Recently, I’ve been investigating ARMA certification as an Information Governance Professional (IGP). Needless to say, there is a substantial amount of material outlined in the DACUM curriculum for that program, but I’ve learned that there are a series of core elements common to effective information governance programs. For the purposes of this discussion, I am defining information governance as:
“An accountability framework that encourages desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”
The ultimate goal of information governance is to recognize that information, generated by day-to-day operations of an organization, is a valuable corporate asset that must be managed and disposed of in a responsible fashion. Like most complex initiatives, creating an information governance strategy can seem overwhelming. Breaking the project down into discrete phases helps organize the effort and makes it a bit less daunting to undertake. Based on the IGP program and other resources, here are some broad project categories you can use to get started:
- Understand & assess your business goals. Each organization has a unique set of business objectives and constraints that must be factored into their governance strategies, and the goal of this phase is to uncover those. For example, is your organization subject to specific regulatory requirements? Regulations such as HIPAA or SOX may not only impose restrictions on how information is handled, but may introduce additional risk in the form of fines or sanctions if the regulations are violated. In addition to regulations, be sure to identify key sponsors and stakeholders, outline external dependencies and consider budgetary constraints during this phase.
- Plan & document the governance strategy. With a solid understanding of the business goals that your governance strategy must achieve, you can turn your attention toward developing a detailed plan for reaching those goals. We recommend approaching this process by creating a project plan that maps each business goal with the governance tasks required to support that goal. For example HIPAA compliance requires potentially-sensitive data to be safeguarded or encrypted, access controls be enforced, etc. Each of those requirements in turn may result in secondary project tasks such as developing RFP or RFI documents for new access control systems.
- The steps outlined in your project plan will become the basis for the implementation phase of the initiative. During this phase, polices are drafted, approved and rolled out to the organization. In conjunction with introducing new policy controls, technology solutions may be put in place to enforce compliance. Not all policies and procedures can be fully technology-based, however, so it is also important to work with the corporate training and change management teams to make sure there is a comprehensive training program rolled out to employees. Training should stress the importance of corporate information as an asset, and responsibilities that individual employees have for protecting that asset.
- An information governance process does not end with implementation, ongoing management of the process is a crucial element. Regulations change, business needs evolve and employee turnover will occur. Plan to address these organizational changes by conducting periodic audits, reviews and training programs to address any gaps in the process that emerge over time.
Over the coming months we will be covering each phase of building a corporate information governance framework in more detail in our white paper series. Watch the Sherpa Software web site for more information, or join our LinkedIn group for the latest updates.