ARMA Canada 2014 - Principles of Holistic Information Governance

Principles of Holistic Information Governance

Good Governance is Good Business

#armacanada | @chris_p_walker

Chris WalkerAnalyst, Digital Clarity GroupJune 10, 2014

DCG helps business leaders navigate the digital transformation and create competitive advantage from disruption. About Digital Clarity Group


Information governance is about …

Records Security Info architecture Storage Acceptable use Etc.

GETTING BUSINESS DONE!!!

Information governance is the rules, regulations, legislation, standards, and policies with which organizations need to comply when they create, share, and use information.


Principles of Holistic Information Governance


1. Information is an organizational asset2. Understand what you’re using information for3. Understand where it’s coming from and where it’s going to4. Understand when you need it5. Understand who can and should be using it, and for what6. Understand your social, regulatory, and compliance obligations7. Understand your information related risks8. Understand how stakeholders are interacting with it9. With few exceptions, information has a finite useful life10. Make someone accountable

Information is an organizational asset

Belongs to the org – not the person Costs of acquisition, maintenance Value may depreciate over time

In aggregate, value may increase over time Information has REAL value

http://christianpwalker.wordpress.com/2013/10/07/i-cant-can-you-valuing-information/

http://christianpwalker.wordpress.com/2013/11/04/i-think-i-can-valuing-information-pt-2/







Understand what you’re using information for

Different orgs / depts can use the same info for different purposes

What does your info do?– Cause action– Help plan– Support decisions– Inform / educate / entertain

Tie info to business process– Info not tied to biz proc, probably not needed


Understand where it’s coming from & where it’s going to

Where are you getting your info & where are you sending it?– Internal or external– Social media– Cloud

Can you trust the sources? What will recipients do with it?


Understand when you need it

When do you really need it? Is real-time really necessary? What do you do when you don’t get it in time? Stale information


Understand who can & should be using it, & for what

It’s about more than just security– Don’t give people info they don’t need– E.g.: don’t present travel / expense policies to employees

that don’t travel Who can have or use it? What can they do with it? What’s the best way to get info to audience?


Understand your social, regulatory, & compliance obligations

What are your social, regulatory, compliance obligations

Historical perspective Multiple jurisdictions Data sovereignty Self-imposed / business vs. Statutory

– Most stringent wins? Curator or Custodian?


Understand your information related risks

Too much or not enough?– Bad decisions or analysis paralysis?

What if it leaks? Legal, FOIP/FOIA/ATIP Risk profile

– Probability of occurrence– Impact of occurrence– Litigation frequency

Costs of mitigation vs. Impacts of occurrence You can’t protect against everything


Understand how stakeholders are interacting with it

How are stakeholders interacting with it?– What kinds of devices?– Where are they accessing?

Passive or active interactions?– Do your consumers become contributors?


With few exceptions, information has a finite useful life

Most information doesn’t last forever Get rid of it when you can

– Legally defensible destruction is only one aspect– If it still has business value, keep it

De-clutter, become info-efficient


Make someone accountable

C-level, single role accountability– Typical CIO focus is infrastructure

½-step below CEO, ½-step above rest of C-suite– Stakeholder input, 1 person accountable

No room for bias– Balance business objectives against compliance & risk


PHIGs in Action – A Case Study

From RM to IG

Before We Begin The client is a gov’t public transit authority They are at the beginning of the road to Info

Gov– They’ve licensed S/W and redone their web comms

(inter/intra/extranet) Sign off on IG was a HUGE win


Change the Focus Started with RM that

benefited few, infrequently

Driver was to be able to better comply with FOI requests

New driver is to use information to support Values and Major Objectives

Ended with Info Gov that benefits many, always– Also leverage tech

investments


Values Safety Customer Service Sustainability Integrity Innovation Collaboration

Major Objectives Develop Financial

Sustainability Support & Shape Livable

Communities Change the Perception of

Transit Deliver Operation Excellence Strengthen our People &

Partnerships


Tied to values & objectives

Original Project ObjectivesRe-Stated

Systematic and consistent approach to records and information management from creation to disposal for all work units and divisions

Compliance with legislation and fulfilment of business requirements.

Awareness of the importance of records management and the need for responsibility and accountability at all levels

Ensure that stakeholders have access to current, accurate information in order to meet business objectives and legislative / regulatory obligations.

Systematic and consistent approach to records and information management from creation to disposal for all work units and divisions

Increase operational and administrative efficiencies through effective management of information and technology assets.

Awareness of the importance of records management and the need for responsibility and accountability at all levels#armacanada | @chris_p_walker

The Impact

Original PHIGged


1. Info is an Org Asset Info potentially created by 177 orgs Only thing to discuss is which org owns what

info– Whoever owns it is accountable for it

Ownership only 1 issue – need resources to manage– Have you considered a shared services model?


2. What are you using info for? Admin procs – HR, FIN, etc. – nothing sexy Operations – Real time route info – could be

sexy Campaigns / Awareness – dead sexy Stakeholder collaboration – major sexy Tie info to biz procs – bake in governance

accordingly


3. Where’s it coming from, where’s it going to? To the web, intranet, extranet From customers, communities, tree huggers To doctors, press, unions From doctors, unions, tourists To/from all levels of gov’t Loads of info flying about – it’s not always

digital– How to capture a cyclist flipping a bus driver the bird– Won’t always know or control where info’s going


4. When do you need it? Route updates (accidents/delays) – right now! Accident/incident info – before the authorities Customer service info – before the issue

becomes unmanageable Need info while still possible to effect positive

outcome or minimize impact of negative outcome


5. Who can use it, for what? Only partially about security & privacy

– Efficiency – if they don’t need it, don’t give it to them

One doc - many uses– Stakeholders need to know it’s there and available– View is not consistent for all (e.g.: driver medical

reports)


6. Social, regulatory, compliance obligations Pub Sect – subject to FOI Incident reporting – not just accidents; cust

serv issues Multiple jurisdictions – consolidate where

possible First obligation is biz value

– Accept it’s not always possible - rules are rules


7. Understand Info Risks Display ads on vehicles/infra – what’s the

liability Holding PII & other sensitive info On the hook for FOI requests Risk profile based on public

trust/transparency, safety issues, environmental issues

Possible shared services model will impact You can’t mitigate everything – focus on high

value/high risk#armacanada | @chris_p_walker

8. Understand Interaction Internet, Intranet, Extranet Ads in/on vehicles Bus driver flipping cyclist the bird Customers, tourists, prospects Doctors, lawyers, Workers’ Comp,

Investigators How is influenced by who, why.


9. Info has a finite useful life Applies to ALL info, not just r*****s!

– Applies no matter where it’s squirreled away Separate retention sched from info type Classify early, classify often if you need to

– Classify based on purpose Big buckets to manage retention If there’s no reason to keep it, kill it.

– Don’t do it like the previous Ontario govt’s being accused of


10. Make someone accountable Each org accountable for what it owns

– Shared services / SaaS doesn’t negate Distinguish between info curator and info

custodian Centralized decentralization – Biz unit

responsible for info, answerable to C-level– Long journey ahead – at least info mgt now out of

HR and under Finance (may change)


Wrapping it up

Time to switch– Risks -> Benefits– Cost -> Value

Policies -> procedures -> education -> tools– Review & repeat as required

It doesn’t have to be perfect, good enough is good enough Focus on business first Balance business benefits against compliance, risk Approach depends on org type & info type Information governance is about getting business done


Additional Resources

The Blog posts that started this– Principles of Holistic Information Governance– Policies First – Holism in Information Governance– Governance Sucks but Doesn’t Have To


http://christianpwalker.wordpress.com/2013/04/01/principles-of-holistic-information-governance/

http://christianpwalker.wordpress.com/2013/02/20/policies-first-holism-in-informaiton-governance/

http://christianpwalker.wordpress.com/2012/09/17/governance-sucks-but-doesnt-have-to/

#AIIM2014 | @chris_p_walker

Thank you

Chris Walker | @chris_p_walker

Digital Clarity Group | @just_clarity

[email protected]

+1 780 270 5359

Skype christianpwalker1

Chris is hoping the Kings win the cup

because he’s mad at the Rangers for

beating the Habs.

mailto:[email protected]