What does good information governance look like? How can organizations achieve it? For businesses today, where technology and data are at the heart of what they are and do, information governance is critically important: not only for compliance and legal reasons, but also to maintain data security, to benefit from digital transformation, which is encouraged globally, and to unleash data’s full potential for continued business success.
Information governance during the pandemic
Presently, during the COVID-19 pandemic, organizations have had to deal with rapid change on the digital front over a very short period. However, one area that has lagged, in some cases, is information governance. It seems that the primary reason is that, at the start of the pandemic, the people who took responsibility for moving everyone from the office to their homes and to the new way of working, as well as getting the cloud systems plumbed in, were the same team as, or part of, the information governance team. Priorities shifted to make the necessary changes at pace.
During the pandemic, many discussions have centered on the urgent need for technical controls to solve the challenges that organizations have had to address in haste because of the quickly evolving circumstances. As a result, the administrative side seems to have fallen by the wayside; there was just not enough time for both aspects.
Organizations that find themselves in this position may find it necessary to catch up on information governance as well as to align the new way of working with the set of policies and procedures to help with the management and control of the organization’s information assets.
Information governance is not a document that is produced or a tool that can be purchased and used from time to time. It’s a journey that results in a change to the organization’s previous habits to aid and improve on the way that information is handled and managed.
The information governance team
- The records manager: This is the owner of the program in your organization. This person is responsible for the running of the program and, more than likely, will report to a board member who sponsors the program. Involving a board member is important as it ensures visibility, budget, and acceptance at a senior level for the initiative. Information governance is often brought to the board’s attention due to the compliance requirement.
- Information technology committee: It’s advised that the committee be formed of the IT manager, system administrator, database administrator, and stakeholders that currently govern the data. It’s easier to form a small team and grow it from there if needed. The more members, the more opinions, and the slower the process will be. So, first, establish the process and then layer in the various stakeholders as needed. This approach helps to get the program moving at a faster pace.
- HR representative: Several interactions will require support from HR. Training and change to work habits will need to be considered, as well as the skill for getting employees into the mindset for the new discipline. The HR team can assist with this aspect too. It’s a good idea to involve HR as a key stakeholder in this program from the start. HR typically needs to be involved due to the high level of end-user involvement as well as cybersecurity policy requirements.
- The CISO: Having the chief information security officer on your side during this journey is helpful. As the officer, this person will have the influence and many of the security policies and disciplines on their radar. In some cases, the CISO runs the program in smaller organizations, but if possible, it’s recommended that this be a dedicated role as many aspects will require attention.
- Project managers: A good project manager is recommended. These professionals should link up to the department heads to ensure that the project gets executed. It all depends on the budget and availability of human resources for this initiative. However, a good PM is worth including to ensure that the initiative sustains momentum and gets delivered as per the roadmap.
- Legal counsel: Having legal counsel at the disposal of the team is useful as there is a legal element to this initiative. The team will need to be aware of the compliance requirements and legal obligations of the company. These differ from sector to sector, and counsel will have a reasonable understanding of what to consider, or will at least know what advice will be required to move things forward. This matters especially in a situation such as now, where systems are cloud-based and people are working from remote locations. HR and legal will have to be consulted when these types of initiatives are progressed.
- Additional resources: It’s advantageous to employ or get counsel from subject matter experts and business analysts on this initiative. These professionals come at a cost, but they often ensure that you do the job well without having to spend too much time learning new aspects and contemplating aspects you might not have considered. Not everyone can afford them. So, as an alternative, it might be a good idea to advertise within your organization for skilled people. Let them know that the program will be launched, and those within the organization with the relevant experience could be of assistance.
What to govern from an information perspective
The first step is to know what you have. Mapping out information using a tool or even a spreadsheet is a good starting point as this helps you establish what information the organization holds, where it is and who has access to it. Beyond that, the map should capture what platforms exist, how the information is generated and stored, how information moves within the organization, and how it is transferred to third parties.
This data map does not have to be fully complete, as previously mentioned. It’s a journey of discovery, and over time the bigger picture will be revealed. However, making a start is more important than being perfect. Thereafter, a plan can be devised to improve upon what’s already been achieved, and as more information is gathered, the data picture will become more comprehensive and effective.
The core of information governance
- Create a record of the data
- Store and protect the data
- Use the data securely
- Share the data securely
- Archive the data properly
- Destroy the data properly
Governing the data assets comprises, but is not limited to, security, continuity assurance (data availability), access controls, metadata, retention schedules, audit and monitoring requirements, content repositories, as well as disaster recovery procedures.
An essential discipline as our digital footprint increases
With the right team and a fit-for-purpose plan, you are able to fulfill the process. It’s about creating a habit that is repeatable, and that can intrinsically improve upon each step, at every meeting, and throughout the journey.
Document the actions, followed by the critical audit points, and then start on the maturity of the information governance initiative. By doing this, you can report and improve on the elements that can be optimized. Ensuring the data manager is part of a public forum that deals in information governance often helps as a point for collaboration and a means to obtain external support when required.