I just spent the last few days (May 25th – 27th) at the ARMA Canada conference in Calgary. As you’d expect it was great to get together with people that I typically only engage with online. But that’s not the reason I go through the effort and expense of attending. I come to this and other conferences to learn and see what’s new, and maybe make some new connections (that whole networking thing). Unless there’s something really compelling (there wasn’t, for me) I do much of my learning on the trade show floor rather than by attending sessions. I try to figure out what’s new, innovative, and exciting by talking to the vendors and attendees.
- What’s new? Other than RSD’s first appearance (I think) at ARMA Canada, nothing really.
- What’s innovative? Nothing really.
- What’s exciting? Nothing really.
The problem seems to be that the Records Management community is not evolving with the times. Sure, they say “information governance”, but I’m not convinced they know what it means or what the implications are. They talk about social media, but do they use it (there was actually a session during which they were taught to tweet). They talk about cloud but then do nothing about it other than give in to the boogie man prognostications. Shit! Even the younger RM folks are sounding like the older ones who are close to retiring.
Based on what I saw and heard at the conference, I hold no optimism that the state of Records and Information Management will join the 21st century any time soon. RIM professionals are complaining about not being given the dues and respect they deserve (and they DO deserve it) but they have to take it, not wait for it to be handed out. ARMA Canada as an association is not helping. They’ve had pretty much the same content, speakers, and vendors since I went to my first conference in 2008. Yes, the names have changed, but you know what I mean.
I’m not sure how, but ARMA Canada needs to freshen things up a bit. Dump the vendors that do nothing but SharePoint stuff or physical records management; that stuff hasn’t changed since the shelf was invented. Attract vendors that represent the new way of doing business and are influencing and enabling digital transformation of business. Solicit speakers that want to do more than talk about how to build another functional file plan or how to implement an ECM platform. ARMA Canada needs a slate of speakers and vendors that represent a balance of what today’s realities are, and what the very near future will hold for managing information.
I’ll wait until I see what the agenda for next year’s conference is, but if it’s pretty much like this year’s this is likely my last ARMA Canada conference for a while. And if things don’t change fast, the RIM profession will be further marginalized, and I’ll likely contribute to the further marginalization; not because we dislike RIM and RIM professionals, but because the rest of us have to move forward to succeed.
Just to add a little positivity …
Over dinner with a friend of mine I got a good look at Oracle’s Document Cloud (I think that’s the name). It’s Oracle’s offering to the EFSS (I HATE that name) market. It’s really, really slick. The version I saw (not sure if it’s generally available yet) looks as easy to use as Box (which is what I use for my business). I know a couple of things about where Oracle is going with it, but not a ton. One thing that I do really like about it is that it sits on top of Oracle Web Center Content so all the security, metadata, workflow, and retention are taken care of. By the way, for those of you who care; Oracle’s Web Center Content is likely the best kept secret amongst ECM platforms. It’s a secret because Oracle really sucks at marketing it.
Image taken from http://www.a-tips-of-life.com/tag/awake/
Over the last few weeks some pretty bright minds have been talking / writing about what Information Governance (IG) is and isn’t. Unfortunately, I couldn’t find the restraint to stay out of it. To get some of the background of what’s been going on, read a few posts from these guys (I don’t always agree with them, but I do have a great deal of respect for them and their smarts):
- George Parapadakis (this, this, and this)
- Barclay Blair (this one and this one)
- Laurence Hart (this one and this one and this one, too)
There’s also been a bit of a conversation going on on Twitter involving the folks mentioned above, along with Jeffrey Lewis, Ron Layel, Ron Miller, Bryant Duhon, et moi. Had I been prescient I would have captured / saved the stream and included it here. Oh well.
First things first … the definition of Information Governance I use is the one I wrote: “Information governance is all the rules, regulations, legislation, standards, and policies with which organizations need to comply when they create, share, and use information.”
The thing to remember about IG is that it’s really about policies that put constraints and roadblocks in the way of working with information. Implementing the policies, via procedures, is where value gets added; using the right technologies helps take the burden off of people. Information Governance without appropriate procedures and tools is just not going to work. Don’t even bother to try.
I am definitely in the camp with those who view IG as an overarching thing that covers a vast array of disciplines that determine every aspect of managing, using, storing, sharing, and disposing of information. And therein lies the problem with IG; it is too broad to be of real interest to any single executive in the C-suite, unless that executive’s job is IG and only IG. That said, oversight for IG has to be centralized in order to be effective on a broad scale, and it has to be centralized in a manner that allows no bias.
Putting oversight for IG in the hands of the CMO, the CIO, the CLO, or anyone else in the C-suite, assuming they actually wanted the job, would likely end up biasing IG towards a specific agenda. IG implemented has to be good for the overall business. Granted, there are various drivers, but those drivers cannot be used as justification to sacrifice or jeopardize other business concerns. Does that mean we need a new title in the C-suite? Maybe, maybe not. Personally, I’d like to see the CIO role redefined on a global basis to be the information equivalent of the CFO and let the various disciplines report into it.
If an organization is a litigation magnet for sure that organization needs to do whatever is necessary to reduce the risk and the burden. But it can’t be done in a way that compromises business effectiveness of other parts of the organization. The policies need to be implemented via procedures and tools that support the business moving forward. There is no legitimate reason that one cannot implement litigation risk mitigation that also benefits the rest of the organization. The immediate need may be related to litigation, but the long play has to be holistic. By the same token, getting field manuals to engineers cannot expose the organization to unnecessary risk or exposure.
During the past few weeks there was also talk about splitting out Information Governance and Information Management. The short version is that governance is the policies and management is the procedures. I don’t think that there’s anything wrong with splitting things out like that, but does it make a huge difference when trying to convince clients or execs about the need for governance? I’ve been guilty of using the terms interchangeably, but I’ve made progress so I don’t care. The fact is some of my clients get the shakes when I mention IG, but they’re cool when we talk about IM. The end result is the same except that I have not “educated” the client about the right terminology. Again, who cares? My clients don’t hire me to teach them the right terminology so that they can sound hip when having beverages with the IG illuminati; they hire me to solve problems or leverage information better.
I really like Barclay’s sentiment: it doesn’t matter what you call it as long as the concepts are understood and progress is being made. Ultimately, that’s the bottom line.
We can bang on all we want about IG vs IM or whatever, and continue to struggle to get buy in and move things forward. Or, we can compromise our principles a little (it’s not like it’ll matter in the long run anyways) and focus on telling clients, sponsors, and executives what they need to hear in a way they understand, are comfortable with, and ultimately buy into. As long as I do right by my clients, I personally don’t care whether we call it IG or IM. We can have the philosophical conversations next time we’re gathered at some conference and it’s only us nerds talking.
During the Twitter conversation, Ron Layel asked me if I thought that information is the currency of business. I don’t think so. If an organization has a bunch of cash sitting in the bank, idle, the cash doesn’t expose the organization to risk, and it appreciates in value. If information is just sitting around, it potentially causes risk, and has no value. Information accumulates, morphs, and transmogrifies too fluidly to really be considered currency. To be sure, businesses couldn’t run without information or currency, but unlike information you can fake currency (think about letters of credit, loans, debentures, IPO’s, etc.).
One last little point … peeve, actually … there are vendors out there (hardware, software, services, associations) that tout themselves as Information Governance vendors. They’re not. They may solve portions of what IG is, but they don’t do it all.
A while back I wrote a couple of posts (one and two) about attempting to value information as an asset, carried on the balance sheet. I took a very accounting oriented approach, and I think I’ve made some progress. This post follows, after a fashion, those two previous posts.
During my session (here’s a link to the deck) at the 2014 AIIM conference, someone from the middle of the room respectfully disagreed that information is always an asset. My response at the time was that information is always an asset and that you need to set up a contra account to offset any of the negatives that can happen. For example, a contra account for Accounts Receivable would be Allowance for Bad Debts. You can read more about contra accounts here, on Investopedia.
What I should have said was …
When information reaches the stage where it can harm you, let’s say in litigation, you need to create a contingent liability account in order to capture how much (in dollar terms) you anticipate the exposure to be. Now, I’m not an accountant, but from what I can find out an asset cannot be transformed into a liability (please correct me if I’m wrong). However, assets that expose organizations to financial risk, can be accounted for by using contingent liability accounts. You can read more about contingent liabilities on Investopedia.
The other thing I should have said was that organizations need to evaluate the value:risk ratio of their information periodically. It’s absolutely true that certain types of information don’t age well and expose organizations to risk that is greater than the information’s value. At this point an organization needs to determine whether they will dispose of the information (legally) or commit additional resources to mitigating the risk, in whatever manner is most appropriate (doing nothing is not an option).
So, to the gentleman in the middle of the room; Thank you. Your comments forced me to dig a bit and learn something.
For those of you interested, here’s the presentation to which I am referring …
As some of you may already know, I will be speaking about the Principles of Holistic Information Governance at the AIIM Conference in Orlando (my session is at 2pm on April 3). Here’s a brief preview of what I’ll be talking about.
This is a little story about how the Principles of Holistic Information Governance (the PHIGs) were leveraged to turn a pure Records Management project into something the entire organization, and its stakeholders, could benefit from.
I was approached by a partner to help them out on a project they are working on for a public transportation company. Their project is to put together a new web communication and presence strategy, and to implement it. Where they asked me to help out is on developing a Records Management strategy. The two projects were to be separate from each other since the RM project was really to fill in some gaps in the client being compliant with legislation and in helping them to respond to Freedom of Information (FOI) requests. There was no thought given to integrating the two projects or to looking at how an holistic approach could benefit the entire organization and its stakeholders.
As all good analysts and consultants do, I started gathering as much information about the organization and the projects as I could. The two critical documents that I had access to were the Web Communication project strategy (summary and detailed) and the organization’s 20 year strategic plan and roadmap.
There were obvious tie-ins to linking the RM project and the Web project, but selling them to the organization wasn’t easy as they just didn’t care all that much. They were happy to go forward with identifying what was a record, and subject to FOI, then just firing that content into their RM tool (which they don’t have yet). The real clincher to getting the organization to accept a PHIGged approach was the long term strategic plan. In the plan were articulated six values and five major objectives.
- Customer Service
All six of the values can be directly supported by information, provided it’s properly governed and managed, from cradle to grave.
- Develop Financial Sustainability
- Support and Shape Livable Communities
- Change the Perception of Transit
- Deliver Operational Excellence
- Strengthen our People and Partnerships
Like the values, the objectives will benefit from taking an holistic view of how information lives in the organization.
One of the other things that I did was to review the RM strategy document I was provided and link those objectives to the objectives in the Web Communication strategy and the long term strategy. It’s both funny and sad that folks get so focused on their own view of the world that they don’t see the bigger picture. The RM strategy probably had 85% of what was needed for an organization wide (I’m trying not to use the word “enterprise” too much) information management strategy.
From a technology point of view there will be many different tools used to provide the solutions that the organization will, over time, implement. But, they’ll be underpinned by the PHIGs. The PHIGs are there to help organizations take a look at how and why information exists and affects all relevant stakeholders. The PHIGs aren’t about technology; they’re about business and doing it better by understanding what you need from information.
By reordering and rewording some of the RM strategy objectives, and adding a couple of new ones, we were able to change the focus from an RM project that would provide very limited benefits, to an organization-wide information management program that will benefit all stakeholders. Of course it’ll take longer to get to the end, but at least the client has taken the first step and realized the importance of information to the proper running of the business.
Below is the presentation from my session at the AIIM 2014 conference …
Some weeks ago (2013-10-7 to be exact) I posted this about trying to assign value to information. Thanks to the discussions the post generated on Linkedin and on this blog I realised I was approaching the issue from the wrong angle. Doug Laney (of Gartner & the Center for Infonomics) and Juerg Hagmann (of itopia) get special mentions for really steering me in the right direction.
Let me start by saying that I completely disavow whatever it was I said in the closing paragraph of my previous post on this topic.
The mistake I made was that I was looking at the issue from an Information Management point of view. I really should have stepped back 20+ years in my career and applied an accounting thought process. I think we’re all pretty much agreed that information is an asset; if that’s the case then the real challenge lies in determining which class of assets information belongs to. The challenge is complicated because:
a) Not all information is used the same way;
b) Some information can fall into multiple classes;
c) Information is not depleted as it’s consumed (retention/disposition adds a different layer of complexity);
d) It could be argued that, for some types of information, value increases with time unlike more “traditional” assets whose value depreciates;
e) Some of the future economic benefit may actually be the avoidance of future economic sanctions or penalties.
For those of you not familiar with what an asset is (the accounting version):
- It’s a resource (may or may not be tangible) that is under the organization’s control or ownership;
- It’s a resource that will provide future economic benefit;
- Assets are carried on the Balance Sheet, not the Income Statement;
- Quoted from the IFRS Framework “An asset is a resource controlled by the enterprise as a result of past events and from which future economic benefits are expected to flow to the enterprise.”
Some responses to the original post posited that information only has value if it’s being used. Uhm, no.
Whether it’s being used or not information has value. Think about earth moving equipment; whether it’s sitting idle or grading a road it still has value. The value of the asset is based upon acquisition costs and future or potential economic value, not actual economic value. Information that’s not being used is not valued at zero; it is merely an asset that isn’t currently generating any economic benefit. If people really thought that then why are they loathe to toss out all those documents they’ve been hoarding for years but haven’t looked at (Ha!!! I got you, you information hoarders). Prior year budgets, completed contracts, old operating procedures, paid invoices, etc. all have potential future economic benefit. That’s why we keep them. They also have potential benefit to our foes if they contain a “smoking gun” which is why we ought to dispose of them as soon as we are legally able and are certain that they provide no positive benefit to us.
Assigning value to information is possible, but it requires understanding how the information was acquired and how it’s going to be used. You can’t use the same metrics and methods for a purchased subscriber list destined for telemarketing as you would for HR policies developed by internal resources.
I tell my clients to focus on high value, high risk information, but without understanding the acquisition and intended use of the information, there’s no real way to determine which information is high value and/or high risk.
I am putting together a survey for an upcoming project and I need your help. I am testing two things: 1) whether or not PollDaddy is a reasonable tool to use, and; B) the survey. You can send feedback via the survey (last question), via this blog post, or directly to me via email (email@example.com). Please feel free to pass this on. Depending on the responses received, I may use the results to come up with a clever hypothesis, or not.
The project, as originally defined by the client, is to develop a records management strategy. However, between the client and I we’ve redefined the project to encompass all information and support corporate objectives (I’ve actually read and understood their corp strategy docs). The current phase is to document the current state of records and information management, come up with a target state, and develop an implementation roadmap to get from here to there.
The intended audience for the survey is the entire organization (they’re not really that huge). Survey completion will be mandatory for all directors and above, for everyone else it is optional. My point with doing this survey is to have information that is directly applicable to the client, rather than relying on industry or generic information.
Back in June (2013) during the ARMA Canada Regional Conference I attended a pretty good session delivered by Emily Gusba (Information Management Lead, GCDOCS Implementation at Natural Resources Canada). Emily was accompanied by Trevor Banks and Julie Colgan (ARMA Int’l President, Julie rocked as a last minute walk-on for Debra Power who is all better now). The session, titled Learning IT-ese, was about IT and RIM (Records & Information Management) having to work better, together. Essentially, the point was that RIM had to learn to speak IT.
Now, I’m all for IT and RIM working better together, but I don’t mean what you think they (see above) think you think they mean. Simply put, we’re not on the same page. Bear with me a bit …
IT and RIM are both service providers within their organizations, n’est pas? They serve the same clients, though they provide different but complementary services. RIM and IT also have a symbiotic (some would say parasitic, but that’s just mean) relationship with each other. The truth is that one’s not much good without the other.
RIM and IT need to join together, not to serve the purposes of RIM, but to serve the interests of the entire organization. Having RIM sit with IT to explain RIM’s wants/needs (in whatever language they choose) is, in a word, crap. IT and RIM need to approach stakeholders with a joint message; “Your stuff needs managing and governing and we’re the team to do it for you.” Yes, children, RIM and IT need to get together and become a formidable team. They need to approach the cheque-writers (notice Canadian spelling, thank you) as one.
When Marketing wants to migrate from one platform to another, RIM/IT needs to be in those meetings TOGETHER. When HR wants to implement a new HRMS, IT/RIM needs to be there to make sure all that information flows correctly throughout its lifecycle.
When I talk about RIM I don’t mean the RIM we knew from the paper days; I mean what RIM can and should be in 2013 and beyond. Drop the Records reference and focus on the Information and the Management, regardless of the medium that information is created or stored in. Join with IT to become IM&T (the M comes before the T because you need the management bits before the tools) and provide your clients the information services and governance that they need. In some organizations there still is, and always will be, the need for the Records part of RIM. However, the Records function really needs to be a subsidiary of the IM&T group.
If IT provides the plumbing, and information is akin to water, then RIM performs as the treatment facility. IM&T not only gets the information to you, they make sure that the information you get is clean and safe. (Sorry about the crappy analogy.)
Yes, RIM and IT need to work together, but not as two different parts of the organization. They need to join and serve the organization as a single unit. I’m not saying that RIM professionals ought to become developers or systems analysts. Nor am I advocating for IT professionals to become Records Managers or Archivists. What I am saying is that the IM&T TEAM needs to incorporate roles that address the Information Management and Governance needs as much as the Information Technology needs. Separating RIM from IT hasn’t really worked all that well after all, has it?
Over the last couple of days I’ve seen/heard some comments that Big Buckets don’t work well in Records Management. Uhm, you’re doing it wrong.
I suspect that a large part of the issue is that classification models are too granular and too tightly coupled to the retention schedule. I’ve been involved in a couple of projects where this was the case. One client understood this, made the necessary adjustments, and achieved success. The other client … held steadfastly to granular, overly complex schedules and models, and is only now (4+ years later) re-examining their original plan.
You wanna make big buckets work? Here’s some simple stuff you need to do:
- Simple, function based classification models;
- Uncouple classification from retention;
- Automate & hide RM tasks from users (they know what they’re working on and don’t give a rat’s ass about RM – I know, hard to believe);
- Classify on capture/creation;
- Check out the cool diagram;
- Review periodically.
Note: During a Google Hangout yesterday (featuring @cawprhyd, @tchernik, @lllivingston, and some others whose twitter id’s I don’t have handy) the subject of disposition reviews for automated disposition came up. My position is pretty simple – you don’t need them. Sort of. If you assume that classification and retention have been agreed prior to implementation, and that content is classified up front, there is no need to review. Of course, this works only on a day forward basis and requires that whatever tools you have in place can do the legal hold and suspend disposition processing / time clock when needed. You really should follow the twitterers that I’ve id’d here – they’re pretty smart.
A while back I mentioned that I was going to try to write a book. Well, I’ve started it at last. Between losing my job and spending time at the cabin I’ve not really been motivated or focused. I’ve been spending my time looking for work, but also enjoying rural life at my cabin. I have also found that this writing thing is a lot harder than it looks. Anyways, here’s a draft of the introduction to my as yet untitled book of PHIGs. Let me know what you think.
I used to think that people were an organization’s most important resource, but I don’t think that’s the case any longer. You see, some things have changed over the years: 1) Organizations put more time and effort into making sure they have the right information than whether or not they have the right people; 2) Missing key information causes more consternation than when a key person is missing (vacation, prison, dead, etc.); 3) Organizations will happily jettison people they think are no longer required, but hold on to useless information for eternity; 4) Organizations don’t pay the people that manage information nearly enough.
If a person unexpectedly leaves their job the organization copes and moves on. If key information vanishes right before a planning cycle … different story. So why do organizations suck so bad at managing information like the asset it is? I don’t know and I’m not going to try to figure it out. This book is more about helping organizations stop sucking at managing information. As for better pay for information management people … fight your own battles people.
What is Information Governance?
Information governance is all the rules, regulations, legislation, standards, and policies with which we need to comply when we create, share, and use information. Governance is mandated internally and externally. Done correctly (i.e.: holistically), information governance allows organizations to conduct business better and meet all their information related obligations while minimizing risk. Done incorrectly (i.e.: in a silo’d manner), information governance may help organizations met obligations and reduce risk, but business efficiency is sacrificed.
Why do Information Governance?
“We can find everything we have, we just don’t know if we have everything we’re supposed to find.”
The above was a statement made by a director at my first ever Enterprise Content Management gig in 2006. Back then I don’t think the idea of Information Governance (IG) went far beyond IT security and perhaps Service Level Agreement (SLA) management. Even today, IG is not really thought of in an holistic way, applied to managing all aspects of an organization’s information assets.
In order to make the most effective and efficient use of information, it needs to be properly managed and governed from cradle (creation / capture) to grave (destruction / archiving). Holistic information governance makes organizations info-efficient by providing the means to keep what’s needed and legally dispose of what’s no longer necessary. Holistic information governance results in faster, better decisions, reduced information related risks, reduced ediscovery costs, and reduced information storage costs.
Principles of Holistic Information Governance
The first thing you need to understand as you read the PHIGs is that no distinction is drawn between records and non-records. From a business execution perspective the difference is irrelevant, from an evidentiary perspective it’s minimal since any information you have can be used against you in proceedings.
Whether the information is structured, semi-structured, or unstructured (there`s no such thing) makes no difference. Format and storage location are similarly unimportant to the PHIGs, as are the devices (personal or corporate) used to create or edit the information. The only thing that matters is whether or not the information is needed by the organization to either conduct business or meet obligations.
The PHIGs are really based on understanding how an organization uses information to conduct business. Understanding has to happen at the micro (department, process) level and at the macro level to be truly useful. Not all information is equal for all organizational stakeholders; therefore it cannot be governed the same way across the entire organization.
The PHIGs are not an information approach to information governance; they are a business approach to information governance. The intent of the PHIGs is to help organizations analyze their information assets and apply the right level of governance based on how the information is used / needed to conduct business.
By now all of you (yeah, right) have read my Principles of Holistic Information Governance (PHIGs) post, viewed the slide deck, and some of you attended the presentation I gave in Calgary. Based partly on the popularity of PHIGs, but mostly on my belief that they cover an important business and information management topic, I have decided to attempt to write a book based on PHIGs.
I’m not sure at this point whether it’s going to be tome-like or Cole’s Note-ish (bet on the latter ‘cause I’m kinda a lazy writer) or what the final format will be. I do know that it’s going to be written based on my consulting experience. I also know that my goal is to get people thinking about information and what it really means to their organizations. It may or may not include anecdotes from previous projects, but it will include (I hope) practical stuff that can be used.
Why am I telling you about this? Well, Bryant Duhon of AIIM told me to, and he knows a butt-load more about this writing stuff than I do, so I am taking his advice. Also, I wanna generate “buzzzzzzzzz” and get you excited. Probably the most important reason I am doing this (the blog post) is because I’d love to get your input into the book. I figure you’re the audience (paying, I hope) so you ought to have some say as to what goes into it.
So let me know what you think and what you’d like to see in the book and I’ll occasionally update how things are moving along. I’m looking forward to this thing, I hope you are too.
One last thing … I have no timeline for this book; it’ll be ready when it’s ready.
This may be the shortest post I’ve ever written.
This previous post was about the need for holism in information governance. This post brings up topics that you’ll have to deal with in defining holistic information governance. (I think I’ll refer to these as PHIGs – Principles of Holistic Information Governance). This isn’t going to be exhaustive or ultra-detailed; it’s just a list to guide where you need to pay attention.
Gartner defines information governance as the specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.
Principles of Holistic Information Governance
1 – Information is an organizational asset.
In the course of our employ we produce and receive information. It doesn’t belong to us, it belongs to our employers. As such, we need to treat it like any other corporate asset. Even if you use a personal device to produce the information, it still belongs to the organization.
Assets have acquisition costs, maintenance costs, residual value (sometimes), and get disposed of at the end of their useful lives. Tell me how this doesn’t apply to information.
If you do not understand this, stop reading and go away. There is no hope for you.
2 – Understand what you’re using information for.
How does information help you achieve strategic objectives? A government entity and a direct-to-consumer sales organization may use some of the same information, but they will use it differently and for different purposes.
Understanding what you’re using information for ought to help you understand what information you actually need.
3 – Understand where it’s coming from and where it’s going to.
Information doesn’t just magically appear; it comes from somewhere. You need to identify your internal and external information sources.
Most organizations don’t just fire information out willy-nilly. Information is intended for specific audiences, for specific purposes. You need to understand what effect your information is intended to have, and who you want/need it to effect.
4 – Understand when you need it.
The next person that says “I need this yesterday.” wins a smack in the head with a frozen mullet (the fish, not the hairstyle).
Information is needed at various points in business and decision making processes. Is real-time information really necessary or can you wait a few minutes or hours for it? Figure out when you actually need the information in order to make a decision.
5 – Understand who can and should be using it, and for what.
This is not just about security, though that’s a big piece. This is also about getting the information out to those that need it or to those that you want to influence with it. Think about it in terms of getting your message out to your target audiences.
Once the information has found its way to the audience, what are they going to do with it? Are they going to make a decision, buy something, receive a benefit…?
6 – Understand your social, regulatory, and compliance obligations.
Depending on what you do and for whom you do it, you have information related obligations. Some of these are imposed by statute, some by convention, and some are self-imposed. These obligations determine how long you must keep information, what you can do with it at the end of its life, and to whom you may or must disclose it when asked.
7 – Understand your information related risks (too much, not enough, disclosure, etc.).
If some of your information leaks, what’re the consequences and can you live with them?
If you’re overwhelmed by information how does it impact performance?
If you’re missing information can you still get stuff done?
How likely are you to be sued?
8 – Understand how stakeholders are interacting with it.
It’s not enough to know what your stakeholders are doing with information. You need to figure out how they’re doing it. It’s not enough to identify the types and locations of devices that stakeholders are using; you also need to find out if the interactions are passive or active.
9 – With few exceptions, information has a finite useful life.
Unless your information has historical/archival/archaeological value, get rid of it as soon as you can. It’s not just about the whole discovery/litigation thing; it’s also about de-cluttering and being info-efficient.
Information is a perishable good; once it’s stale or rotted, get rid of it.
10 – Make someone accountable.
Overall organizational performance, financial performance, legal, technology … they all have single-role accountability and responsibility. As, arguably, the second most important asset of an organization, information deserves at least the same level of attention as finance, IT, HR, legal, etc.
A C-level executive needs to be accountable for how information is governed and managed across the organization.
None of these ten “principles” is much good on its own; they only work as a whole. Other than the first and last, the key is to go only as deep as you need to in order to make things work for your organization. Nobody is expecting perfection; things just need to be good enough.
I’m not trying to downplay the difficulty in formulating information governance policies and procedures. However, much complexity can be avoided if common sense is applied and business objectives remain the primary focus.
PHIGs downloadable PDF
PHIGs – the new and improved slide deck …