How to Plan and Implement Information Governance

Information governance (IG) is a mix of a lot that’s old and a lot that’s new. The good news is that while much of the terrain is very new (mobile, social, cloud, big data, and petabytes of files), there are proven, reliable methodologies that we can apply to keep us on solid ground as we forge ahead.

Start with an “IG program framework,” which is just a glorified checklist. But it has proven to be a useful checklist for organizations that are addressing complex initiatives in enterprise information management, enterprise content management (ECM), records management, regulatory compliance, and e-discovery. The program framework organizes the individually necessary and jointly sufficient activities for planning and management initiatives in the content technologies.

Assembling these conditions and activities to effectively handle IG involves much more than just technology or process. Effective IG requires competency in a number of different areas. We have found that it’s most useful to bucket the areas of competency into six general categories:

  1. Overall Information Governance Program Strategy
  2. Governance Team and Operations
  3. Information Architecture
  4. Process Design and Implementation
  5. Architecture and Technology
  6. Communications and Training

Let’s look briefly at the first category.

Overall Information Governance Program Strategy

A best practice is to develop an overall strategy for an IG Program that encompasses and aligns your organization’s existing visions and strategies for IG, addressing significant gaps that may exist. The strategy should also establish, at a high level, general principles for the level of resources the organization will apply to the program.

The key elements of an overall IG program strategy typically include:

  1. Your set of defined goals, priorities, and desired outcomes. This will include ranking your “defensive” objectives (your regulatory, legal, and business risk objectives) against each other, against acceptable levels of costs and risks of project failure, and against your “offensive” organizational objectives (e.g. business process operational efficiency, increased sales and retained customers, number of products in the pipeline, etc.).
  2. Your explicit, documented IG policy. This is the design specification that clearly states the objectives that your IG program will fulfill. You should be able to defend your actions by pointing at your policy for information control, which shows what you intend to do, and then showing that you are following it. You don’t need such a “policy” for many other kinds of content initiatives, like most ECM programs. But you should have one for IG, since you will likely find yourselves defending your information governance actions by pulling out your IG policy and showing how in practice you fulfilled your IG policy.
  3. An objective assessment of your organization’s current state with respect to IG. Address the familiar categories: people, process, technology, and content. There’s a solid methodology for doing this, available from AIIM and others.
  4. A realistic target future state vision for typically 1.5 years, 3 years, and 5 years. It should be clearly articulated and documented.
  5. A roadmap outlining the sequencing of projects required to take you from your current state to your sequence of future states.
  6. Often, a business case showing that the expected benefits of your IG program justify the required investment of time and capital and an acceptable level of risk of initiative failure.

The good news is that, in the eyes of the law, you don’t need to be perfect; you don’t have to perfectly satisfy your retention, disposition, and other IG demands. You do need to use the Principle of Reasonableness and act in Good Faith, and, as outlined by Jim McGann and Julie Colgan in an article for Inside Counsel, this means the following:

Courts do not ask, expect, or necessarily reward organizations for perfection. Courts do expect, however, that whatever information management tactics an organization undertakes are appropriate to how that particular entity is situated (size, financial resources, regulatory and litigation profile, etc.).

Rich Medina
I’m a Principal Consultant and co-founder of Doculabs, and the resident expert in using ECM for information lifecycle management.