I like to spot shifts in the discussion, and sometimes I stumble across something that ends up being bigger than I first thought.
About 18 months ago, I started to see that there was a fundamental structural problem in how organizations were managing information.
IT had the mandate and the resources to manage information, but the business wasn't fully engaged in the discussion around essential information management policy tradeoffs: balancing costs, risks and value.
And I suggested that we'd see a growing interest in what I dubbed "information governance" -- a cross-functional, executive-level approach to managing the information portfolio in largely the same way that the CFO thinks about managing the financial portfolio.
I thought it wrong to characterize it as solely an IT problem: it's going to be a business problem. Or put differently: if we're going to thrive in the information economy, we're going to have to start thinking about information as money.
And I believe that this particular topic is getting more attention in the boardroom.
Basic Ideas
Rather than think about the big picture, let's start small.
Imagine an arbitrary piece of information -- perhaps an email.
That email represents a cost to the business -- especially if it's backed up, kept around a long time, made searchable by others, etc. How do you decide what's valuable, and what's safe to delete?
That same email may represent a risk to the business -- there may be a sensitive topic involved, or perhaps it's a business record that's subject to retention and compliance regulations. Who makes the call that a given email might be important to keep around for retention purposes?
Finally, that same email might have useful information that might create value to the business. Maybe there's a useful discussion or idea. Or it came from a customer and is part of the overall customer relationship. And who gets to make that particular call?
From a technology perspective, all these things are possible -- and in use today -- but it begs the fundamental question: what business function gets to decide where the interesting tradeoffs lie between cost, risk and value?
We usually gloss over this discussion and toss around the "policy" word to describe this, but I believe it's a fundamental strategic issue on how these policies will be formed, refined, measured and improved.
Today, I think it's getting tossed in IT's lap more often than not to go figure out. And -- despite IT's best efforts -- I would argue that the business will have to be more directly engaged in these discussions.
And, let's not forget that the information floodwaters are rising. Every year, more information. Every year, more and more consequences for not handling it properly. And, of course, we're always looking for more ways to monetize our information.
Now It Gets Interesting
For the sake of discussion, let's assume there are three basic goals in mind: saving money, making money -- and staying out of trouble.
If the legal department (or other risk-sensitive function) sets policy, you may be reducing risk, but you could end up with an expensive solution, and it might not deliver any useful business value.
If the finance department (or other cost-sensitive function) sets policy, they'd be interested in saving big bucks by deleting just about everything as quickly as possible.
And if business users ever get a say (you know, the people trying to make money for the company), they'd want to keep it all online, and make it searchable, retrievable, mashable, etc. -- simply to extract more value from what they already have.
Some entity will have to decide -- what's the ongoing tradeoff between cost, risk and value?
Now, let's broaden the discussion to other kinds of information.
Consider all those files. Or transactional database records. Or information that's gathered about customers and partners. Or maybe information about our employees. Heck, let's throw in all those security cameras just to make it interesting. Or maybe the log files from the phone system.
And, if you're up for even more punishment, what happens when information starts flowing between partners and suppliers? As an example, if I outsource billing to a service provider, whose fault is it if something bad happens?
When you really drill down and ask the question "which function sets the information management policy for the organization, and how?" -- well, let's just say it's becoming an increasingly interesting strategic question.
Have You Been The Victim Of Poor Information Governance?
Sure, I could share all sorts of bad things that have happened to companies that could be roughly categorized as "poor information governance", but let's take it out of the corporate world, and make it a bit more personal.
Ever feel like your personal information was disclosed (or sold!) without your permission? Or been the recipient of one of those "we have to disclose to you" letters?
Ever get bounced around a large corporation, and spend the first few minutes of every conversation once again sharing details about name, account number, etc. -- over and over again?
Or had incorrect information in a credit report or other database, and had no easy way to fix the problem?
Or maybe you're on the infamous No-Fly List in the USA -- and can't find a way to get your name off that list?
[recent update, just came across this little gem to prove the point yet again]
Frankly speaking, we as individuals are increasingly becoming the victims of poor information governance. And that's not good for either consumers or the businesses that serve them.
Other Interpretations
Like any phrase in this industry, there are other interpretations of "information governance" out there that are subsets of how I think the concept ought to be discussed.
One strong flavor is the GRC (Governance, Risk, Compliance) interpretation. More than a few vendors and consultants equate the entire information governance discussion with risk avoidance.
Now, there's no arguing that staying out of trouble is a major concern (and a major motivator!), but this framing leaves the cost aspects -- and the value-generation aspects -- as secondary concerns. I believe the interesting discussion lies with the tradeoffs -- and not the absolutes.
I see the goal as more broad: understanding all three -- costs, risks and value.
Another interpretation of "information governance" that I've seen has to do with making your data dictionaries better, having standardized metadata, and using better data definitions to improve your business processes.
Nothing wrong with any of that, either -- it's just an entirely different discussion.
What To Do?
I see the same basic pattern playing out more often with the customers I talk to:
- IT leaders make the case that there's a problem. IT can do all sorts of wonderful things with technology, but needs guidance from the business as to what's important, what's not -- and it's pretty clear that no one function speaks for all the interests of the business.
- Exec management agrees, and forms an ad-hoc committee on information governance. Representation is usually IT, finance, legal as well as business stakeholders. Yes, it's another meeting.
- After some grounding and creating a common context (usually with real-world problems IT is facing today), the team starts to tackle individual issues as examples of the tradeoffs involved. Email policy (while outwardly boring) is a good starting place. Business units that routinely handle sensitive information (e.g. health care, insurance, finance, legal) are also a logical starting place. The idea is to pick a place and start.
- Over time, general principles and guidelines emerge around how to handle different kinds of information. These are codified and formalized into policies that are communicated.
- Measurement systems are put into place to ensure that mandates are followed, and the results (risk reduction, cost avoidance, value generation) are captured as part of the feedback process.
- A general cadence is established, and -- yes -- it seems that information governance policies need to be reviewed on a fairly regular basis.
I have met at least two dozen large organizations who told me they were doing some flavor of this process. Yes, there's a strong industry focus (the stakes are obviously higher in some industries than others), but the trend is there, and I see this starting to expand into other, less-obvious industries.
So, What Do You Think?
If you work in IT, are there reasonably sophisticated policies in place surrounding the inherent tradeoffs involved? Or does it seem that mandates come down, and you wonder if anyone really understands what's going on here?
Or, if you've got decent policies in place (and the resources to execute on them), is it working well? Does having an exec-level forum for debating the tradeoffs improve the situation for IT, and the business?
And -- finally -- do you think this will be an increasingly important issue in the future?
Hi Chuck,
I have read with great interest your white paper on your journey in social networking (http://chucksblog.typepad.com/a_journey_in_social_media/). In your estimation, how does social networking further impact the governance issue? I am particularly interested in how your legal and compliance areas approach this matter as you've begun to move social networking outside the four walls of EMC.
Best regards,
Lee Allgood
Posted by: leeallgood.myvidoop.com | January 22, 2009 at 10:52 AM
Great question, Lee
There was a moment of insight where we realized that handling information was important regardless of the form it took, or mechanism used.
As a corporation, EMC has a decent internal framework and governance for handling information in a variety of contexts. More can be done, but we have a decent starting point.
As a result, there was nothing specific we really had to do for our social environments -- it was a simple extension of the principles we use for email, files, etc.
A parallel discussion emerged in conduct -- how do we handle conduct situations in a social environment? Once again, our HR team had a pretty decent framework established for general conduct guidelines, and mechanisms to resolve particular issues.
We simply extended what was already in place, and did not treat the social environment any differently.
I think this internal experience goes to the point that an internal framework -- be it for information governance, or HR conduct, or whatever -- can pay substantial benefits across the business, sometimes in unanticipated ways.
As a result of the two frameworks we had in place, we could move very fast on our internal social efforts.
Thanks!
Posted by: Chuck Hollis | January 22, 2009 at 12:04 PM