Information governance - Florida Gulf Coast ARMA Chapter

1
INFORMATION
GOVERNANCE (IG)
What Does That Really Mean?
Donna Read, CRM, CDIA+
November 18, 2014
Florida Gulf Coast ARMA Chapter
2
Agenda
• Defining Information Governance
• Why is it difficult to implement?
• People – Processes - Technology
• Wrap your arms around the beast.
3
Difference Between RIM & IG
• Records Management is tactical
• Information Governance is strategic
To be strategic, you need partners, sponsors, and a
network
• Tactical - Designed to achieve a particular effect or goal.
adj.tactical, expedient, schematic, strategic.
• Strategic - or a strategy - A method worked out for
accomplishing something : plan, blueprint, design, course
of action, plan of action, game plan, master plan, project,
scheme, strategy, format, stratagem, procedure.
4
IG – What Does It Mean?
• “..a holistic approach to managing and leveraging
information for business benefits encompassing
information quality, protection and lifecycle
management.” AIIM
• “..multi-disciplinary structures, policies,
procedures, processes and controls implemented
to manage information at an enterprise level,
supporting an organization’s immediate and
future regulatory, legal, risk, environmental and
operational requirements.” WikiPedia
5
From The Sedona Conference
“Information governance means an organization’s
coordinated, interdisciplinary approach to satisfying
compliance requirements and managing information risks
while optimizing information value.
As such, Information Governance encompasses and
reconciles the various legal and compliance requirements
and risks addressed by different information-focused
disciplines, such as records and information
management, data privacy, information security, and ediscovery.”
 Source: The Sedona Conference®
Commentary on Information Governance (Dec. 2013)
6
No – Really What Does It Mean?
• “…enterprise-wide program that incorporates
multiple organizational disciplines and that
contemplates policies, procedures, processes,
and controls designed and implemented to
management information.” AIIM
• “...a vehicle to ensure compliance to regulation,
encompassing people, processes and
technologies to support the best practices of the
organization.” KM World
7
Key Words
• Holistic ----- the parts of something as intimately
interconnected and explicable only by reference to
the whole
• Managing – Leveraging – Controlling
• Policies - Procedures - Processes
• Ensure Compliance
• Encompassing:
Information quality & protection
Immediate and future operational requirements
People, processes, & technologies
8
Information
Security
(PII)
Non-Records
Holds
Official Records
Duplicates
Reference and
Convenience
Information
Trash
9
10
11
What Does ARMA Have To Say?
• The Principles!!!!
• Information Governance Maturity Model
“Information is one of the most vital, strategic assets organizations
possess. They depend on information to develop products and services,
make critical strategic decisions, protect property rights, propel
marketing, manage projects, process transactions, service customers,
and generate revenues. This critical information is contained in the
organizations' business records.
• It has not always been easy to describe what "good information
governance" looks like.”
www.arma.org
12
Beginning to Look A Little Confusing –
Like Herding Cats?
13
Why Is IG So Difficult?
• Confusion Terminology
• Frustration - inability to focus on positive side of cost
avoidance and managing risk
• Why is adoption rate low?
 Perceived to have no direct business benefit
 Challenges in business buy-in and funding
 Seen as critical but highly political, complex, long-term and multi-year
initiative
 Currently a “on size fit all” approach
 Lack of metrics-driven measurement of benefit
 Total cost of IT ownership (TCO) rarely measured or tracked
14
Status Quo Not Working
• “The one thing that everyone can agree
upon is that the status quo is not working.
Symptoms are everywhere with comments
like ‘we need help to govern the data in
these warehouses since the date is always
wrong, incomplete or erroneous’ are the
norm rather than the exception.”
• Thornton May, Futurist & Executive Director, IT Leadership Academy
15
TMI
• IDC (International Data Corporation) Report: 1800 new
exabytes this year -- (1 exabyte = data equivalent to
50,000 years of continuous movies)
• Information governance is needed in a world where . . .
1. 80% of enterprise data is unstructured
2. 60% of documents are obsolete
3. 50% of documents are duplicate
4. 80% documents are not retrieved by traditional search
16
What Is Needed For IG
• Organizational Mindshare
• Senior Level Support
• Awareness of need for change
• Willingness to change
• Resources
17
Who Are The Stakeholders?
• Senior level management
• IT
• Legal
• Records Management
• Accounting
• The Users
18
Getting Buy-In
• Not an easy job
• What does everyone care about? WIIFM
“You have to align with what your organization cares about
– figure out what that is - to use as a lever for embedding
Information Governance.” Monica Crocker
19
IG and Social Media
• New trends constantly emerging
Today – SMC – Social/Mobile/Cloud
• Requires updating IG program and it’s deployment
• BYOD (bring your own device) muddies the water
Does your organization have polices in place for BYOD?
• Content generated from company account or…
• Content generated using personal account for business
purposes…..
• Must be governed under same policies as rest of information
20
IG and Big Data
21
The Meeting of IG and BD
• BD – “data lake” stores unlimited amounts of data, in any format,
scheme and type
• Theoretically could hold all of an organization’s data
• 1000’s of regulations impacting management of information
• Balance – information value with information risk
• Must know what you have – starting point for IG
• As data gets older, value diminishes – never really useless
• Risks in keeping include – increased storage
costs, litigation, & regulatory sanctions
• Saving everything is unsustainable
22
Archives Must Include
• Ingesting & retaining all types of information – both structured
and unstructured
• Auditing and preserving data and content to meet regulatory
and governance mandates
• Require no dependence on originating applications to manage
or reference information and records
• Maintain clear, defensible chain of custody
• Deliver records and retention capabilities
with audit trails
• Preserve information in an immutable form
23
Three-Phased Approach
• Current State Assessment
 Review all relevant policies and procedures
 Stakeholder interviews and focus groups to define current state of information
management practices
 Identify RIM vulnerabilities and develop key observations of “as is” state
• Analysis and Recommendations
 Identify best practice standards and benchmarking targets
 Evaluate current information management processes against standards and industry
best practices including “The Principles”
 Assign maturity rating and develop recommendations for the enhancement of
information management practices
• Strategy and Roadmap
 Summarize assessment, methodology and recommendations
 Validate with sponsors
 Develop strategies
 Develop tactical project plans for each strategy
 Develop implementation roadmap
Huron Consulting Group
24
Information Governance Infrastructure
Huron Consulting Group
25
Assess Current Situation – not an easy job
• Are your retention policies being applied to both structured and
unstructured data?
• Are your shared drives/hard drive used as a dumping ground
with no structure?
• Do you have an EDMS/RMA etc. in place but it not being fully
utilized?
• Do you have an ESI Data Map, or a Data Source Catalogue?
• Are there workarounds for system limitations that set, i.e. size
of email box?
• Can your employees find the correct and relevant
data they need to perform their work?
26
Huron Consulting Group
Three Buckets
1.
The stuff you know enough about to keep
2.
The stuff you know enough about to throw away
3.
Outliers & anomalies: the stuff you don’t have enough
information on to make a reasonable decision
Taking slices of the data: looking at a minimum amount of
information (logs, dates, times, domains, custodians) to make
the remediation call.
27
Structured Data Remediation Plan
For each identified system: (do you know your critical systems)
• Does the system contain “records” and how does this
relate to the retention schedule
Issue of relational databases, transactional systems, etc.
• Risk / cost analysis of over-retention
• Remediation options
• Manual
• Systematic
Huron Consulting Group
28
Potential “To Do” List
1. Does your RIM program need refinement?
2. Are your retention schedules and legal compliance rules
3.
4.
5.
6.
7.
up to date?
Do you need to update policies and procedures?
Should training be enhanced or include more staff?
Is there a strategy for dealing with unstructured content?
Do you have a structured Data System remediation plan?
Who is responsible for constructing the ESI Data Map?
29
Summary
• Need to define IG for stakeholders
• Convince them why they should care
• Assess current situation
• Create plan for remediation
30
The End
Donna Read, CRM, CDIA+
Florida Gulf Coast ARMA Chapter
[email protected]