ACEDS Information Governance Webcast 3-11-15

Transcript of ACEDS Information Governance Webcast 3-11-15

Page 1: ACEDS Information Governance Webcast 3-11-15

Navigating the Maze of Information Governance

IG Start Here

Diane E. Walker, CRM, CMC

Page 2: ACEDS Information Governance Webcast 3-11-15
Page 3: ACEDS Information Governance Webcast 3-11-15

Presenters

Robin Athlyn Thompson, CEDS | Vice President, Marketing | Business Intelligence Associates | Phoenix
• ACEDS Advisory Board
• ACEDS Phoenix Chapter Vice President
• Manages BIA educational webcasts and strategic private briefings
• Stevie Award winner for lifetime achievement in e-discovery, information governance and RIM

Diane Walker, CRM, CMC | Manager of Records and Information | McDermott, Inc. | Houston
• Helps Fortune 500 companies develop and manage records and information resources
• Appointed as one of six international judges for ARMA International’s prestigious Cobalt Award in 2008
• Participated in development of the Information Governance Professional Certification

Page 4: ACEDS Information Governance Webcast 3-11-15

What is Information Governance?

IG is an overarching discipline that encompasses a variety of key concepts:

• Regulatory Compliance
• Risk Management
• Records and Information Management (RIM)
• Content Management
• Data Governance
• Information Security
• Data Privacy
• Litigation Readiness

Page 5: ACEDS Information Governance Webcast 3-11-15

Who is Information Governance?

IG Team

Legal

RIM

IT

Core Business

Regulatory

Steering Committee

Change Management

Compliance

Risk Management

Finance & Accounting

Audit

Business Development

QA/QC

Page 6: ACEDS Information Governance Webcast 3-11-15

Why Does IG Make Sense?

• Organizations need ONLY keep/manage the information they need, for as long as the information has value… PERIOD
• Improved security, visibility, and access to information enhances productivity
• Courts and regulatory agencies expect a fiduciary duty of care (SARBOX, HIPAA, GLBA, FTC, EAR, Basel II, Litigation Hold Orders, etc.)
• Risk mitigation and overall awareness that an IG program offers can have a positive effect on the bottom line
• It will never get easier
• Edward Snowden

Page 7: ACEDS Information Governance Webcast 3-11-15

10K View

Page 8: ACEDS Information Governance Webcast 3-11-15

Information Risk & Compliance

• Monitor Legal & Regulatory Landscape
• Identify Internal and External Compliance Requirements
• Prepare Risk Profile
• Conduct a Risk Assessment
• Develop Risk and Compliance Metrics
• Create a Mitigation Plan
• Manage the Risk Mitigation Process
• Conduct a Risk and Compliance Audit

Page 9: ACEDS Information Governance Webcast 3-11-15

Information Risk & Compliance (Duties, Tasks, Steps)

Legal & Regulatory Landscape | ID Internal & External Compliance | Prepare Risk Profile | Conduct a Risk Assessment | Develop Risk and Compliance Metrics | Create a Mitigation Plan | Manage the Risk Mitigation Process | Conduct Risk and Compliance Audit

Engage w/Legal & Stakeholders | Investigate Industry Practices | Collaborate and Consult with Stakeholders | ID Risk Assess Methodology | Define Compliance Success | Conduct a Cost Benefit Analysis | Monitor & Update Metrics | Develop Audit Framework

ID & Interpret Laws (All Jurisdictions) | Review Business Practices | ID Management’s Risk Tolerance | ID Stakeholders | ID Measurement Methodology | Prioritize Risks to Mitigate | Respond to Anomalies | ID Resources for Audit

ID Resources for Current Development | Collaborate w/internal Stakeholders | Create Risk Profile Document | ID and Collect Resources | ID Non-Compliance Triggers | Develop Methodology for Mitigation of Risks | Communicate with Stakeholders | Assign Audit Responsibilities

Document Relevant Laws & Regulations | Conduct Benchmarking | Obtain Stakeholder Signoff | Develop Interview Materials | Conduct Ongoing Gap Analysis | Communicate Mitigation Plan to Stakeholders | Modify Risk Mitigation Program As Needed | Oversee Audit Performance

Establish Review Process | Interview and Collect Data | Document Metrics | Provide Implementation Assistance | Analyze Audit Results

Analyze Risk Data | Present Metrics to Stakeholders | Monitor Implementation of Mitigation Plan | Present Findings & Recommendations to Stakeholders

Prepare Risk Assessment Report | Obtain Signoff on Metrics | Update Risk Mitigation Plan on Audit Findings

Obtain Signoff

Page 10: ACEDS Information Governance Webcast 3-11-15

IG Strategic Plan

• Align Resources to Develop Plan
• Analyze Internal Drivers
• Analyze External Drivers & Trends
• Develop a Strategic Plan

Page 11: ACEDS Information Governance Webcast 3-11-15

IG Strategic Plan (Duties, Tasks, Steps)

Align Resources to Develop Strategic Plan | Analyze Internal Drivers | Analyze External Drivers & Trends | Develop Strategic Plan

Obtain Executive Sponsor | Incorporate Enterprise Strategic Plan into IG Plan | ID Technology Needs | Define Strategies Based Upon Collected Information

ID Stakeholders | Incorporate IT Strategy Into IG Plan | Identify Information and Data Trends (e.g., information types and new data formats) | Prioritize Strategies

ID Roles and Responsibilities | Incorporate Business Plans into IG Plan to Maximize Business Improvement Opportunities Through Governance Efforts | Identify External Dependencies | Align Goals to Strategies

Incorporate Corporate Culture Into IG Plan | Evaluate Economic Environment/Conditions | ID Initiatives to Achieve Goals

Incorporate Corporate Risk Tolerances Into IG Strategic Plan | Evaluate Political Environment | Define Critical Factors

Incorporate Cost Benefit Analysis Into IG Plan | Evaluate Legal and Regulatory Environments | Define Measurement for Success

Review Constraints (e.g., financial, time, resources, legal) | ID Industry Best Practices & Trends | Write the Strategic Plan

Evaluate Competitive Landscape | Review with Stakeholders

Obtain Approval for Strategic Plan

Regularly Review and Update Plan as Needed

Page 12: ACEDS Information Governance Webcast 3-11-15

IG Framework

• Conduct Due Diligence to ID Standards to Guide the IG Framework
• Establish Enterprise IG Policies and Standards
• Develop Authority Roles and Responsibilities
• Develop Communications and Training
• Develop Auditing and Enforcement Mechanisms for the Framework

Page 13: ACEDS Information Governance Webcast 3-11-15

IG Framework (Duties, Tasks, Steps)

Conduct Due Diligence to ID Standards | Establish Enterprise IG Policies and Standards | Develop Authority Roles & Responsibilities | Develop Communications & Training | Develop Audit & Enforcement Mechanisms

Evaluate External Standards, Guidelines, Technical Reports, Best Practices | Define Discrete Policies and Standards | Define Authority, Roles and Responsibilities | ID Communication Audiences | Establish Auditing Criteria and Metrics

Evaluate Internal Policies, Standards, Guidelines, Technical Reports, Best Practices | Validate against Organizational Goals & Objectives | Assess Role Requirements | Draft Communication Plan | Establish Enforcement Mechanisms

Select Standards, Guidelines, Technical Reports, Best Practices | Draft Internal Policies and Standards | Review Roles with Stakeholders

Document the Selection Process | Review Draft Documents with Stakeholders | Obtain Role Assignment Approval From Steering Committee

Review and Verify Selection with Stakeholders | Obtain Approval and Signoff | Assign Authority, Roles and Responsibilities

Page 14: ACEDS Information Governance Webcast 3-11-15

Establishing The IG Program

• Establish Program Scope, Mandate and Reporting
• Assign Accountabilities
• Implement The IG Program
• Manage the IG Program

Page 15: ACEDS Information Governance Webcast 3-11-15

IG Program (Duties, Tasks, Steps)

Establish Program Scope, Mandate & Reporting | Assign Accountabilities | Implement the IG Program | Manage the IG Program

Engage Executive Leadership and establish Primary & Secondary Organizational Structure | ID IG Program Roles & Responsibilities | Develop Communication Plan for the IG Program | Monitor the Adoption of the IG Program

Define IG Program Mandate and Scope | Assign IG Program Roles and Responsibilities | Implement a Change Management Plan for the IG Program | Evaluate Effectiveness of the IG Program

Establish Appropriate Funding and Resources | Provide Training of Assigned Resources | Evaluate and Align Resources

Establish Ongoing Executive Reporting | Report to Management

Obtain Executive Management Signoff

Page 16: ACEDS Information Governance Webcast 3-11-15

Business Integration and Oversight

• Define Current State of Business Processes
• Define Current State of Technology Use in Business Process
• Align IG Framework with Business Area Requirements
• Guide Information Management Decisions

Page 17: ACEDS Information Governance Webcast 3-11-15

Business Integration & Oversight (Duties, Tasks, Steps)

Define Current State of Business Processes | Define Current State of Technology Use in Business Process | Align IG Framework with Business Area Requirements | Guide Information Management Decisions

Interview Business Areas | Identify Business and Technology Stakeholders and Users | Identify Strategic Goals of the Enterprise | Develop an Ongoing Participation Process

Review Current Business Environment (e.g. culture, systems, processes) | Survey and Interview Technology Stakeholders and Users | Identify Strategic Goals of the Business Areas | Develop an Ongoing Approval Process

Identify Information Needs of the Business | Collect and Analyze Data | Collaborate with each Business Area to Develop IG Framework | Implement a Participation and Approval Process

Document Current Environment and Desired State | Identify Gaps | Review and Approve Each Business Area IG Framework

Address Gaps Through Responsible Channel | Draft Detailed Change Management Process as Required

Page 18: ACEDS Information Governance Webcast 3-11-15

Align Technology with IG Framework

• Identify How Technology is Used in the Business
• Monitor & Evaluate Technology Trends
• Evaluate Hardware, Software and Data Life Cycles
• Align IG Strategic Plan and Framework with the IT Strategy and Operations

Page 19: ACEDS Information Governance Webcast 3-11-15

Align Technology With IG Framework (Duties, Tasks, Steps)

ID How Technology is Used in the Business

Monitor and Evaluate Technology Trends

Evaluate Hardware, Software and Data Life Cycles

Align Strategic Plan and Framework with the IT Strategy and Operations

Review IT, Information Asset Inventory or Register, Architecture and Strategic Plan

Review Existing Policies Pertaining to Information

Review General Technology Trends in the Markets (e.g., Cloud Computing, Social Media)

Review IT Procurement Procedures

Review Goals of IT Organization

Review Technology Adoption

Review Help Desk Strategy

Evaluate General Technology Trends for IG Implications

Incorporate Information Governance Requirements to IT Procurement Process

Assess and Analyze IT Goals

Review Back Up Strategy

Review Technology Outsourcing Strategy

Review Implications with Stakeholders in Accordance with IG Framework

Incorporate Information Governance Requirements to IT Development Process

Collaborate with IT to Develop Strategy to Incorporate Information Governance Requirements Into Existing Systems

Review Disaster Recovery Strategy

Review Content Retention & Disposition Strategy

Review Technology Trends Specific to IG in the Markets (e.g., Record/Content Management, Applications, Developing Standards, Data Discovery, Storage, New Data Formats)

Incorporate Information Governance Requirements Into System Requirement and Data Migration Processes

Collaborate with IT to Incorporate IG Requirements Into Legacy Systems

Review Privacy Strategy

Review Digital Preservation Plans*

Participate in the Evaluation of IG Specific Technologies

Incorporate Information Governance Requirements to Decommissioning Process

Collaborate with IT to assist in System Upgrade and Replacement Strategy

Review Information Mobility Strategy

*= To Ensure Data Quality Through Integration of New Technologies to Enhance Business Operations (e.g., Master Data Management, Metadata Management)

Review IG Specific Technologies with Stakeholders in Accordance with IG Framework

Review Information Storage Practices (hard copy, digital, microforms)

Review Use of Vendors and Outsourcing

Page 20: ACEDS Information Governance Webcast 3-11-15

References

• Sailing in Dangerous Waters – A Director’s Guide to Data Governance (Michael Power & Roland Trope)
• Information Governance – Concepts, Strategies & Best Practices (Robert Smallwood)
• Chucking the Daisies (Randolph Kahn)
• ARMA International – IG DACUM Chart
• The Sedona Conference – WWW.TheSedonaConference.com
• EDRM.net
• ARMA.org
• AIIM.org

Page 21: ACEDS Information Governance Webcast 3-11-15

Thank You!

Diane E. Walker, CRM, CMC