The following is a guest article from Aaron Bryant, chief information governance officer at Washington State Department of Health and CGOC Faculty Member.
Most organizations understand successful information governance (IG) depends on close coordination among stakeholders, including security, compliance, privacy, legal, records, IT and lines of business.
However, operationalizing this can be challenging, and I have had very different experiences and successes depending on my management role, previously as a mid-level manager and now as a C-level executive.
Over the last 14 years, I have run IG programs and designed, implemented and maintained information management systems to support them.
While I have always focused on aligning IG stakeholder requirements to ensure a mature, organization-wide IG program, all too often, the C-suite introduced an unavoidable obstacle to success, naming an executive program "sponsor" who left program implementation to a mid-level manager.
This is a recipe for failure, leaving organizations saddled with siloed, ad hoc IG processes, poor data quality and increasing vulnerability to data theft, regulatory violations and uncontrolled information management and legal costs.
A lack of hands-on executive leadership also explains this finding in the CGOC Information Governance Benchmark Report 2018: While 72% of organizations believe they have appropriate executive support and leadership for their IG program, only 33% can defensibly dispose of data and only 7% have tools in place to categorize data and automate retention schedules — critical elements of IG program maturity.
Based on my experiences as a mid-level manager and an executive, I offer the following four management keys to successfully operationalizing and maturing an IG program.
1. A C-level executive, not a manager, must run the IG steering committee
An effective IG program requires close coordination among all information stakeholders.
In every organization I have been associated with, this coordination required a cultural evolution of people, processes and technology spanning multiple departments. Mid-level managers rarely have the authority to effect such changes.
A records manager, even an IG program development expert, is typically excluded from leadership meetings about the technologies, policies, personnel or budgets directly impacting the IG program.
A few years ago, as a law firm records manager, I controlled client data flow and processing, but I could not impose best practices on the firm’s administrative data, managed by IT. This disconnect prevented me from making any real progress on moving the firm toward a comprehensive IG program.
Today, as the chief information governance officer (CIGO) of a government agency, I have the authority and influence to effect cultural change, and I created an IG steering committee with the power to impose IG best practices on people, processes and technology across the agency.
The only real difference between the two situations was my title. And while having the right title doesn’t guarantee success, it removes the single biggest hurdle to maturing an IG program.
2. Build an IG steering committee with stakeholders who fully embrace their responsibilities
The IG steering committee comprises the multi-stakeholder group charged with developing IG program strategy and implementing the necessary processes and controls throughout the organization. As such, an IG program leader must carefully select the group’s members.
In my various roles as a mid-level manager, I could not do this and found many steering committee members lacked the knowledge, experience and commitment to implement our IG strategy at the tactical level.
Further, my attempts to impose IG best practices usually fell on deaf ears.
Today, as an executive, I can now bring the right people to the table, and I have the authority and flexibility to attend operational and strategic meetings across the organization, enabling me to identify the best people to accomplish my IG goals.
3. Frame IG as an essential core business function, not a problem-focused project
A few years back, as a hotel chain's records and information governance director, I was a member of the legal team.
Despite my title, a lawyer who understood only the IG issues related to e-discovery assumed responsibility for the entire IG program, ignoring the much broader experience and perspective I could have brought to our IG strategy.
As a result, I had no input at the executive level, and while we had a robust e-discovery program, a true IG program never got off the ground.
When charged from on high with managing an IG program, a mid-level manager (or a lawyer) has little choice but to treat the effort as multiple, narrowly-focused projects, that is, the next best steps for solving a specific IG challenge.
Often, these managers will also limit their projects to their immediate needs, such as the lawyer reducing e-discovery risks or a compliance manager satisfying new privacy regulations.
As an executive, I have framed IG as a core business function, as critical to business operations as human resources or finance. Armed with the right authority, knowledge and experience, I can impose IG best practices throughout the information lifecycle across all departments.
4. Align the IG function with other organization-wide strategic initiatives
Without an executive running the IG program, an organization has no top-down coordination among the various IG stakeholders, resulting in fragmented implementations and immature IG processes.
Today, as the CIGO, I regularly meet with the CIO, CISO, CTO and other executives, learning about their roles, responsibilities, requirements and concerns, while coordinating our efforts and aligning them with IG best practices.
Through this effort, for example, I recently discovered the information security team was about to deal with an issue on a particular file share. Since the IG team was also looking at a project related to file shares, we were able to coordinate our activities and develop a project roadmap that delivered strategic, process and cost synergies.
At the executive level, I see far more opportunities to achieve these benefits throughout the agency than a mid-level manager could. As a result, we are making faster and more significant progress toward IG maturity.
We know that information is now an organization’s most vital asset, but "having it" is not the same as effectively using it and protecting it in a compliant way.
Only a mature IG program can optimize information access while minimizing compliance and security risks. And the only way to ensure steady progress toward IG program maturity is with a focused, hands-on executive at the helm.