The document discusses principles of holistic information governance. It begins by explaining that information governance is about records, security, information architecture, storage, acceptable use policies, and other topics. It then lists 10 principles of holistic information governance: 1) treat information as an organizational asset, 2) understand how information is used, 3) understand where it comes from and goes, 4) understand when it's needed, 5) understand who can access it, 6) understand compliance obligations, 7) understand information risks, 8) understand how stakeholders interact with information, 9) recognize information has a finite lifespan, and 10) assign accountability. The document then provides examples and further explanation for each principle.
ARMA Canada 2014 - Principles of Holistic Information Governance
1. Principles of Holistic Information Governance
Good Governance is Good Business
#armacanada | @chris_p_walker
Chris Walker
Analyst, Digital Clarity Group
June 10, 2014
2. DCG helps business leaders navigate the digital transformation and create competitive advantage from disruption.
About Digital Clarity Group
3. Information governance is about …
Records
Security
Info architecture
Storage
Acceptable use
Etc.
GETTING BUSINESS DONE!!!
Information governance is the rules, regulations, legislation, standards, and policies with which organizations need to comply when they create, share, and use information.
4. Principles of Holistic Information Governance
1. Information is an organizational asset
2. Understand what you’re using information for
3. Understand where it’s coming from and where it’s going to
4. Understand when you need it
5. Understand who can and should be using it, and for what
6. Understand your social, regulatory, and compliance obligations
7. Understand your information related risks
8. Understand how stakeholders are interacting with it
9. With few exceptions, information has a finite useful life
10. Make someone accountable
5. Information is an organizational asset
Belongs to the org – not the person
Costs of acquisition, maintenance
Value may depreciate over time
In aggregate, value may increase over time
Information has REAL value
http://christianpwalker.wordpress.com/2013/10/07/i-cant-can-you-valuing-information/
http://christianpwalker.wordpress.com/2013/11/04/i-think-i-can-valuing-information-pt-2/
6. Understand what you’re using information for
Different orgs / depts can use the same info for different purposes
What does your info do?
– Cause action
– Help plan
– Support decisions
– Inform / educate / entertain
Tie info to business process
– Info not tied to biz proc, probably not needed
7. Understand where it’s coming from & where it’s going to
Where are you getting your info & where are you sending it?
– Internal or external
– Social media
– Cloud
Can you trust the sources?
What will recipients do with it?
8. Understand when you need it
When do you really need it?
Is real-time really necessary?
What do you do when you don’t get it in time?
Stale information
9. Understand who can & should be using it, & for what
It’s about more than just security
– Don’t give people info they don’t need
– E.g.: don’t present travel / expense policies to employees that don’t travel
Who can have or use it? What can they do with it?
What’s the best way to get info to audience?
10. Understand your social, regulatory, & compliance obligations
What are your social, regulatory, compliance obligations
Historical perspective
Multiple jurisdictions
Data sovereignty
Self-imposed / business vs. Statutory
– Most stringent wins?
Curator or Custodian?
11. Understand your information related risks
Too much or not enough?
– Bad decisions or analysis paralysis?
What if it leaks?
Legal, FOIP/FOIA/ATIP
Risk profile
– Probability of occurrence
– Impact of occurrence
– Litigation frequency
Costs of mitigation vs. Impacts of occurrence
You can’t protect against everything
12. Understand how stakeholders are interacting with it
How are stakeholders interacting with it?
– What kinds of devices?
– Where are they accessing?
Passive or active interactions?
– Do your consumers become contributors?
13. With few exceptions, information has a finite useful life
Most information doesn’t last forever
Get rid of it when you can
– Legally defensible destruction is only one aspect
– If it still has business value, keep it
De-clutter, become info-efficient
14. Make someone accountable
C-level, single role accountability
– Typical CIO focus is infrastructure
½-step below CEO, ½-step above rest of C-suite
– Stakeholder input, 1 person accountable
No room for bias
– Balance business objectives against compliance & risk
16. Before We Begin
The client is a gov’t public transit authority
They are at the beginning of the road to Info Gov
– They’ve licensed S/W and redone their web comms (inter/intra/extranet)
Sign off on IG was a HUGE win
17. Change the Focus
Started with RM that benefited few, infrequently
Driver was to be able to better comply with FOI requests
New driver is to use information to support Values and Major Objectives
Ended with Info Gov that benefits many, always
– Also leverage tech investments
18. Values
Safety
Customer Service
Sustainability
Integrity
Innovation
Collaboration
Major Objectives
Develop Financial Sustainability
Support & Shape Livable Communities
Change the Perception of Transit
Deliver Operation Excellence
Strengthen our People & Partnerships
19. Tied to values & objectives
Original Project Objectives Re-Stated
Systematic and consistent approach to records and information management from creation to disposal for all work units and divisions
Compliance with legislation and fulfilment of business requirements.
Awareness of the importance of records management and the need for responsibility and accountability at all levels
Ensure that stakeholders have access to current, accurate information in order to meet business objectives and legislative / regulatory obligations.
Systematic and consistent approach to records and information management from creation to disposal for all work units and divisions
Increase operational and administrative efficiencies through effective management of information and technology assets.
Awareness of the importance of records management and the need for responsibility and accountability at all levels
21. 1. Info is an Org Asset
Info potentially created by 177 orgs
Only thing to discuss is which org owns what info
– Whoever owns it is accountable for it
Ownership only 1 issue – need resources to manage
– Have you considered a shared services model?
22. 2. What are you using info for?
Admin procs – HR, FIN, etc. – nothing sexy
Operations – Real time route info – could be sexy
Campaigns / Awareness – dead sexy
Stakeholder collaboration – major sexy
Tie info to biz procs – bake in governance accordingly
23. 3. Where’s it coming from, where’s it going to?
To the web, intranet, extranet
From customers, communities, tree huggers
To doctors, press, unions
From doctors, unions, tourists
To/from all levels of gov’t
Loads of info flying about – it’s not always digital
– How to capture a cyclist flipping a bus driver the bird
– Won’t always know or control where info’s going
24. 4. When do you need it?
Route updates (accidents/delays) – right now!
Accident/incident info – before the authorities
Customer service info – before the issue becomes unmanageable
Need info while still possible to effect positive outcome or minimize impact of negative outcome
25. 5. Who can use it, for what?
Only partially about security & privacy
– Efficiency – if they don’t need it, don’t give it to them
One doc - many uses
– Stakeholders need to know it’s there and available
– View is not consistent for all (e.g.: driver medical reports)
26. 6. Social, regulatory, compliance obligations
Pub Sect – subject to FOI
Incident reporting – not just accidents; cust serv issues
Multiple jurisdictions – consolidate where possible
First obligation is biz value
– Accept it’s not always possible - rules are rules
27. 7. Understand Info Risks
Display ads on vehicles/infra – what’s the liability
Holding PII & other sensitive info
On the hook for FOI requests
Risk profile based on public trust/transparency, safety issues, environmental issues
Possible shared services model will impact
You can’t mitigate everything – focus on high value/high risk
28. 8. Understand Interaction
Internet, Intranet, Extranet
Ads in/on vehicles
Bus driver flipping cyclist the bird
Customers, tourists, prospects
Doctors, lawyers, Workers’ Comp, Investigators
How is influenced by who, why.
29. 9. Info has a finite useful life
Applies to ALL info, not just r*****s!
– Applies no matter where it’s squirreled away
Separate retention sched from info type
Classify early, classify often if you need to
– Classify based on purpose
Big buckets to manage retention
If there’s no reason to keep it, kill it.
– Don’t do it like the previous Ontario govt’s being accused of
30. 10. Make someone accountable
Each org accountable for what it owns
– Shared services / SaaS doesn’t negate
Distinguish between info curator and info custodian
Centralized decentralization – Biz unit responsible for info, answerable to C-level
– Long journey ahead – at least info mgt now out of HR and under Finance (may change)
31. Wrapping it up
Time to switch
– Risks -> Benefits
– Cost -> Value
Policies -> procedures -> education -> tools
– Review & repeat as required
It doesn’t have to be perfect, good enough is good enough
Focus on business first
Balance business benefits against compliance, risk
Approach depends on org type & info type
Information governance is about getting business done
32. Additional Resources
The Blog posts that started this
– Principles of Holistic Information Governance
– Policies First – Holism in Information Governance
– Governance Sucks but Doesn’t Have To
33. #AIIM2014 | @chris_p_walker
Thank you
Chris Walker | @chris_p_walker
Digital Clarity Group | @just_clarity
cwalker@digitalclaritygroup.com
+1 780 270 5359
Skype christianpwalker1
Chris is hoping the Kings win the cup because he’s mad at the Rangers for beating the Habs.
Editor's notes
Research-driven industry analyst firm focused on helping leaders navigate the digital transformation and create competitive advantage from disruption.
Ultimately, we want to… so we work with both buyers and sellers to do that. Buyers in this way… Sellers in that way…
Holistic IG is more than records management and security. It’s really about how orgs use, organize, and manage info to conduct business.
Info format is irrelevant.
Information is an organizational asset.
In the course of our employ we produce and receive information. It doesn’t belong to us, it belongs to our employers. As such, we need to treat it like any other corporate asset. Even if you use a personal device to produce the information, it still belongs to the organization.
Assets have acquisition costs, maintenance costs, residual value (sometimes), and get disposed of at the end of their useful lives. Tell me how this doesn’t apply to information.
Residual Value – when info is ready for disposition there may still be some value that can be leveraged for reporting & analytics. E.g.: Invoice data may be copied to data warehouse prior to invoice being disposed.
Understand what you’re using information for.
How does information help you achieve strategic objectives? A government entity and a direct-to-consumer sales organization may use some of the same information, but they will use it differently and for different purposes.
Understanding what you’re using information for ought to help you understand what information you actually need. If the information you control can’t be tied to a business or compliance purpose – you don’t need it.
Understand where it’s coming from and where it’s going to.
Information doesn’t just magically appear; it comes from somewhere. You need to identify your internal and external information sources.
Most organizations don’t just fire information out willy-nilly. Information is intended for specific audiences, for specific purposes. You need to understand what effect your information is intended to have, and who you want/need it to affect.
Don’t ignore or underestimate the value/obligations/impacts of information transmitted via social media channels.
Understand when you need it.
The next person that says “I need this yesterday.” wins a smack in the head with a frozen mullet (the fish, not the hairstyle).
Information is needed at various points in business and decision making processes. Is real-time information really necessary or can you wait a few minutes or hours for it? Figure out when you actually need the information in order to make a decision.
Understand who can and should be using it, and for what.
This is not just about security, though that’s a big piece. This is also about getting the information out to those that need it or to those that you want to influence with it. Think about it in terms of getting your message out to your target audiences.
Once the information has found its way to the audience, what are they going to do with it? Are they going to make a decision, buy something, receive a benefit…?
Understand your social, regulatory, and compliance obligations.
Depending on what you do and for whom you do it, you have information related obligations. Some of these are imposed by statute, some by convention, and some are self-imposed. These obligations determine how long you must keep information, what you can do with it at the end of its life, and to whom you may or must disclose it when asked.
Understand your information related risks (too much, not enough, disclosure, etc.).
If some of your information leaks, what’re the consequences and can you live with them?
If you’re overwhelmed by information how does it impact performance?
If you’re missing information can you still get stuff done?
How likely are you to be sued?
Understand how stakeholders are interacting with it.
It’s not enough to know what your stakeholders are doing with information. You need to figure out how they’re doing it.
It’s not enough to identify the types and locations of devices that stakeholders are using; you also need to find out if the interactions are passive or active. Active interaction typically means that stakeholders are contributing as well as consuming content.
With few exceptions, information has a finite useful life.
Unless your information has historical/archival/archeological value, get rid of it as soon as you can. It’s not just about the whole discovery/litigation thing; it’s also about de-cluttering and being info-efficient.
Information is a perishable good; once it’s stale or rotted, get rid of it.
Litmus Test:
Does it have business value?
Is there a legal/regulatory reason to keep it?
Does it have archival/historical value?
If answer to any of these is yes, keep it.
The less info you have to sort through the quicker you’ll find what you’re looking for.
Make someone accountable.
Overall organizational performance, financial performance, legal, technology … they all have single-role accountability and responsibility. As, arguably, the second most important asset of an organization, information deserves at least the same level of attention as finance, IT, HR, legal, etc.
A C-level executive needs to be accountable for how information is governed and managed across the organization.
How stakeholders engage with info is influenced by who they are, what they’re doing, and why they’re doing it.
None of these ten “principles” is much good on its own; they only work as a whole. Other than the first and last, the key is to go only as deep as you need to in order to make things work for your organization. Nobody is expecting perfection; things just need to be good enough.
I’m not trying to downplay the difficulty in formulating information governance policies and procedures. However, much complexity can be avoided if common sense is applied and business objectives remain the primary focus.