Information Governance Is


Over the last few weeks some pretty bright minds have been talking / writing about what Information Governance (IG) is and isn’t. Unfortunately, I couldn’t find the restraint to stay out of it. To get some of the background of what’s been going on, read a few posts from these guys (I don’t always agree with them, but I do have a great deal of respect for them and their smarts):

There’s also been a bit of a conversation going on on Twitter involving the folks mentioned above, along with Jeffrey Lewis, Ron Layel, Ron Miller, Bryant Duhon, et moi. Had I been prescient I would have captured / saved the stream and included it here. Oh well.

First things first … the definition of Information Governance I use is the one I wrote: “Information governance is all the rules, regulations, legislation, standards, and policies with which organizations need to comply when they create, share, and use information.

The thing to remember about IG is that it’s really about policies that put constraints and roadblocks in the way of working with information.  Implementing the policies, via procedures, is where value gets added; using the right technologies helps take the burden off of people. Information Governance without appropriate procedures and tools is just not going to work. Don’t even bother to try.

I am definitely in the camp with those who view IG as an overarching thing that covers a vast array of disciplines that determine every aspect of managing, using, storing, sharing, and disposing of information. And therein lies the problem with IG; it is too broad to be of real interest to any single executive in the C-suite, unless that executive’s job is IG and only IG. That said, oversight for IG has to be centralized in order to be effective on a broad scale, and it has to be centralized in a manner that allows no bias.

Putting oversight for IG in the hands of the CMO, the CIO, the CLO, or anyone else in the C-suite, assuming they actually wanted the job, would likely end up biasing IG towards a specific agenda. IG implemented has to be good for the overall business. Granted, there are various drivers, but those drivers cannot be used as justification to sacrifice or jeopardize other business concerns. Does that mean we need a new title in the C-suite? Maybe, maybe not. Personally, I’d like to see the CIO role redefined on a global basis to be the information equivalent of the CFO and let the various disciplines report into it.

If an organization is a litigation magnet for sure that organization needs to do whatever is necessary to reduce the risk and the burden. But it can’t be done in a way that compromises business effectiveness of other parts of the organization. The policies need to be implemented via procedures and tools that support the business moving forward. There is no legitimate reason that one cannot implement litigation risk mitigation that also benefits the rest of the organization. The immediate need may be related to litigation, but the long play has to be holistic. By the same token, getting field manuals to engineers cannot expose the organization to unnecessary risk or exposure.

During the past few weeks there was also talk about splitting out Information Governance and Information Management. The short version is that governance is the policies and management is the procedures. I don’t think that there’s anything wrong with splitting things out like that, but does it make a huge difference when trying to convince clients or execs about the need for governance? I’ve been guilty of using the terms interchangeably, but I’ve made progress so I don’t care. The fact is some of my clients get the shakes when I mention IG, but they’re cool when we talk about IM. The end result is the same except that I have not “educated” the client about the right terminology. Again, who cares? My clients don’t hire me to teach them the right terminology so that they can sound hip when having beverages with the IG illuminati; they hire me to solve problems or leverage information better.

I really like Barclay’s sentiment: it doesn’t matter what you call it as long as the concepts are understood and progress is being made. Ultimately, that’s the bottom line.

We can bang on all we want about IG vs IM or whatever, and continue to struggle to get buy in and move things forward. Or, we can compromise our principles a little (it’s not like it’ll matter in the long run anyways) and focus on telling clients, sponsors, and executives what they need to hear in a way they understand, are comfortable with, and ultimately buy into. As long as I do right by my clients, I personally don’t care whether we call it IG or IM. We can have the philosophical conversations next time we’re gathered at some conference and it’s only us nerds talking.

During the Twitter conversation, Ron Layel asked me if I thought that information is the currency of business. I don’t think so. If an organization has a bunch of cash sitting in the bank, idle, the cash doesn’t expose the organization to risk, and it appreciates in value. If information is just sitting around, it potentially causes risk, and has no value. Information accumulates, morphs, and transmogrifies too fluidly to really be considered currency. To be sure, businesses couldn’t run without information or currency, but unlike information you can fake currency (think about letters of credit, loans, debentures, IPO’s, etc.).

One last little point … peeve, actually … there are vendors out there (hardware, software, services, associations) that tout themselves as Information Governance vendors. They’re not. They may solve portions of what IG is, but they don’t do it all.

When Information Becomes a Liability


A while back I wrote a couple of posts (one and two) about attempting to value information as an asset, carried on the balance sheet. I took a very accounting oriented approach, and I think I’ve made some progress. This post follows, after a fashion, those two previous posts.

During my session (here’s a link to the deck) at the 2014 AIIM conference, someone from the middle of the room respectfully disagreed that information is always an asset. My response at the time was that information is always an asset and that you need to set up a contra account to offset any of the negatives that can happen. For example, a contra account for Accounts Receivable would be Allowance for Bad Debts. You can read more about contra accounts here, on Investopedia.

What I should have said was …

When information reaches the stage where it can harm you, let’s say in litigation, you need to create a contingent liability account in order to capture how much (in dollar terms) you anticipate the exposure to be. Now, I’m not an accountant, but from what I can find out an asset cannot be transformed into a liability (please correct me if I’m wrong). However, assets that expose organizations to financial risk, can be accounted for by using contingent liability accounts. You can read more about contingent liabilities on Investopedia.

The other thing I should have said was that organizations need to evaluate the value:risk ratio of their information periodically. It’s absolutely true that certain types of information don’t age well and expose organizations to risk that is greater than the information’s value. At this point an organization needs to determine whether they will dispose of the information (legally) or commit additional resources to mitigating the risk, in whatever manner is most appropriate (doing nothing is not an option).

So, to the gentleman in the middle of the room; Thank you. Your comments forced me to dig a bit and learn something.

For those of you interested, here’s the presentation to which I am referring …

My Reaction – Laptop Stolen – 620K Patient Records Compromised


Last week a story was reported in the news about a stolen laptop. The laptop contained patient information for more than 620,000 Albertans. This is my response to the situation. It’s far less ranty than what was in my head before I started typing.

Last night I wrote a letter to the Alberta Privacy Commissioner (Jill Clayton), the Alberta Minister for Health (Fred Horne), and Medicentres (hope it gets to Dr. Arif Bhimji). I would have included the consultant, but he/she was simply identified as “IT Consultant”. I did copy the letter to CTV News (where I first read the story) and the Edmonton Journal.

The following links are to the stories on the CTV News site.

I’ll update this post if I hear anything from anyone involved.

http://edmonton.ctvnews.ca/laptop-containing-health-information-for-thousands-stolen-province-seeking-investigation-1.1651500

http://edmonton.ctvnews.ca/privacy-commissioner-frustrated-after-laptop-with-personal-information-stolen-1.1653696

This is a bonus story – http://edmonton.ctvnews.ca/patient-information-stolen-from-covenant-health-1.1656104#commentsForm-478263

Note to Medicentres – Please direct this to Dr. Arif Bhimji

I’m writing to you in regard to the theft of a laptop containing health information of approximately 620,000 Albertans.

My name is Chris Walker. I’m an Albertan whose health information may have been compromised by the above mentioned theft (I visited the St. Albert Medicentre in 2011 or 2012). I am also a consultant who specializes in Information Management and Governance.

First of all, I don’t understand why a consultant would be allowed to store personal information on his/her laptop and then leave the building with it. I’ve been a consultant for more than 25 years and have never had the need to store personal or sensitive information on a non-client controlled device, and I have never removed such information from client premises. During my career I’ve dealt with information from banks, pharmaceutical companies, provincial ministries, federal governments, municipal governments, etc. During many of those engagements I’ve had occasion to deal with extremely sensitive information. In all cases the information was stored and secured on client servers, or it was masked / redacted / sanitized before I even saw it. In the rare cases where I needed to access real information, it was always by using client hardware.

To the Consultant – I’d love to know what you were working on that you thought you needed to store live patient data on your laptop. I’d also love to know whether you were at Medicentre as an independent contractor or you were working on behalf of one of the System Integration firms. In either case, I’d love to know who you are so that, in case our paths cross, I can either educate you on how to properly handle sensitive information or make sure you’re never involved on any project that I am associated with.

To Dr. Bhimji – You need to go through those records and inform every one of the affected Albertans. Don’t put the onus on us to find out if we’ve been compromised. Be responsible and do the right thing. The fact is, as soon as you were aware of the theft you should have started identifying affected individuals and begun informing them of the situation. As it is, enough time has passed that damage may already have been done.

The complete lack of mention about the breach on your (Medicentres) website does not provide me with the sense that Medicentres is giving this matter the due it requires. That’s just my opinion as an Albertan, one of your patients, and as someone that makes a living by advising organizations about the proper management and handling of information.

That you’ve made some policy adjustments is great, however, how is that going to help any of us if our information’s been compromised? You really ought to have done something ages ago. For what it’s worth, you may also want to consider not giving access to live data to anyone that doesn’t absolutely need it to do their job. If you need some help sorting this out let me know; I’d be happy to help.

To Minister Horne – I agree that changes to legislation need to happen. I don’t think that you need to wait until the Privacy Commissioner releases her report to get started. To be frank, many changes to operating policies and procedures for managing information can be made without changing legislation at all; think of them as preventative measures.

Enacting new legislation for dealing with breaches is necessary since we’ll never have 100% security as far as sensitive information is concerned, but we also need to focus on preventing security breaches in the first place. Effective controls are far more cost effective than trying to clean up the potential messes that would occur once a breach happened.

To Commissioner Clayton – I don’t envy your position. I trust that you wanted to do the right thing, but were hampered by legislation. I hope that your investigation into this matter is fast-tracked. I encourage you to make the results of the investigation public; we have a right to know.

To All of You – I strongly suggest that you get involved with professional organizations such as AIIM (Global Community of Information Professionals) and ARMA (Association of Records Managers and Administrators). Both of these organizations are focused on managing, governing, and securing information. There are also organizations that deal specifically with information security and privacy. With the resources available to us today and with what we know about managing information, there’s just no excuse for what happened.

As someone whose information may have been compromised, I am angry. As someone who consults on Information Management and Governance, I’m incredulous that this happened considering how easy it is to prevent this type of thing. While the theft was a criminal, deliberate act, the presence of patient information on the stolen laptop was nothing more than negligence.

Sincerely,

Chris Walker

Update January 29, 2014 …

Much to my surprise, I did hear from Dr. Bhimji of Medicentres. Below is an excerpt from the email he sent last night. I’m happy to note that there is now mention of the privacy breach on Medicentres home page.

I can advise that we reported the breach to the Privacy Commissioner and have worked closely with them.  The Commissioner approved the form and wording of the notification.  

 The website is updated regularly and the information is found under the patient tab and has been present there since the announcement.  I have asked the operations people to consider putting some information on the main landing page.

 Patients have been advised about what measures they can take to determine if there have been any intrusions on their privacy.  This information is available on our website and also by calling our call centre if you wish more detailed information.

 

Update January 31, 2014

Heard from the Privacy Commissioner’s office that she will be making the results of the investigation and review public. – I’m very happy about this.

Heard from Medicentres’ folks that if you visited one of their clinics during the time period stated, you details are on the laptop that was stolen. We (the Medicentres person and I) both speculated that the theft was for the laptop, not the data, but we could be wrong.

PHIGs take Phlyte – AIIM Conference Preview


Eat Your PHIGs

As some of you may already know, I will be speaking about the Principles of Holistic Information Governance at the AIIM Conference in Orlando (my session is at 2pm on April 3). Here’s a brief preview of what I’ll be talking about.

This is a little story about how the Principles of Holistic Information Governance (the PHIGs) were leveraged to turn a pure Records Management project into something the entire organization, and its stakeholders, could benefit from.

I was approached by a partner to help them out on a project they are working on for a public transportation company. Their project is to put together a new web communication and presence strategy, and to implement it. Where they asked me to help out is on developing a Records Management strategy. The two projects were to be separate from each other since the RM project was really to fill in some gaps in the client being compliant with legislation and in helping them to respond to Freedom of Information (FOI) requests. There was no thought given to integrating the two projects or to looking at how an holistic approach could benefit the entire organization and its stakeholders.

As all good analysts and consultants do, I started gathering as much information about the organization and the projects as I could. The two critical documents that I had access to were the Web Communication project strategy (summary and detailed) and the organization’s 20 year strategic plan and roadmap.

There were obvious tie-ins to linking the RM project and the Web project, but selling them to the organization wasn’t easy as they just didn’t care all that much. They were happy to go forward with identifying what was a record, and subject to FOI, then just firing that content into their RM tool (which they don’t have yet). The real clincher to getting the organization to accept a PHIGged approach was the long term strategic plan. In the plan were articulated six values and five major objectives.

Values

  1. Safety
  2. Customer Service
  3. Sustainability
  4. Integrity
  5. Innovation
  6. Collaboration

All six of the values can be directly supported by information, provided it’s properly governed and managed, from cradle to grave.

Major Objectives

  1. Develop Financial Sustainability
  2. Support and Shape Livable Communities
  3. Change the Perception of Transit
  4. Deliver Operational Excellence
  5. Strengthen our People and Partnerships

Like the values, the objectives will benefit from taking an holistic view of how information lives in the organization.

One of the other things that I did was to review the RM strategy document I was provided and link those objectives to the objectives in the Web Communication strategy and the long term strategy.   It’s both funny and sad that folks get so focused on their own view of the world that they don’t see the bigger picture. The RM strategy probably had 85% of what was needed for an organization wide (I’m trying not to use the word “enterprise” too much) information management strategy.

From a technology point of view there will be many different tools used to provide the solutions that the organization will, over time, implement. But, they’ll be underpinned by the PHIGs. The PHIGs are there to help organizations take a look at how and why information exists and affects all relevant stakeholders.  The PHIGs aren’t about technology; they’re about business and doing it better by understanding what you need from information.

By reordering and rewording some of the RM strategy objectives, and adding a couple of new ones, we were able to change the focus from an RM project that would provide very limited benefits, to an organization-wide information management program that will benefit all stakeholders. Of course it’ll take longer to get to the end, but at least the client has taken the first step and realized the importance of information to the proper running of the business.

Below is the presentation from my session at the AIIM 2014 conference …

I Think I Can – Valuing Information Pt 2


Some weeks ago (2013-10-7 to be exact) I posted this about trying to assign value to information. Thanks to the discussions the post generated on Linkedin and on this blog I realised I was approaching the issue from the wrong angle.  Doug Laney (of Gartner & the Center for Infonomics) and Juerg Hagmann (of itopia) get special mentions for really steering me in the right direction.

Let me start by saying that I completely disavow whatever it was I said in the closing paragraph of my previous post on this topic.

The mistake I made was that I was looking at the issue from an Information Management point of view. I really should have stepped back 20+ years in my career and applied an accounting thought process. I think we’re all pretty much agreed that information is an asset; if that’s the case then the real challenge lies in determining which class of assets information belongs to. The challenge is complicated because:

a)       Not all information is used the same way;

b)       Some information can fall into multiple classes;

c)       Information is not depleted as it’s consumed (retention/disposition adds a different layer of complexity);

d)       It could be argued that, for some types of information, value increases with time unlike more “traditional” assets whose value depreciates;

e)       Some of the future economic benefit may actually be the avoidance of future economic sanctions or penalties.

For those of you not familiar with what an asset is (the accounting version):

  • It’s a resource (may or may not be tangible) that is under the organization’s control or ownership;
  • It’s a resource that will provide future economic benefit;
  • Assets are carried on the Balance Sheet, not the Income Statement;
  • Quoted from the IFRS Framework “An asset is a resource controlled by the enterprise as a result of past events and from which future economic benefits are expected to flow to the enterprise.”

Some responses to the original post posited that information only has value if it’s being used. Uhm, no.

Whether it’s being used or not information has value. Think about earth moving equipment; whether it’s sitting idle or grading a road it still has value. The value of the asset is based upon acquisition costs and future or potential economic value, not actual economic value. Information that’s not being used is not valued at zero; it is merely an asset that isn’t currently generating any economic benefit. If people really thought that then why are they loathe to toss out all those documents they’ve been hoarding for years but haven’t looked at (Ha!!! I got you, you information hoarders). Prior year budgets, completed contracts, old operating procedures, paid invoices, etc. all have potential future economic benefit. That’s why we keep them. They also have potential benefit to our foes if they contain a “smoking gun” which is why we ought to dispose of them as soon as we are legally able and are certain that they provide no positive benefit to us.

Assigning value to information is possible, but it requires understanding how the information was acquired and how it’s going to be used. You can’t use the same metrics and methods for a purchased subscriber list destined for telemarketing as you would for HR policies developed by internal resources.

I tell my clients to focus on high value, high risk information, but without understanding the acquisition and intended use of the information, there’s no real way to determine which information is high value and/or high risk.

Help Wanted – Testing a Survey


I am putting together a survey for an upcoming project and I need your help. I am testing two things: 1) whether or not PollDaddy is a reasonable tool to use, and; B) the survey. You can send feedback via the survey (last question), via this blog post, or directly to me via email (walkerchrisp@gmail.com). Please feel free to pass this on. Depending on the responses received, I may use the results to come up with a clever hypothesis, or not.

The project, as originally defined by the client, is to develop a records management strategy. However, between the client and I we’ve redefined the project to encompass all information and support corporate objectives (I’ve actually read and understood their corp strategy docs). The current phase is to document the current state of records and information management, come up with a target state, and develop an implementation roadmap to get from here to there.

The intended audience for the survey is the entire organization (they’re not really that huge). Survey completion will be mandatory for all directors and above, for everyone else it is optional. My point with doing this survey is to have information that is directly applicable to the client, rather than relying on industry or generic information.

The survey http://christianpwalker.polldaddy.com/s/records-information-management-what-you-know-what-you-think

 

Random Graph

I Can’t, Can You? Valuing Information


NB: I’m using “information” in an all-encompassing context in this post so that I don’t have to differentiate between data, content, and information.

Information is a tool; no one buys a tool for the sake of the tool. People buy tools for what can be produced with them. Information has inherent value that can’t always be consistently, reliably, and definitively quantified.

On September 26, 2013 I participated in a Tweetchat moderated by AIIM’s intrepid community manager, Bryant Duhon. Bryant managed to wrangle up a bunch of us to discuss the value of information; you can read the unedited wrap up here. Participants were a bunch of smart people that I highly recommend following on Twitter (you can get to them via the wrap up link).

We were supposed to be chatting about various aspects of the value of information. What became abundantly clear, really quickly, was that this is no easy task. Most of what was said was more about the cost of information (cost of creation/acquisition, cost of lost info, cost of unsecure info, etc.). We all agreed that information is an asset, but how do you assign a dollar value to it?

There was mention of things like increased productivity as a result of systems deployed. However, even that does not quantify the value of the information itself. On the other hand, it`s fairly obvious that information that can`t be accessed has, at best, zero value. At worst it has a negative value (or value to your competitors) because it’ll be used against you.

For a couple of days after the Tweetchat I was thinking about how I would go about assigning value to information. What really struck me is that the value of information is not fixed. Whether it’s financial statements, my resume, a maintenance handbook, marketing brochures, etc., they have no value until something is done to achieve an outcome. Even then, the value wouldn`t necessarily be the same for all stakeholders.

My resume is a tool that gets me a job; is the value of the resume the same to me as it is to my employer? What about to the head hunter that effected the hiring? My resume has potential value. In order to realize the value something needs to be done with or to it.

Corporate financial statements have a different value depending on who is reading them, and for what purpose. Even as the issuing organization, the value changes depending on the purpose. In one case the value of the financials is in avoiding sanctions for failure to file and meet regulatory obligations, in another the value is in the amount of investment to be had from potential investors.

When we (vendors, systems integrators, consultants) talk to clients and prospects about solutions, ROI, and information’s value, we’re not talking about changing the inherent value of information; we’re talking about using, handling, and controlling information. When a client of mine saved $250K per year by changing how invoices are handled, it didn’t change the value of the invoices, it reduced the labour costs of processing the invoices.

There are definitely cases where having good information leads to good business outcomes, and we pretty much all agree that without information we’d be in deep doo-doo. But maybe our attempts at trying to assign value to information should stop at “it’s worth a lot, but we can’t always put a number on it.” Maybe information is one of those resources whose value is only quantifiable after the outcome has been determined or when we’re missing it.

Perhaps what Damian Webber said about processes applies to information as well; “processes have no value – they contribute to something that has value”. Maybe we need to start thinking of information in terms of raw material; it`s only what you do or create with it that has true, quantifiable value.

Shacking Up – IT and RIM In Love


Back in June (2013) during the ARMA Canada Regional Conference I attended a pretty good session delivered by Emily Gusba (Information Management Lead, GCDOCS Implementation at Natural Resources Canada). Emily was accompanied by Trevor Banks and Julie Colgan (ARMA Int’l President, Julie rocked as a last minute walk-on for Debra Power who is all better now). The session, titled Learning IT-ese, was about IT and RIM (Records & Information Management) having to work better, together. Essentially, the point was that RIM had to learn to speak IT.

A couple of weeks ago I had an email exchange with Charmaine Brooks of IMERGE and one of the topics that came up was … wait for it … IT and RIM needing to work better together.

Now, I’m all for IT and RIM working better together, but I don’t mean what you think they (see above) think you think they mean. Simply put, we’re not on the same page. Bear with me a bit …

IT and RIM are both service providers within their organizations, n’est pas? They serve the same clients, though they provide different but complementary services. RIM and IT also have a symbiotic (some would say parasitic, but that’s just mean) relationship with each other. The truth is that one’s not much good without the other.

RIM and IT need to join together, not to serve the purposes of RIM, but to serve the interests of the entire organization. Having RIM sit with IT to explain RIM’s wants/needs (in whatever language they choose) is, in a word, crap. IT and RIM need to approach stakeholders with a joint message; “Your stuff needs managing and governing and we’re the team to do it for you.” Yes, children, RIM and IT need to get together and become a formidable team. They need to approach the cheque-writers (notice Canadian spelling, thank you) as one.

When Marketing wants to migrate from one platform to another, RIM/IT needs to be in those meetings TOGETHER. When HR wants to implement a new HRMS, IT/RIM needs to be there to make sure all that information flows correctly throughout its lifecycle.

When I talk about RIM I don’t mean the RIM we knew from the paper days; I mean what RIM can and should be in 2013 and beyond. Drop the Records reference and focus on the Information and the Management, regardless of the medium that information is created or stored in. Join with IT to become IM&T (the M comes before the T because you need the management bits before the tools) and provide your clients the information services and governance that they need. In some organizations there still is, and always will be, the need for the Records part of RIM. However, the Records function really needs to be a subsidiary of the IM&T group.

If IT provides the plumbing, and information is akin to water, then RIM performs as the treatment facility. IM&T not only gets the information to you, they make sure that the information you get is clean and safe. (Sorry about the crappy analogy.)

Yes, RIM and IT need to work together, but not as two different parts of the organization. They need to join and serve the organization as a single unit. I’m not saying that RIM professionals ought to become developers or systems analysts. Nor am I advocating for IT professionals to become Records Managers or Archivists. What I am saying is that the IM&T TEAM needs to incorporate roles that address the Information Management and Governance needs as much as the Information Technology needs. Separating RIM from IT hasn’t really worked all that well after all, has it?

Big Buckets of Stuff


Over the last couple of days I’ve seen/heard some comments that Big Buckets don’t work well in Records Management. Uhm, you’re doing it wrong.

I suspect that a large part of the issue is that classification models are too granular and too tightly coupled to the retention schedule. I’ve been involved in a couple of projects where this was the case. One client understood this, made the necessary adjustments, and achieved success. The other client … held steadfastly to granular, overly complex schedules and models, and is only now (4+ years later) re-examining their original plan.

You wanna make big buckets work? Here’s some simple stuff you need to do:

  • Simple, function based classification models;
  • Uncouple classification from retention;
  • Automate & hide RM tasks from users (they know what they’re working on and don’t give a rat’s ass about RM – I know, hard to believe);
  • Classify on capture/creation;
  • Check out the cool diagram;
  • Review periodically.

Note: During a Google Hangout yesterday (featuring @cawprhyd, @tchernik, @lllivingston, and some others whose twitter id’s I don’t have handy) the subject of disposition reviews for automated disposition came up. My position is pretty simple – you don’t need them. Sort of. If you assume that classification and retention have been agreed prior to implementation, and that content is classified up front, there is no need to review. Of course, this works only on a day forward basis and requires that whatever tools you have in place can do the legal hold and suspend disposition processing / time clock when needed. You really should follow the twitterers that I’ve id’d here – they’re pretty smart.

BigBuckets0001

Book of PHIGs – Introduction Draft


A while back I mentioned that I was going to try to write a book. Well, I’ve started it at last. Between losing my job and spending time at the cabin I’ve not really been motivated or focused. I’ve been spending my time looking for work, but also enjoying rural life at my cabin. I have also found that this writing thing is a lot harder than it looks. Anyways, here’s a draft of the introduction to my as yet untitled book of PHIGs. Let me know what you think.

I used to think that people were an organization’s most important resource, but I don’t think that’s the case any longer. You see, some things have changed over the years: 1) Organizations put more time and effort into making sure they have the right information than whether or not they have the right people; 2) Missing key information causes more consternation than when a key person is missing (vacation, prison, dead, etc.); 3) Organizations will happily jettison people they think are no longer required, but hold on to useless information for eternity; 4) Organizations don’t pay the people that manage information nearly enough.

If a person unexpectedly leaves their job the organization copes and moves on. If key information vanishes right before a planning cycle … different story. So why do organizations suck so bad at managing information like the asset it is? I don’t know and I’m not going to try to figure it out. This book is more about helping organizations stop sucking at managing information. As for better pay for information management people … fight your own battles people.

What is Information Governance?

Information governance is all the rules, regulations, legislation, standards, and policies with which we need to comply when we create, share, and use information. Governance is mandated internally and externally. Done correctly (i.e.: holistically), information governance allows organizations to conduct business better and meet all their information related obligations while minimizing risk. Done incorrectly (i.e.: in a silo’d manner), information governance may help organizations met obligations and reduce risk, but business efficiency is sacrificed.

Why do Information Governance?

We can find everything we have, we just don’t know if we have everything we’re supposed to find.

The above was a statement made by a director at my first ever Enterprise Content Management gig in 2006. Back then I don’t think the idea of Information Governance (IG) went far beyond IT security and perhaps Service Level Agreement (SLA) management. Even today, IG is not really thought of in an holistic way, applied to managing all aspects of an organization’s information assets.

In order to make the most effective and efficient use of information, it needs to be properly managed and governed from cradle (creation / capture) to grave (destruction / archiving). Holistic information governance makes organizations info-efficient by providing the means to keep what’s needed and legally dispose of what’s no longer necessary. Holistic information governance results in faster, better decisions, reduced information related risks, reduced ediscovery costs, and reduced information storage costs.

Principles of Holistic Information Governance

The first thing you need to understand as you read the PHIGs is that no distinction is drawn between records and non-records. From a business execution perspective the difference is irrelevant, from an evidentiary perspective it’s minimal since any information you have can be used against you in proceedings.

Whether the information is structured, semi-structured, or unstructured (there`s no such thing) makes no difference. Format and storage location are similarly unimportant to the PHIGs, as are the devices (personal or corporate) used to create or edit the information. The only thing that matters is whether or not the information is needed by the organization to either conduct business or meet obligations.

The PHIGs are really based on understanding how an organization uses information to conduct business. Understanding has to happen at the micro (department, process) level and at the macro level to be truly useful. Not all information is equal for all organizational stakeholders; therefore it cannot be governed the same way across the entire organization.

The PHIGs are not an information approach to information governance; they are a business approach to information governance. The intent of the PHIGs is to help organizations analyze their information assets and apply the right level of governance based on how the information is used / needed to conduct business.

Images Preview

Accountable RiskCoverImage RiskQuadrant PHIGsandPrinciples

Holy PHIG I’m Writing a Book


By now all of you (yeah, right) have read my Principles of Holistic Information Governance (PHIGs) post, viewed the slide deck, and some of you attended the presentation I gave in Calgary. Based partly on the popularity of PHIGs, but mostly on my belief that they cover an important business and information management topic, I have decided to attempt to write a book based on PHIGs.

I’m not sure at this point whether it’s going to be tome-like or Cole’s Note-ish (bet on the latter ‘cause I’m kinda a lazy writer) or what the final format will be. I do know that it’s going to be written based on my consulting experience. I also know that my goal is to get people thinking about information and what it really means to their organizations. It may or may not include anecdotes from previous projects, but it will include (I hope) practical stuff that can be used.

Why am I telling you about this? Well, Bryant Duhon of AIIM told me to, and he knows a butt-load more about this writing stuff than I do, so I am taking his advice. Also, I wanna generate “buzzzzzzzzz” and get you excited. Probably the most important reason I am doing this (the blog post) is because I’d love to get your input into the book. I figure you’re the audience (paying, I hope) so you ought to have some say as to what goes into it.

So let me know what you think and what you’d like to see in the book and I’ll occasionally update how things are moving along. I’m looking forward to this thing, I hope you are too.

One last thing … I have no timeline for this book; it’ll be ready when it’s ready.

This may be the shortest post I’ve ever written.

%d bloggers like this: