« I'm Starting To Really Like These Guys ... | Main | Which NGDC Do You Want? »

March 25, 2008

Information Governance -- An Update

Like many of you, I tend to be on the lookout for interesting trends in this industry.

No surprise, but trends come and go.  Some start out strong, but may lose steam or morph into another discussion entirely.

Others continue to gather steam until the concept becomes part of our overall fabric of thoughts and ideas.

And I think I owe you an update on "information governance". 

The Background

About a year ago, I wrote a number of posts around this topic.

My case was pretty simple.

I observed that many organizations were finding themselves with ever-growing stores of information that was the lifeblood of their enterprise.

Risks, costs and potential opportunities associated with all this information was steadily rising as well.  As a result, many IT organizations found themselves in the uncomfortable position of having to both define and enforce information management policy for the entire organization.

This was not ideal, I argued. 

First, information is becoming a business thing, and less of an IT thing.  We don't ask IT to figure out financial governance, or other important areas to the enterprise.

Second, there needed to be a forum where the business could continually weigh the tradeoffs between risks, costs and business opportunities.  It's a dynamic world, no static policy will suffice.

Third, IT would benefit by having a forum where tradeoffs could be evaluation, policy could be established, priorities identified -- and IT could get on with their work; hopefully with funding provided.

I started asking the customers I met whether they had any sort of information governance board or committee that met regularly.  I found a few promising examples, but mostly I got negative answers.

So what's happened in a year?

On The Upswing

Whereas a year ago I probably could have counted all the customers with some sort of information governance function on two hands, today I'd run out of fingers and toes pretty quickly.  I'd offer that most organizations who have taken on this issue are very pleased with the results.

The risk-mitigators are pleased that there's an organized approach to identifying and remediating new forms of information risk.  The cost-reducers are pleased that organizational costs are identified as part of any discussion.  The value-generators enjoy the fact that there's a forum where they can point to the enormous value created through new uses of existing information.

And, generally speaking, IT is pretty happy that they've got some clear mandates to go execute towards.

But it's not happening everywhere, and not always for the same reasons.

Risk-Driven Information Governance

The first -- and, by far, the largest -- group are those that formed these functions primarily to identify risks associated with information.

In this group, you'll find all sorts of financial services firms (not surprisingly), a growing number of retailers who handle transactional data, and other quasi-regulated industries.

Not to accuse anyone of anything, but there are more than a few industries with nominal information management regulations that don't take the topic as seriously as you might think.  I believe this is because the consequences (e.g. enforcement, fines, bad PR, etc.) aren't that severe.

No surprise, the stronger the consequences, the more seriously a given organization or industry approaches risk-based information governance.

The very first step these groups usually take is some form of enterprise-wide information risk assessment, simply because you can't manage what you don't know about. 

Some will take a process-oriented view of information; identifying key business processes, understanding how information is captured, stored, used and retained.  There's value in this.

But, at the same time, not all information lives in well-understood business processes.  Think file shares, emails, reports that people run, and so on.  More and more of this crowd wants to complement their business-process-oriented view of information management with a horizontal take to understand where else this stuff goes.

The more interesting discussion seems to be around what to do about risks that are found.  Information-related risks vary considerably in terms of probability, severity and consequences. 

And, of course, any risk-remediation effort comes at a cost, both in terms of IT investment, but potentially in terms of lost productivity or alternative uses for information.

I've seen a number of "tiering"-style charts that we've developed with our customers that create different conceptual buckets around how distinct classes of information are governed and managed -- and also try to capture some of the implied costs associated with a given level of anxiety.

They look a lot like the charts we create around storage service levels, and RTO/RPO service levels, and ... well, I guess it's an extensible approach.

From what I can gather, this crowd has been successful with this approach.  Risk mitigation is the forcing function; balanced by cost and value concerns.  And, generally speaking, IT knows what it has to do (and how to pay for it!) when this flavor of information governance is working.

Cost-Driven Information Governance

Not every industry has a preponderance of risky information. 

A few organizations I've met have come to the information governance table via a very different road -- they're literally drowning in information, and the costs associated with storing, protecting, managing, etc. are in danger consuming all of IT's resources.

Maybe it's an SAP instance where the business insists on keeping every potential transaction around forever, or every data cube, or every extraction, or so on.

Maybe it's a "keep email forever" policy.  Or users get to use as much file space as they want with few restrictions.  Or a business process that generates enormous amounts of rich content: scanned documents, videos, etc.

Or, just perhaps, all of the above.

For whatever reason, the business has just been accustomed to storing as much information as it wants, usually at a very high service level, and costs are starting to get a lot of attention outside of IT.

Fortunately, there are good tools at hand for wrestling with this style of information governance.

For years, we've constructed service level catalogs for storing and retaining different information types, and offered up "best case" costs associatd with each.  We've also been able to provide guidance on best practices for archiving, retention, optimized backup, and so forth.

Along the way, there are healthy discussions about potential risks introduced in consideration of specific proposed policies, as well as a value-generation discussion from business stakeholders.

For many organizations, a cost-reduction mandate is as good as any other to bring the respective stakeholders to the table, and have the honest discussion about balancing costs against risk and value.

Value-Generation Information Governance

There are certain industries that find themselves with a preponderance of extremely high-value information. 

And, usually, there are clever business people who realize that the potential is there to do far more with the information they already have, but organizational boundaries get in the way.

By far, I find this category the most interesting.

Very often, this presents itself as an end-to-end business process, e.g. finding new drugs, exploring for energy, providing better health care, and so on. 

As an example, EMC's BusinessEdge consulting unit does a lot of work with business owners to understand the information flow around these core processes, and use value-generation as the primary metric for information governance thinking.

More recently, new challenges have arisen as more and more processes span organizational boundaries, and include partners, subcontractors and other non-corporate entities.

Information governance is hard enough to get right when everyone works for the same company; add the need for a flexible information partnering model while balancing risk concerns is thorny work indeed.

But I think it's inevitable that this sort of value-generating information governance that transcends organization boundaries is exactly where the high-value work will be in coming years.

Want to outsource part of your business process who can do it better?  Want to collaborate openly with others in your industry?  You'll have an interesting information governance discussion that balances business value against (primarily) risks.

Where Does This Leave Us?

From a technology vendor perspective, there are clear technology investment tracks for each of these.

For risk management information governance, tools that assess the "threat potential" of different kinds of information, "containerize" sensitive information appropriately, authenticate who wants it, and can audit how and where it's used.

For cost reduction, tools that assess how information is actually being used (as opposed to how people think it might be used), and can seamlessly move information back and forth between different service levels (and cost structures) as needed.

For value generation, repositories that tag information appropriately, and can provide the scaffolding for seamless movement and re-use not only within the enterprise, but outside as well.

Not surprisingly, EMC is investing very heavily in each of these areas.

One thing's clear though.

If information is going to be an organization's most important asset, more and more people are going to be viewing their CIO as the "CFO of information".

And in a world where information is more important than technology, we'll be seeing far more people who describe themselves as "informationists".

Posted at 09:32 AM in Being An Informationist, Big Ideas (hopefully ...), Customer Engagements, EMC Viewpoint, Information Infrastructure |

Digg This | Save to del.icio.us

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/t/trackback/1106103/27434482

Listed below are links to weblogs that reference Information Governance -- An Update:

Comments

Post a comment

Comments are moderated, and will not appear on this weblog until the author has approved them.

If you have a TypeKey or TypePad account, please Sign In

Chuck Hollis


  • Chuck Hollis has been with EMC for 12 years, and is Vice President of Technology Alliances at EMC. He frequently speaks to customer audiences about a variety of technology topics, and can usually be counted on for an interesting point of view. He lives in Holliston, MA with his wife, three kids and two dogs when he's not travelling. Chuck enjoys piano, mountain bking and skiing -- in that order.

Categories

Archives

More...

Subscribe to this blog's feed

General Housekeeping

  • Frequency of Updates
    I try and write something new 1-2 times per week; less if I'm travelling, more if I'm in the office. Hopefully you'll find the frequency about right!
  • Comments and Feedback
    I'm going to be approving comments before they get posted here. Any information you can share about who you are, how to contact you, what you do for a living, etc. would very much be appreciated.

Interesting books for the cognescenti

Regular Reads