Information Governance Decision Quadrant

I was recently at the site of a financial services client, helping design its information governance program. As I do everywhere, whether the company is in financial services, utilities, healthcare or in a different industry, I encourage the use of an Information Governance Decision Quadrant.

Each organization is different when it comes to defining information governance needs.

When I’m with a client working on a new information governance project, I’m always struck by how important it is to work under the rules of the “one-size-doesn’t-fit-all” dictum. Each organization is different. And that difference comes from history, regulatory requirements, the needs of customers, where the organization is on its digital transformation journey and its culture. There’s another input that helps define the right information governance approach: understanding who has authority over the information.

At Doculabs, we don’t start by telling you where you need to be. We ask: “Where are you today?” “Where do you want to be?” And, most importantly, we work with you to figure out “where you should be.” Are you writing the policies and procedures (P&P), or are you responsible for enforcing them? And how might your interaction with policies and procedures change over time?

Do you already own information governance tools?

Does your organization already owns its own information governance tools, or do you need help facilitating the purchase of new or upgraded information governance tools? Should the enterprise own the tools outright or license them?

Are the people who work in the area going to work on governance part-time or will there be dedicated resources? If you’re in the operational or enforcement area, you may need full-time resources. It’s all about coming up with Best Practices for Highly Effective Corporate Information Governance Programs.

The information governance decision quadrant is the first step in developing an information governance body.

The chart below is the first step in developing an information-governance body. Each organization needs to understand where it lies on that chart—and how future goals may move the organization from one location to another. Once you’ve established that you need an information governance program, you can use the chart to help figure out where the governing body sits.

Doculabs Information Governance Decision Quadrant

Involvement in execution ranges from strategic to operational. The level of authority applied ranges from advisory to enforcement.

Knowing where your company sits becomes important because it helps you visualize the scope of the information governance project, areas of responsibility and roles, and the resources you may need.

In the upper left Advisory-Strategic quadrant, you define IG policies and best practices for general data governance and protection. In the lower left Advisory-Operational quadrant, you may use technology to report on compliance to policies. The technologies won’t make you “adhere” to the policy—it isn’t enforcement tool, per se—but it does inform you about how to comply with general policies and data policy practices.

If your organization—or a particular set of data—sits in (or you want it to be in) the upper right Enforcement-Strategic quadrant, you’re not only defining the policies, but you have the authority to enforce them. If you’re here, you’re not in the weeds, and you’re allowing the business to take point.

By contrast, the bottom right, Enforcement-Operational quadrant is where a lot of work happens. Here you are discovering the data. Here you have the authority to ensure compliance with your organization’s policies.

Different projects within one organization may place you in more than one information governance quadrant.

Choosing a square is not an all-enterprise phenomenon. For some activities (and for some types of data) you may land in one of the information governance squares. For other types of activities or information, you may find yourself in a completely different square.

For example, take the financial services client I referenced earlier. For the really critical stuff, such as personally identifiable information (PII), account numbers and social security numbers, the focus was on enforcement. For other data types (such as proprietary information), the organization landed on the more advisory square.

For instance, our client did not want information getting out about its “strategic project development projects.” With good information governance, if there were a problem, the company wouldn’t be fined. The damage would be reputational and competitive, not regulatory.

Our financial services client ended up more on the advisory-operational part of the quadrant. But it had a mandate to change its focus to become more strategic. It started on the bottom left, and moved to the enforcement-strategic quadrant on the upper right.

An analogy between information governance and project management:

There’s an analogy here with the project management space and how an organization runs its Project Management Office (PMO). There are, of course, many project management methodologies. Some organizations view the PMO as both the standard bearer and enforcer. Others view it as a consultative group there to provide help if needed.

The problem in the world of the PMO—and this is equally true when it comes to information governance—is that templates are nothing but well thought-out standards or “averages” of best practices. That doesn’t work in project management; and it doesn’t work in information governance.

Consider both the before and the after states.

Remember there are two parts to this when it comes to information governance—a before and an after. Identify where you are, then know where you want to move. Do you know where your business needs to be? What’s the best cultural fit for you? And how should you change given the pressures of regulation, competition and mergers or acquisitions?

 

Rich Medina
Jim Polka
I’m a Principal Consultant. My expertise is in security-based information management and strategic deployment of ECM technologies.