simple question -- who defines your information retention policy?
Or, more importantly, how was it defined?
If you're like most organizations, at some point did some people got together, put their heads together, and made a recommendation?
The answer is probably "yes".
Were the right voices at the table? Was there some sort of balanced scorecard evaluation that took into account risk avoidance, cost reduction and value generation? Were the results measured and reported on?
And did the team reconvene periodically to review the situation, take light of recent developments, and suggest new recommendations?
The answer is probably "no".
Now, repeat the question for email archiving. Or how you manage customer information. Or employee information. Or financial information. Or, if you're Google, how you manage search records. How long you keep backups. Do we need audit trails?
Or ... well, you get the idea.
If it's information, and it's being captured, at some point there will be really gnarly questions around how comapnies balance risk, cost and value.
The traditional answer is that the application owner (or business unit) owns that problem. Well, we've learned not to do that with money, right? Financial management and governance is a corporate issue, because the stakes are so high.
Bottom line: these questions of "how do we manage information at a corporate level?" are all over the place if you look around, and more are coming every day.
And, rather than try and address them individually in an ad-hoc manner -- with limited participation, measurement and evolution, the idea is to create a role of information governance function within the organization.
Some people think this is a great place to use consultants. I'd offer that consultants can help, but the problem needs to be owned by some part of the business -- hence the need for information governance.
Interest is growing -- from what I can see.
I've mentioned before that I get to spend a lot of time with customers. This also is a very valuable resource for trying out new ideas and thoughts, and seeing how they resonate.
When I'm talking to my traditional audience of technology people who are hip-deep in issues around running IT, they tend to agree -- life would be easier if someone would just tell them how they'd like the information managed.
But asking an operational IT person to figure all of this stuff out is asking a lot of someone.
Occasionally, I get to meet more senior people who've spent time on the business side of IT. And, for them, this is a very powerful and meaty topic. They really want to talk about it.
They have an appreciation that there's a new concern. They know that there's a lot at stake. And they know how good governance functions can help manage risk and create good outcomes for painful, cross-functional problems where there's no simple and obvious answer.
And they really like the idea. Some have even started moving down the road.
Organizational and evolutionary models
The first step seems to be a "working group" at a relatively senior level. Ideally, there are three roles that need be present.
- One role (person or people) can speak to the risk side of the equation. Think legal, or finance, or a security officer if you have one.
- One role can speak to the cost side of the equation. Think IT, usually.
- One role can speak to the value generation side of the business, e.g. we keep this information around because we think we can use it to make more money for the company.
If there are only one or two of these roles at the table, it's not a complete discussion. As an example, in pursuit of risk reduction, costs escalate and value-generation opportunities are missed. Or, if it's all about value generation, the company can be exposed to new forms of risk. Lots of good examples here.
From what I've heard, the initial steps of the working group are to (a) validate that this is a problem, (b) make sure the right voices are at the table, and (c) gain the commitment from team participants to be involved for the long haul.
The next step seems to be contextual education.
Put the existing situation on the table so everyone can see what's being done today -- warts and all. Have people present on new regulations, best practices outside the company, etc. Spend whatever weeks or months are needed to create a common context around the problem and what's going on around it.
The step after that seems to be hashing out some guiding principles.
Yes, I know that's boring stuff, but you'd be amazed how often you come back to the guiding principles when you're wrestling with a specific issue. Consider it up-front investment work.
After those first three activities, it seems to get into high gear.
There's an agenda of problem areas, working teams are assigned, they go off, study the problem, and come back with recommendations, which are reviewed by the governance team. Once the recommendations are implemented, there are periodic report-backs as to the results, or if something new is learned.
Maybe a workstream on email. Or another on user file systems. Maybe 7-12 workstreams. And someone to help organize and schedule the team's activities.
The team is now equipped to conduct a regular cadence on these issues: identifying the challenge, assigning the team, getting recommendations, approving policy, measuring results and revisiting when necessary.
Yep, it sounds like a lot of work. Hard things usually are ...
Impact and outcome
I have met some (but not many) organizations that have had information governance teams up and running for a number of months, and have started to see the effects.
First, everyone's a bit less anxious about information issues. The IT guys know there's a policy function that they're represented on, and it makes their life easier. The legal guys feel better. The finance guys feel better.
The business unit guys may or not feel better, but they're not big fans of corporate governance to begin with. Such is life.
Secondly, (from a selfish EMC perspective) important information management projects move ahead. They get after email archiving, and information security, and file system mgmt, and ECM, and ... all those darn cross-functional projects that don't have clear ownership outside IT.
They're now "owned" by the information governance team.
I think most importantly, there's a new appreciation outside of IT of just how important information is, and how businesses need to start looking at it the same way they've looked at money in the past.
Just about every business person I've met is pretty smart about managing money, budgets, finances, etc. And I think that, over time, they'll be just as smart about managing information.
So, where are you on this?
Do you have some sort of information governance function at your company? If so, what does it look like, and what have the experiences been?
If not, do you agree with the need for one? And are the conditions right to bring up the topic?
Let me know ... thanks!