Principles of Holistic Information Governance
Good Governance is Good Business
#armacanada | @chris_p_walker
Chris WalkerAnalyst, Digital Clarity GroupJune 10, 2014
DCG helps business leaders navigate the digital transformation and create competitive advantage from disruption. About Digital Clarity Group
#armacanada | @chris_p_walker
Information governance is about …
Records Security Info architecture Storage Acceptable use Etc.
GETTING BUSINESS DONE!!!
Information governance is the rules, regulations, legislation, standards, and policies with which organizations need to comply when they create, share, and use information.
#armacanada | @chris_p_walker
Principles of Holistic Information Governance
#armacanada | @chris_p_walker
1. Information is an organizational asset2. Understand what you’re using information for3. Understand where it’s coming from and where it’s going to4. Understand when you need it5. Understand who can and should be using it, and for what6. Understand your social, regulatory, and compliance obligations7. Understand your information related risks8. Understand how stakeholders are interacting with it9. With few exceptions, information has a finite useful life10. Make someone accountable
Information is an organizational asset
Belongs to the org – not the person Costs of acquisition, maintenance Value may depreciate over time
In aggregate, value may increase over time Information has REAL value
http://christianpwalker.wordpress.com/2013/10/07/i-cant-can-you-valuing-information/
http://christianpwalker.wordpress.com/2013/11/04/i-think-i-can-valuing-information-pt-2/
#armacanada | @chris_p_walker
Understand what you’re using information for
Different orgs / depts can use the same info for different purposes
What does your info do?– Cause action– Help plan– Support decisions– Inform / educate / entertain
Tie info to business process– Info not tied to biz proc, probably not needed
#armacanada | @chris_p_walker
Understand where it’s coming from & where it’s going to
Where are you getting your info & where are you sending it?– Internal or external– Social media– Cloud
Can you trust the sources? What will recipients do with it?
#armacanada | @chris_p_walker
Understand when you need it
When do you really need it? Is real-time really necessary? What do you do when you don’t get it in time? Stale information
#armacanada | @chris_p_walker
Understand who can & should be using it, & for what
It’s about more than just security– Don’t give people info they don’t need– E.g.: don’t present travel / expense policies to employees
that don’t travel Who can have or use it? What can they do with it? What’s the best way to get info to audience?
#armacanada | @chris_p_walker
Understand your social, regulatory, & compliance obligations
What are your social, regulatory, compliance obligations
Historical perspective Multiple jurisdictions Data sovereignty Self-imposed / business vs. Statutory
– Most stringent wins? Curator or Custodian?
#armacanada | @chris_p_walker
Understand your information related risks
Too much or not enough?– Bad decisions or analysis paralysis?
What if it leaks? Legal, FOIP/FOIA/ATIP Risk profile
– Probability of occurrence– Impact of occurrence– Litigation frequency
Costs of mitigation vs. Impacts of occurrence You can’t protect against everything
#armacanada | @chris_p_walker
Understand how stakeholders are interacting with it
How are stakeholders interacting with it?– What kinds of devices?– Where are they accessing?
Passive or active interactions?– Do your consumers become contributors?
#armacanada | @chris_p_walker
With few exceptions, information has a finite useful life
Most information doesn’t last forever Get rid of it when you can
– Legally defensible destruction is only one aspect– If it still has business value, keep it
De-clutter, become info-efficient
#armacanada | @chris_p_walker
Make someone accountable
C-level, single role accountability– Typical CIO focus is infrastructure
½-step below CEO, ½-step above rest of C-suite– Stakeholder input, 1 person accountable
No room for bias– Balance business objectives against compliance & risk
#armacanada | @chris_p_walker
PHIGs in Action – A Case Study
From RM to IG
Before We Begin The client is a gov’t public transit authority They are at the beginning of the road to Info
Gov– They’ve licensed S/W and redone their web comms
(inter/intra/extranet) Sign off on IG was a HUGE win
#armacanada | @chris_p_walker
Change the Focus Started with RM that
benefited few, infrequently
Driver was to be able to better comply with FOI requests
New driver is to use information to support Values and Major Objectives
Ended with Info Gov that benefits many, always– Also leverage tech
investments
#armacanada | @chris_p_walker
Values Safety Customer Service Sustainability Integrity Innovation Collaboration
Major Objectives Develop Financial
Sustainability Support & Shape Livable
Communities Change the Perception of
Transit Deliver Operation Excellence Strengthen our People &
Partnerships
#armacanada | @chris_p_walker
Tied to values & objectives
Original Project ObjectivesRe-Stated
Systematic and consistent approach to records and information management from creation to disposal for all work units and divisions
Compliance with legislation and fulfilment of business requirements.
Awareness of the importance of records management and the need for responsibility and accountability at all levels
Ensure that stakeholders have access to current, accurate information in order to meet business objectives and legislative / regulatory obligations.
Systematic and consistent approach to records and information management from creation to disposal for all work units and divisions
Increase operational and administrative efficiencies through effective management of information and technology assets.
Awareness of the importance of records management and the need for responsibility and accountability at all levels#armacanada | @chris_p_walker
The Impact
Original PHIGged
#armacanada | @chris_p_walker
1. Info is an Org Asset Info potentially created by 177 orgs Only thing to discuss is which org owns what
info– Whoever owns it is accountable for it
Ownership only 1 issue – need resources to manage– Have you considered a shared services model?
#armacanada | @chris_p_walker
2. What are you using info for? Admin procs – HR, FIN, etc. – nothing sexy Operations – Real time route info – could be
sexy Campaigns / Awareness – dead sexy Stakeholder collaboration – major sexy Tie info to biz procs – bake in governance
accordingly
#armacanada | @chris_p_walker
3. Where’s it coming from, where’s it going to? To the web, intranet, extranet From customers, communities, tree huggers To doctors, press, unions From doctors, unions, tourists To/from all levels of gov’t Loads of info flying about – it’s not always
digital– How to capture a cyclist flipping a bus driver the bird– Won’t always know or control where info’s going
#armacanada | @chris_p_walker
4. When do you need it? Route updates (accidents/delays) – right now! Accident/incident info – before the authorities Customer service info – before the issue
becomes unmanageable Need info while still possible to effect positive
outcome or minimize impact of negative outcome
#armacanada | @chris_p_walker
5. Who can use it, for what? Only partially about security & privacy
– Efficiency – if they don’t need it, don’t give it to them
One doc - many uses– Stakeholders need to know it’s there and available– View is not consistent for all (e.g.: driver medical
reports)
#armacanada | @chris_p_walker
6. Social, regulatory, compliance obligations Pub Sect – subject to FOI Incident reporting – not just accidents; cust
serv issues Multiple jurisdictions – consolidate where
possible First obligation is biz value
– Accept it’s not always possible - rules are rules
#armacanada | @chris_p_walker
7. Understand Info Risks Display ads on vehicles/infra – what’s the
liability Holding PII & other sensitive info On the hook for FOI requests Risk profile based on public
trust/transparency, safety issues, environmental issues
Possible shared services model will impact You can’t mitigate everything – focus on high
value/high risk#armacanada | @chris_p_walker
8. Understand Interaction Internet, Intranet, Extranet Ads in/on vehicles Bus driver flipping cyclist the bird Customers, tourists, prospects Doctors, lawyers, Workers’ Comp,
Investigators How is influenced by who, why.
#armacanada | @chris_p_walker
9. Info has a finite useful life Applies to ALL info, not just r*****s!
– Applies no matter where it’s squirreled away Separate retention sched from info type Classify early, classify often if you need to
– Classify based on purpose Big buckets to manage retention If there’s no reason to keep it, kill it.
– Don’t do it like the previous Ontario govt’s being accused of
#armacanada | @chris_p_walker
10. Make someone accountable Each org accountable for what it owns
– Shared services / SaaS doesn’t negate Distinguish between info curator and info
custodian Centralized decentralization – Biz unit
responsible for info, answerable to C-level– Long journey ahead – at least info mgt now out of
HR and under Finance (may change)
#armacanada | @chris_p_walker
Wrapping it up
Time to switch– Risks -> Benefits– Cost -> Value
Policies -> procedures -> education -> tools– Review & repeat as required
It doesn’t have to be perfect, good enough is good enough Focus on business first Balance business benefits against compliance, risk Approach depends on org type & info type Information governance is about getting business done
#armacanada | @chris_p_walker
Additional Resources
The Blog posts that started this– Principles of Holistic Information Governance– Policies First – Holism in Information Governance– Governance Sucks but Doesn’t Have To
#armacanada | @chris_p_walker
#AIIM2014 | @chris_p_walker
Thank you
Chris Walker | @chris_p_walker
Digital Clarity Group | @just_clarity
+1 780 270 5359
Skype christianpwalker1
Chris is hoping the Kings win the cup
because he’s mad at the Rangers for
beating the Habs.