What is Information Governance? – an executive briefing

By Jon Garde - RSD Information Governance Expert.

If you are in charge of a company or organisation or even a large department, then you will have heard the term “information governance”, and you will have probably asked yourself: “What is it I need to know about this new field?” You will want an answer that is not just theoretical but practically relates the definition of information governance with your organization’s or division’s core tasks and responsibilities.

Maybe one of the first things you did was to google “information governance” to see what it means and whether it applies to you. If you did, then you may easily have become confused. “Information governance” is a buzzword in the industry nowadays and, rather than having a strict definition, it is often loosely co-opted to the ends of vendors and consultants who sell individual vertical products and services in the information governance space. It has become a catchall that each one wants to put their own spin on to meet their own ends.

If you ask your corporate records manager or archivist, then they will tell you that information governance is just a new term for records management. If you ask your legal team then they will tell you that eDiscovery is information governance. If you ask your IT manager then you will be told that file analysis and legacy clean-up of shared drives is information governance. And so on. No matter who you ask, be it the information security group, the Sharepoint team, the compliance manager, the data protection officer, nearly everyone will claim to be closely involved with information governance and they will all give you the benefit of their opinion.

Our advice: don’t worry about this apparent confusion but turn it to your advantage. It is much better if your middle managers do think they are stakeholders in a future information governance programme, rather than that they all think it doesn’t apply to them.

What is information governance?

In reality the core concepts of information governance are simple and straightforward. But beware! The theory is definitely much easier to talk about than to put into practice. Setting aside the hype for the moment, there are really only three things you need to know about information governance. These can be summed up as:

  • Information Control
  • Information Lifecycle
  • Information Policies

Let’s explore these concepts in more detail.

Information Control

Information control means just that: that you are in control of the information within your company or work area. You may think that you are in control now; but are you? To be in control you must:

  • Know what information you have – you should only be keeping the information that is necessary to carrying on your business; all other information should be ruthlessly purged.
  • Know how to find it – your information needs to be organised so that you can find exactly what you want, quickly and easily.
  • Know what it relates to – your information should be arranged around business functions or cases and linked, so that from a single item of information you can discover all the related information that provides it with context.
  • Know where it is – typically your related information will be spread across different corporate systems and different repositories; you need to be equipped to manage related information effectively across and between these silos.
  • Know that it is complete – you should be confident that you are capturing all of the information related to a particular function or case and not introducing gaps or incomplete records. All the staff involved must be able to access all of the information, and it is vital that important information is not to be found only in the minds of key staff members, locked up in their personal email accounts, or located only on the local drives of their laptops.
  • Know who has access to it – who can see your information, and are you in control of it? How does your governance strategy deal with the need to know, collaboration with external bodies, the malicious employee, back-up and recovery, and so on?
  • Know how to govern it – see the separate sections on Information Lifecycle and Information Policies below.

The bottom line: if you are not in control then you are sitting on a ticking time bomb. There will be bad practices occurring in the ranks below you, which may or may not blow up into significant incidents or breaches during your tenure. How old are you? Can you make it to retirement before gaps in your organisation’s corporate knowledge invite the inevitable audit review, eDiscovery action, malpractice lawsuit, class-action, subject access request, freedom of information enquiry, corruption allegation, etc. and are you ready to take responsibility for them when they do?

At RSD we use the term “proactive compliance” to describe our approach to information governance. Being proactive means getting control of your information before you have to face regulatory scrutiny, an internal or external enquiry, or an audit. The alternative is being “reactive”: being unprepared for what is going to happen next and constantly having to play catch-up.

Information Lifecycle

Governing information means not just being in control in the moment, but controlling your information through time. We will never know more about a particular item of information than at the point where we produce or consume it. It makes sense that it is at that precise moment that we should capture as much peripheral data as possible to help us in the future when we might want to find it again, report on it, delete it, declassify it, and so on.

Information managers call this peripheral data “metadata”. It should contain information about the identity of the information, what other information, business functions and cases it is related to, who has handled it and in what ways, and more. Of course, in our busy lives when we have a lot of different things to deal with, all of them urgent, it is difficult to collect this information in the moment. So, more and more, we are looking to automation to do some of these tasks for us. But the counter-argument to not collecting metadata at the point of transaction, when we have the opportunity, is always: “if not now, then when?”

Managing the information lifecycle means taking a cradle to grave approach to governance. It means extending information control from the moment we receive an item of information to the moment we finally delete the last copy. Across the information lifecycle various events will occur: for information we create we may make multiple drafts or versions; for contractual documents we may add digital signatures; we may transmit the information through various channels; we may be legally required to keep the information for only a set period of time; the information may be classified and then progressively declassified over time; the information may contain personal data that we are not allowed to retain; we may be required to review information before we delete it; we may need to transfer it to internal or external archives; and so on.

Typically, what happens to information during its lifecycle depends on the information policies that we apply to it; these are discussed below. What we have learned is that a strategy of keeping everything and relying on a powerful search engine to find it when we need it is a naïve approach that is fraught with danger, not least when we are in an industry subject to regulatory scrutiny.

And yet, isn’t “keep everything” the policy that most of us use now with our own email accounts? We continue to pursue this failed strategy, despite the many instances of high profile executive email accounts that have been exposed. Do we even need to mention Sony Pictures, Hillary Clinton or even Ashley Madison?

Information Policies

Governance of information is not the same as traditional information and records management. The main difference between “governance” and “management” lies in the use of information policies to control the information. Policies need to be easy to define, centrally managed and agnostic of the platform on which the information is stored. Information policies should also be related to the organisation’s mission.

For example, restricting each user’s email inbox to a size of X gigabytes is not a good information policy because it applies only to information in email form on the email server. It does not relate to the organisation’s mission because some users, in some business functions, may perform critical tasks using primarily email while other users do most of their work in a different system. This type of policy is typical of an imposition made by IT to manage storage space to a fixed budget, without thinking top down from the organisational vision to determine what platforms and storage space and therefore what budget is required to support it.

By comparison, a policy under which temporary or insubstantial information that is not linked to a function or a business case is automatically deleted after Y days typically does represent a good information policy. It can be applied across any type of information on any corporate platform, not just email in isolation, and, as a policy, it can be linked directly to the organisational mission and higher level governance policies set by the executive team.

Central management means that each information policy is set only once, in a central policy system, from which it can be applied to any item of information in any system throughout the company. At RSD we use the term “hybrid governance” to refer to this type of implementation where policies are repository agnostic and independent. This doesn’t just mean, say, governing information in Sharepoint with the same policies as are used to govern information on shared drives; it can be cross-platform as well. So an information policy can be applied to govern information in the cloud on a shared cloud drive, such as Dropbox for Business; and the same policy used in a different context to govern information in on-premise repositories such as in an ECM system, or even further applied to governance of physical documents, folders and boxes.

Hybrid governance allows your information governance strategy to remain resilient to changes in your technology infrastructure, and can even help you to migrate information between repositories and platforms, including in response to an information policy that you have created.

The devil in the details

By now you may be wondering how you are going to implement such a complete approach to information governance in an effective manner within your workplace. There are many different considerations that you will need to take into account. For example, if you update your information systems every 5 to 7 years, how are you going to ensure that you can manage the information lifecycle for an item that you have to keep for 20 years?

We need to be able to handle change at any point in our information governance processes. Systems and technologies will need to be updated and replaced; key personnel with differing levels of skill and experience will come and go; laws and regulations change and increase (for example, the new General Data Protection Regulation [GDPR] that is due to come into force across the European Union before the end of the year); and even organisational missions and goals will be re-directed over time.

This ability to alter and update our governance structures, processes, systems and information policies across all our governed information is something that, at RSD, we call “Agile Governance”. Above all else, your approach to information governance must be agile, or your programme will be out-of-date before you have even finished designing and implementing it.

Conclusion

In this article we are not going to lay out in full how to go about developing and implementing a strategy for adoption of information governance, but that is clearly the next step. It is enough that we agree that every organisation, including yours, needs a robust, 24/7 information governance programme if it is going to be fit for today’s regulated business environment.

In closing for now, without going into too much more detail, here are some thoughts gleaned from our long experience, about how to ensure such a future strategy will be successful:

  • Ensure all stakeholders, including end users, are engaged in your information governance programme
  • Recognise that success in information governance depends on inducing change in your organisation, not just introducing new technology
  • Focus on people, processes and systems
  • Rise above the level of an individual repository and implement a solution that scales up over time to address your whole enterprise
  • Introduce your programme quickly and be prepared to change it with experience
  • Rule out the big bang approach – it never works – and instead roll out your information governance programme in a progressive, evolutionary and modular fashion
  • Think proactively, and implement an agile solution that can be deployed into your current less-than-perfect environment using a hybrid approach if necessary.

A final word of advice: don’t wait for a breach or an incident before you adopt information governance. You can do something now within your current budget constraints. Even if you have the cash to meet the fines and other penalties, or you think an incident is low risk to your business, many companies have failed to cope with the subsequent reputational damage that a failure to govern information incurs.

If you want to explore what an information governance solution means for you then RSD GLASS comes in five editions to match your level of maturity, including an easy on-board, cloud-based Starter Edition that you can trial for free. Just go to www.rsd.com/getstarted