No, not IT governance. Information governance.
OK, if you're a regular reader of this blog, you know my rant.
- information is becoming the most important business asset in the world.
- someone's going to have be the "CFO of information".
- and you're going to need new tools -- information infrastructure -- to do this.
At most companies, there's pretty good governance around something else that's important -- financials.
What about information governance?
The need is clear -- at least to me!
Let's start with a simple question -- who defines your information retention policy?
Or, more importantly, how was it defined?
If you're like most organizations, at some point did some people got together, put their heads together, and made a recommendation?
The answer is probably "yes".
Were the right voices at the table? Was there some sort of balanced scorecard evaluation that took into account risk avoidance, cost reduction and value generation? Were the results measured and reported on?
And did the team reconvene periodically to review the situation, take light of recent developments, and suggest new recommendations?
The answer is probably "no".
Now, repeat the question for email archiving. Or how you manage customer information. Or employee information. Or financial information. Or, if you're Google, how you manage search records. How long you keep backups. Do we need audit trails?
Or ... well, you get the idea.
If it's information, and it's being captured, at some point there will be really gnarly questions around how comapnies balance risk, cost and value.
The traditional answer is that the application owner (or business unit) owns that problem. Well, we've learned not to do that with money, right? Financial management and governance is a corporate issue, because the stakes are so high.
Bottom line: these questions of "how do we manage information at a corporate level?" are all over the place if you look around, and more are coming every day.
And, rather than try and address them individually in an ad-hoc manner -- with limited participation, measurement and evolution, the idea is to create a role of information governance function within the organization.
Some people think this is a great place to use consultants. I'd offer that consultants can help, but the problem needs to be owned by some part of the business -- hence the need for information governance.
Interest is growing -- from what I can see.
I've mentioned before that I get to spend a lot of time with customers. This also is a very valuable resource for trying out new ideas and thoughts, and seeing how they resonate.
When I'm talking to my traditional audience of technology people who are hip-deep in issues around running IT, they tend to agree -- life would be easier if someone would just tell them how they'd like the information managed.
But asking an operational IT person to figure all of this stuff out is asking a lot of someone.
Occasionally, I get to meet more senior people who've spent time on the business side of IT. And, for them, this is a very powerful and meaty topic. They really want to talk about it.
They have an appreciation that there's a new concern. They know that there's a lot at stake. And they know how good governance functions can help manage risk and create good outcomes for painful, cross-functional problems where there's no simple and obvious answer.
And they really like the idea. Some have even started moving down the road.
Organizational and evolutionary models
The first step seems to be a "working group" at a relatively senior level. Ideally, there are three roles that need be present.
- One role (person or people) can speak to the risk side of the equation. Think legal, or finance, or a security officer if you have one.
- One role can speak to the cost side of the equation. Think IT, usually.
- One role can speak to the value generation side of the business, e.g. we keep this information around because we think we can use it to make more money for the company.
If there are only one or two of these roles at the table, it's not a complete discussion. As an example, in pursuit of risk reduction, costs escalate and value-generation opportunities are missed. Or, if it's all about value generation, the company can be exposed to new forms of risk. Lots of good examples here.
From what I've heard, the initial steps of the working group are to (a) validate that this is a problem, (b) make sure the right voices are at the table, and (c) gain the commitment from team participants to be involved for the long haul.
The next step seems to be contextual education.
Put the existing situation on the table so everyone can see what's being done today -- warts and all. Have people present on new regulations, best practices outside the company, etc. Spend whatever weeks or months are needed to create a common context around the problem and what's going on around it.
The step after that seems to be hashing out some guiding principles.
Yes, I know that's boring stuff, but you'd be amazed how often you come back to the guiding principles when you're wrestling with a specific issue. Consider it up-front investment work.
After those first three activities, it seems to get into high gear.
There's an agenda of problem areas, working teams are assigned, they go off, study the problem, and come back with recommendations, which are reviewed by the governance team. Once the recommendations are implemented, there are periodic report-backs as to the results, or if something new is learned.
Maybe a workstream on email. Or another on user file systems. Maybe 7-12 workstreams. And someone to help organize and schedule the team's activities.
The team is now equipped to conduct a regular cadence on these issues: identifying the challenge, assigning the team, getting recommendations, approving policy, measuring results and revisiting when necessary.
Yep, it sounds like a lot of work. Hard things usually are ...
Impact and outcome
I have met some (but not many) organizations that have had information governance teams up and running for a number of months, and have started to see the effects.
First, everyone's a bit less anxious about information issues. The IT guys know there's a policy function that they're represented on, and it makes their life easier. The legal guys feel better. The finance guys feel better.
The business unit guys may or not feel better, but they're not big fans of corporate governance to begin with. Such is life.
Secondly, (from a selfish EMC perspective) important information management projects move ahead. They get after email archiving, and information security, and file system mgmt, and ECM, and ... all those darn cross-functional projects that don't have clear ownership outside IT.
They're now "owned" by the information governance team.
I think most importantly, there's a new appreciation outside of IT of just how important information is, and how businesses need to start looking at it the same way they've looked at money in the past.
Just about every business person I've met is pretty smart about managing money, budgets, finances, etc. And I think that, over time, they'll be just as smart about managing information.
So, where are you on this?
Do you have some sort of information governance function at your company? If so, what does it look like, and what have the experiences been?
If not, do you agree with the need for one? And are the conditions right to bring up the topic?
Let me know ... thanks!
Chuck, why wouldn't this fall under the domain of the CIO? C-level roles are almost always cross-functional. It may be that some CIOs view their roles strictly as IT czars, but I suspect most of them see information governance as their primary job responsibility (even though they might have other words for it).
Posted by: Marc Farley | August 01, 2007 at 05:34 PM
Well, I've met more than a few in my travels, and how they view their job varies widely. If you go buy the book on Enterprise Architectures that I like so much, there's a cogent explanation as to why that might be.
But there's something else that's important here. Governance implies cross-functional representation outside of any one function.
Put differently, if the CIO thinks it's IT's job, that's what it will be, and it won't be viewed as a business problem.
The few companies that I've met that are doing this well have made sure that -- even though IT is fully engaged -- it's positioned as a corporate issue, and not an IT one ...
Thanks for reading!
Posted by: Chuck Hollis | August 01, 2007 at 06:35 PM
Hello Chuck.
Do you have a good definition of what Information Governance is?
The best single paper I've collected yet is the IBM Dtata Governance Council's maturity model paper called "Building a roadmap for effective data governance".
Can you or EMC provide me with something of equal substance?
Grateful for your help.
Posted by: Joe Otway | November 09, 2008 at 11:14 PM
Hi Joe
The best (short) definition is "a cross-functional management team empowered to create policies that balance cost, value and risk in regards to corporate information management".
I guess I could put that in a white paper, but I think the EIU's paper pretty much says it all:
http://www.emc.com/leadership/business-view/future-information-governance.htm?CMP=ILC-carHP&panel=the+future+of+information+governance
IBM's defintion (and deliverables) I believe focus more on the traditional definitions of "data governance", e.g. ensuring proper semantics and usefulness of particular data elements.
Nothing wrong with that -- but I think the phrase "information governance" is thought of in the same way "financial governance" has been thought of in the past.
More than willing to discuss further, if you're interested?
-- Chuck
Posted by: Chuck Hollis | November 10, 2008 at 08:00 AM
Chuck,
I am involved in a company wide project regarding email management and records retention. While we have a paper retention schedule we do not have one for electronic records.
To make things more interesting legal documents have been and still are retained in individual mail file accounts (Lotus Notes). Because of this there has been a no delete mentality for a number of years.
This is not only expensive but potentially risky if litigation comes into play. Not to mention there is a massive amount of unnecessary email taking up valuable space.
We ran a voluntary email reduction awareness campaign with surprisingly good results. Company wide we reduced our overall size by over 30%. This is a good start but there is much more to be done. Legal is in the process of crafting an electronic record policy.
Funding is limited for 2009 so a defined technical architecture has been deferred until 2010. There's been a lot of talk around information governance but I'm not sure if it's truly represented.
Any suggestions or ideas?
Thanks
Posted by: Kris Thorstenson | March 06, 2009 at 04:21 PM
Hi Kris -- thanks for writing.
Any thorough discussion is well beyond the limits of a blog comment, so bear with me.
The first step is just having an agreed policy that represents the balance between risk, cost and value.
As an example, if just the legal guys are involved, I'm sure the policy will be very risk-adverse, but not necessarily cost-effective or user-friendly.
The trick is to get all three voices at the table.
Second, acknowledge that this will be an ongoing discussion. The team will make some recommendations, try some things, get some results, and want to adjust. Be prepared to have periodic discussions on this topic.
And be very clear with people that this challenge isn't going to go away in a meeting or two.
Third, technology can only work if it's clear what you're trying to get done -- and everyone is willing to help.
The user outreach program is a good start, but the best organizations keep that dialogue up with their users, since their behaviors can be either part of the problem, or the solution, depending.
Finally, the technology that does this stuff just keeps getting better and better, IMHO. The fact that you're not funded until 2010 isn't the worst thing -- it means you're encouraged (forced!) to have the business and policy discussion in 2009, which -- when you think about it -- is sort of the way things should happen, no?
Again -- thanks for writing!
Posted by: Chuck Hollis | March 06, 2009 at 05:26 PM
Hi Chuck,
Thanks for responding to my previous post. One more question for you.
How would you go about creating a file plan without going to the business for input?
I know that sounds crazy, but unfortunately we don't have the funding (or at least that's what I'm told).
I'm also pushing for a specific legal definition as to what constitues an electronic legal document so at the very least we can use this when determining what is and is not retained.
Thanks again Chuck
Posted by: Kris Thorstenson | March 09, 2009 at 02:12 PM
Hi Kris
What I usually do in these situations is to guess what a business user might want (as opposed to IT, legal, CFO), and clearly label it as "not validated yet".
That way, you can proceed without their input, or send it over for their comment.
Either way, you move ahead :-)
-- Chuck
Posted by: Chuck Hollis | March 09, 2009 at 02:15 PM