Over the last few weeks some pretty bright minds have been talking / writing about what Information Governance (IG) is and isn’t. Unfortunately, I couldn’t find the restraint to stay out of it. To get some of the background of what’s been going on, read a few posts from these guys (I don’t always agree with them, but I do have a great deal of respect for them and their smarts):
- George Parapadakis (this, this, and this)
- Barclay Blair (this one and this one)
- Laurence Hart (this one and this one and this one, too)
There’s also been a bit of a conversation going on on Twitter involving the folks mentioned above, along with Jeffrey Lewis, Ron Layel, Ron Miller, Bryant Duhon, et moi. Had I been prescient I would have captured / saved the stream and included it here. Oh well.
First things first … the definition of Information Governance I use is the one I wrote: “Information governance is all the rules, regulations, legislation, standards, and policies with which organizations need to comply when they create, share, and use information.”
The thing to remember about IG is that it’s really about policies that put constraints and roadblocks in the way of working with information. Implementing the policies, via procedures, is where value gets added; using the right technologies helps take the burden off of people. Information Governance without appropriate procedures and tools is just not going to work. Don’t even bother to try.
I am definitely in the camp with those who view IG as an overarching thing that covers a vast array of disciplines that determine every aspect of managing, using, storing, sharing, and disposing of information. And therein lies the problem with IG; it is too broad to be of real interest to any single executive in the C-suite, unless that executive’s job is IG and only IG. That said, oversight for IG has to be centralized in order to be effective on a broad scale, and it has to be centralized in a manner that allows no bias.
Putting oversight for IG in the hands of the CMO, the CIO, the CLO, or anyone else in the C-suite, assuming they actually wanted the job, would likely end up biasing IG towards a specific agenda. IG, as implemented, has to be good for the overall business. Granted, there are various drivers, but those drivers cannot be used as justification to sacrifice or jeopardize other business concerns. Does that mean we need a new title in the C-suite? Maybe, maybe not. Personally, I’d like to see the CIO role redefined on a global basis to be the information equivalent of the CFO and let the various disciplines report into it.
If an organization is a litigation magnet, then for sure that organization needs to do whatever is necessary to reduce the risk and the burden. But it can’t be done in a way that compromises the business effectiveness of other parts of the organization. The policies need to be implemented via procedures and tools that support the business moving forward. There is no legitimate reason that one cannot implement litigation risk mitigation that also benefits the rest of the organization. The immediate need may be related to litigation, but the long play has to be holistic. By the same token, getting field manuals to engineers cannot expose the organization to unnecessary risk.
During the past few weeks there was also talk about splitting out Information Governance and Information Management. The short version is that governance is the policies and management is the procedures. I don’t think that there’s anything wrong with splitting things out like that, but does it make a huge difference when trying to convince clients or execs about the need for governance? I’ve been guilty of using the terms interchangeably, but as long as progress is being made, I don’t care. The fact is some of my clients get the shakes when I mention IG, but they’re cool when we talk about IM. The end result is the same except that I have not “educated” the client about the right terminology. Again, who cares? My clients don’t hire me to teach them the right terminology so that they can sound hip when having beverages with the IG illuminati; they hire me to solve problems or leverage information better.
I really like Barclay’s sentiment: it doesn’t matter what you call it as long as the concepts are understood and progress is being made. Ultimately, that’s the bottom line.
We can bang on all we want about IG vs IM or whatever, and continue to struggle to get buy in and move things forward. Or, we can compromise our principles a little (it’s not like it’ll matter in the long run anyways) and focus on telling clients, sponsors, and executives what they need to hear in a way they understand, are comfortable with, and ultimately buy into. As long as I do right by my clients, I personally don’t care whether we call it IG or IM. We can have the philosophical conversations next time we’re gathered at some conference and it’s only us nerds talking.
During the Twitter conversation, Ron Layel asked me if I thought that information is the currency of business. I don’t think so. If an organization has a bunch of cash sitting in the bank, idle, the cash doesn’t expose the organization to risk, and it appreciates in value. If information is just sitting around, it potentially causes risk, and has no value. Information accumulates, morphs, and transmogrifies too fluidly to really be considered currency. To be sure, businesses couldn’t run without information or currency, but unlike information you can fake currency (think about letters of credit, loans, debentures, IPO’s, etc.).
One last little point … peeve, actually … there are vendors out there (hardware, software, services, associations) that tout themselves as Information Governance vendors. They’re not. They may solve portions of what IG is, but they don’t do it all.
A while back I wrote a couple of posts (one and two) about attempting to value information as an asset, carried on the balance sheet. I took a very accounting oriented approach, and I think I’ve made some progress. This post follows, after a fashion, those two previous posts.
During my session (here’s a link to the deck) at the 2014 AIIM conference, someone from the middle of the room respectfully disagreed that information is always an asset. My response at the time was that information is always an asset and that you need to set up a contra account to offset any of the negatives that can happen. For example, a contra account for Accounts Receivable would be Allowance for Bad Debts. You can read more about contra accounts here, on Investopedia.
What I should have said was …
When information reaches the stage where it can harm you, let’s say in litigation, you need to create a contingent liability account in order to capture how much (in dollar terms) you anticipate the exposure to be. Now, I’m not an accountant, but from what I can find out an asset cannot be transformed into a liability (please correct me if I’m wrong). However, assets that expose organizations to financial risk, can be accounted for by using contingent liability accounts. You can read more about contingent liabilities on Investopedia.
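To make the contingent-liability idea concrete, here’s a toy sketch in Python. The dollar figures, account names, and the “probable and estimable” test are invented for illustration; this is a sketch of the bookkeeping logic, not accounting advice.

```python
# Hypothetical sketch: carry information as an asset, and recognize a
# contingent liability for its anticipated litigation exposure.
info_asset_value = 250_000    # estimated value of the information asset
litigation_exposure = 40_000  # anticipated exposure, in dollars
exposure_probable = True      # a contingent liability is booked only when
                              # the loss is probable and can be estimated

balance_sheet = {"assets": {"information": info_asset_value},
                 "liabilities": {}}

if exposure_probable:
    balance_sheet["liabilities"]["contingent_litigation"] = litigation_exposure

# The asset stays an asset; the exposure shows up on the other side.
net_position = (sum(balance_sheet["assets"].values())
                - sum(balance_sheet["liabilities"].values()))
print(net_position)  # 210000
```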
The other thing I should have said was that organizations need to evaluate the value:risk ratio of their information periodically. It’s absolutely true that certain types of information don’t age well and expose organizations to risk that is greater than the information’s value. At this point an organization needs to determine whether they will dispose of the information (legally) or commit additional resources to mitigating the risk, in whatever manner is most appropriate (doing nothing is not an option).
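The periodic review could be sketched as a simple decision rule. The dollar figures and the rule itself are my own invention, just to show the shape of the decision; real reviews would weigh a lot more factors.

```python
# Hypothetical sketch of a periodic value:risk review.
def review_information(value, risk, mitigation_cost):
    """Decide what to do with an aging information asset.
    Doing nothing is not an option."""
    if risk <= value:
        return "retain"    # value still outweighs the risk
    if mitigation_cost < value:
        return "mitigate"  # worth committing resources to keep it
    return "dispose"       # dispose of it (legally)

print(review_information(100_000, 40_000, 5_000))   # retain
print(review_information(40_000, 100_000, 10_000))  # mitigate
print(review_information(40_000, 100_000, 60_000))  # dispose
```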
So, to the gentleman in the middle of the room: thank you. Your comments forced me to dig a bit and learn something.
For those of you interested, here’s the presentation to which I am referring …
As some of you may already know, I will be speaking about the Principles of Holistic Information Governance at the AIIM Conference in Orlando (my session is at 2pm on April 3). Here’s a brief preview of what I’ll be talking about.
This is a little story about how the Principles of Holistic Information Governance (the PHIGs) were leveraged to turn a pure Records Management project into something the entire organization, and its stakeholders, could benefit from.
I was approached by a partner to help them out on a project they are working on for a public transportation company. Their project is to put together a new web communication and presence strategy, and to implement it. Where they asked me to help out is on developing a Records Management strategy. The two projects were to be separate from each other since the RM project was really to fill in some gaps in the client being compliant with legislation and in helping them to respond to Freedom of Information (FOI) requests. There was no thought given to integrating the two projects or to looking at how an holistic approach could benefit the entire organization and its stakeholders.
As all good analysts and consultants do, I started gathering as much information about the organization and the projects as I could. The two critical documents that I had access to were the Web Communication project strategy (summary and detailed) and the organization’s 20 year strategic plan and roadmap.
There were obvious tie-ins to linking the RM project and the Web project, but selling them to the organization wasn’t easy as they just didn’t care all that much. They were happy to go forward with identifying what was a record, and subject to FOI, then just firing that content into their RM tool (which they don’t have yet). The real clincher to getting the organization to accept a PHIGged approach was the long term strategic plan. In the plan were articulated six values and five major objectives.
- Customer Service
- Develop Financial Sustainability
- Support and Shape Livable Communities
- Change the Perception of Transit
- Deliver Operational Excellence
- Strengthen our People and Partnerships
All six of the values can be directly supported by information, provided it’s properly governed and managed, from cradle to grave.
Like the values, the objectives will benefit from taking an holistic view of how information lives in the organization.
One of the other things that I did was to review the RM strategy document I was provided and link those objectives to the objectives in the Web Communication strategy and the long term strategy. It’s both funny and sad that folks get so focused on their own view of the world that they don’t see the bigger picture. The RM strategy probably had 85% of what was needed for an organization wide (I’m trying not to use the word “enterprise” too much) information management strategy.
From a technology point of view there will be many different tools used to provide the solutions that the organization will, over time, implement. But, they’ll be underpinned by the PHIGs. The PHIGs are there to help organizations take a look at how and why information exists and affects all relevant stakeholders. The PHIGs aren’t about technology; they’re about business and doing it better by understanding what you need from information.
By reordering and rewording some of the RM strategy objectives, and adding a couple of new ones, we were able to change the focus from an RM project that would provide very limited benefits, to an organization-wide information management program that will benefit all stakeholders. Of course it’ll take longer to get to the end, but at least the client has taken the first step and realized the importance of information to the proper running of the business.
Below is the presentation from my session at the AIIM 2014 conference …
Over the last couple of days I’ve seen/heard some comments that Big Buckets don’t work well in Records Management. Uhm, you’re doing it wrong.
I suspect that a large part of the issue is that classification models are too granular and too tightly coupled to the retention schedule. I’ve been involved in a couple of projects where this was the case. One client understood this, made the necessary adjustments, and achieved success. The other client … held steadfastly to granular, overly complex schedules and models, and is only now (4+ years later) re-examining their original plan.
You wanna make big buckets work? Here’s some simple stuff you need to do:
- Simple, function based classification models;
- Uncouple classification from retention;
- Automate & hide RM tasks from users (they know what they’re working on and don’t give a rat’s ass about RM – I know, hard to believe);
- Classify on capture/creation;
- Review periodically.
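A minimal sketch of how the first few points fit together. The bucket names, document types, and retention periods are all invented; the point is that the classification model and the retention schedule are separate tables, and users never see either one.

```python
# Function-based "big bucket" classification, deliberately coarse.
BUCKETS = {
    "invoice": "finance",
    "contract": "legal",
    "timesheet": "hr",
}

# Retention schedule, maintained independently of the classification model.
RETENTION_YEARS = {
    "finance": 7,
    "legal": 10,
    "hr": 5,
}

def classify_on_capture(doc_type: str) -> tuple[str, int]:
    """Classify at creation/capture time; the RM machinery stays hidden
    from the user, who only knows what they're working on."""
    bucket = BUCKETS[doc_type]
    return bucket, RETENTION_YEARS[bucket]

print(classify_on_capture("invoice"))  # ('finance', 7)
```

Because retention is looked up by bucket rather than baked into the classification, the schedule can change without reclassifying anything.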
Note: During a Google Hangout yesterday (featuring @cawprhyd, @tchernik, @lllivingston, and some others whose twitter id’s I don’t have handy) the subject of disposition reviews for automated disposition came up. My position is pretty simple – you don’t need them. Sort of. If you assume that classification and retention have been agreed prior to implementation, and that content is classified up front, there is no need to review. Of course, this works only on a day forward basis and requires that whatever tools you have in place can do the legal hold and suspend disposition processing / time clock when needed. You really should follow the twitterers that I’ve id’d here – they’re pretty smart.
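The day-forward logic might look something like this. The retention math and the hold check are a simplified assumption, not any particular product’s behaviour; a real tool would suspend the disposition clock rather than just blocking disposition.

```python
from datetime import date, timedelta

def eligible_for_disposition(created: date, retention_years: int,
                             on_legal_hold: bool, today: date) -> bool:
    """Day-forward automated disposition: no manual review needed,
    provided classification and retention were agreed up front.
    A legal hold always blocks disposition."""
    if on_legal_hold:
        return False
    return today >= created + timedelta(days=365 * retention_years)

print(eligible_for_disposition(date(2010, 1, 1), 7, False, date(2020, 1, 1)))  # True
print(eligible_for_disposition(date(2010, 1, 1), 7, True, date(2020, 1, 1)))   # False
```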
A while back I mentioned that I was going to try to write a book. Well, I’ve started it at last. Between losing my job and spending time at the cabin I’ve not really been motivated or focused. I’ve been spending my time looking for work, but also enjoying rural life at my cabin. I have also found that this writing thing is a lot harder than it looks. Anyways, here’s a draft of the introduction to my as yet untitled book of PHIGs. Let me know what you think.
I used to think that people were an organization’s most important resource, but I don’t think that’s the case any longer. You see, some things have changed over the years: 1) Organizations put more time and effort into making sure they have the right information than whether or not they have the right people; 2) Missing key information causes more consternation than when a key person is missing (vacation, prison, dead, etc.); 3) Organizations will happily jettison people they think are no longer required, but hold on to useless information for eternity; 4) Organizations don’t pay the people that manage information nearly enough.
If a person unexpectedly leaves their job the organization copes and moves on. If key information vanishes right before a planning cycle … different story. So why do organizations suck so bad at managing information like the asset it is? I don’t know and I’m not going to try to figure it out. This book is more about helping organizations stop sucking at managing information. As for better pay for information management people … fight your own battles people.
What is Information Governance?
Information governance is all the rules, regulations, legislation, standards, and policies with which we need to comply when we create, share, and use information. Governance is mandated internally and externally. Done correctly (i.e.: holistically), information governance allows organizations to conduct business better and meet all their information related obligations while minimizing risk. Done incorrectly (i.e.: in a silo’d manner), information governance may help organizations meet obligations and reduce risk, but business efficiency is sacrificed.
Why do Information Governance?
“We can find everything we have, we just don’t know if we have everything we’re supposed to find.”
The above was a statement made by a director at my first ever Enterprise Content Management gig in 2006. Back then I don’t think the idea of Information Governance (IG) went far beyond IT security and perhaps Service Level Agreement (SLA) management. Even today, IG is not really thought of in an holistic way, applied to managing all aspects of an organization’s information assets.
In order to make the most effective and efficient use of information, it needs to be properly managed and governed from cradle (creation / capture) to grave (destruction / archiving). Holistic information governance makes organizations info-efficient by providing the means to keep what’s needed and legally dispose of what’s no longer necessary. Holistic information governance results in faster, better decisions, reduced information related risks, reduced ediscovery costs, and reduced information storage costs.
Principles of Holistic Information Governance
The first thing you need to understand as you read the PHIGs is that no distinction is drawn between records and non-records. From a business execution perspective the difference is irrelevant; from an evidentiary perspective it’s minimal, since any information you have can be used against you in proceedings.
Whether the information is structured, semi-structured, or unstructured (there’s no such thing) makes no difference. Format and storage location are similarly unimportant to the PHIGs, as are the devices (personal or corporate) used to create or edit the information. The only thing that matters is whether or not the information is needed by the organization to either conduct business or meet obligations.
The PHIGs are really based on understanding how an organization uses information to conduct business. Understanding has to happen at the micro (department, process) level and at the macro level to be truly useful. Not all information is equal for all organizational stakeholders; therefore it cannot be governed the same way across the entire organization.
The PHIGs are not a technology approach to information governance; they are a business approach to information governance. The intent of the PHIGs is to help organizations analyze their information assets and apply the right level of governance based on how the information is used / needed to conduct business.
This is a response to comments that Jürg Meier made recently on something I posted a while ago. Jürg is a very smart and personable guy, whom I had the pleasure of meeting in person at ARMA Switzerland’s inaugural event on November 29, 2011. I urge you to check him out on twitter and here, where he works.
I was going to simply reply to Jürg’s comments on my blog, but I figured that the points he brought up are pretty substantial and would be of interest to a broader audience. I asked Jürg if I could paste his comments into a post and respond to them. You’re reading this so either: a) Jürg agreed; or b) I’m in deep doo-doo.
From the original post: “Users know what business process they’re involved in. …”
JM: Chris, not sure here. What about knowledge workers, who “often advance the overall understanding of that subject through focused analysis, design and/or development” (Wikipedia). Are they in a business process? Perhaps, but more often than not in a very large one, like a product development, an IT or marketing project. These people send email, Word and PowerPoint docs back and forth, take notes. Notes? Karl Alexander Müller, Nobel Prize winner in physics 1987, discovered a material for high-temperature superconductors. He took the decisive note a few years earlier at a congress – on a single page of his pocket notepad.
MoReq2010 comes up with a similar example. In the introduction chapter, it shows a hand-written shopping list and the resulting cash register receipt, and considers only the latter a record.
I would say that regardless of what the duration or intended outcome of a process is, it’s still a business process with measurable business objectives. Projects and cases (as in case management) cross multiple business processes and can be of several years duration. Product development takes ages, is complex, involves large numbers of people and huge volumes of content. However, it can still be tied to business processes and the participants (usually) know what they’re doing. In that type of scenario I think I would recommend using a case aggregation for the users to plunk their content into, and apply appropriate retention to the aggregate.
I would assume that Müller knew what he was working towards when he wrote the decisive note in his pocket notepad (how different is the pocket notepad from a tablet these days?). If my assumption is correct then it stands to reason that the note is part of the research documentation, which must be filed and retained. The big question in my mind is related to ownership of the intellectual property; does it belong to Müller, to IBM, or to both?
Another question that I have concerns an outcome that is unintended, but beneficial nonetheless. I’m sure we all remember what Sildenafil was originally intended for, and what its current use is. What, if anything, are the impacts on categorization and retention? Research & knowledge based processes are really tricky to deal with, but I think the key is that you can apply (business) rules & automation to the mundane aspects, use aggregations to capture the content, and let the participants do what they are engaged to do. I would certainly rather have medical / pharma researchers figuring out cures than worrying about where to file something.
The MoReq2010 shopping list / receipt example is analogous to an order / invoice example. Each document provides a part of the complete picture, and therefore is required. I also think that particular example is nonsensical unless for some official reason (e.g.: personal taxes) you need to hold on to the receipt. Frankly, I need to keep the list to prove to my wife that I didn’t bugger something up when she “let” me go shopping for her.
JM: In my experience, it is really a question of who will consume the information. There are the usual suspects:
– long-term (historical) archive
As you pointed out during your speech at the Swiss ARMA Chapter inaugural meeting, different people have different views on the same information. So, it would be compelling to classify information multiple times, by different consumers… and I’m inclined to say: as late as possible. Only if we know the purpose of the classification can we do it right. E.g. for legal, they actually only know what they are looking for upon litigation. By then, though, they know very well what they need.
But what’s wrong with classifying as soon as possible, and adding additional classifications as they are identified? The classification with the longest retention drives how long the content needs to be kept. This only works when classification and retention/disposition are segregated. In litigation situations simply applying a hold / freeze will do the job; there’s no need to apply additional classification to the content, because you can create a legal case file aggregation and dump the content into it.
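The “longest retention wins” rule is easy to sketch. The classification headings and retention periods below are invented; the only point is that multiple classifications can coexist because retention is resolved separately.

```python
# Invented retention schedule, kept separate from classification.
RETENTION = {"tax": 7, "project": 5, "correspondence": 2}  # years

def retention_for(classifications: list[str]) -> int:
    """Content classified under several headings is retained for the
    longest applicable period."""
    return max(RETENTION[c] for c in classifications)

print(retention_for(["correspondence", "tax"]))  # 7
```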
Content that has archival value, but no risk is easy – just keep it. I mean, I know we’ll want to keep all of my blog posts for the next 300 years or so. It’s tougher when content that has archival value has some potential risk associated with it (privacy issues, legal exposure). I think at that point it’s really a judgement call. Frankly, I’m in favour of preserving because I’d like to think that sometime in the future there are going to be people that are interested in what we’ve been thinking and doing, and that the information they want is available. I’m also hoping that we’re not so stupid that we evaluate everything in terms of whether or not we’re going to get sued.
JM: However, the case of “late classification” does not answer one key question: for how long should we retain? The only reliable basis here is law and the retention schedule. And for that, by nature, we must classify upfront. That isn’t too difficult for “real business processes” (e.g. selling a ticket), but becomes tricky with output from knowledge workers. Here, to some extent, we need their support. Classifying draft/final is a good start, formally assigning it to a project would be very helpful, as well as identifying ownership and the document type.
For the most part I agree with this paragraph. For the knowledge workers, especially those that are involved in a lot of trial and error, I think we can come up with some reasonable classifications and retentions for them to use. Imagine how different things would be if the people that were working on Sildenafil tossed everything away once they realized they weren’t going to achieve what they set out to do.
This was originally posted on the AIIM Community on November 18, 2011.
I’m not an expert on cloud computing, I’m just some guy that likes to be able to access the content I need to do my work, from wherever I happen to be, using whatever device I feel like using at the moment. Take this post, for example; it was written on a laptop and a tablet, in a dining room and a swimming pool (not really in the pool since my tablet isn’t waterproof though that would be mega-cool).
I agree with Billy Cripe’s thoughts that Agile can (ought to) be applied in the development of cloud based ECM solutions. However, as Billy correctly states, “Managing content is not the goal of most businesses.” Most businesses exist to make money by providing products and/or services that consumers want. Businesses rely on information in order to get their stuff done, whatever their stuff is. In order to fully exploit information, the tools (i.e.: information stores) that the businesses rely on need to be connected to each other (so do the people – the tools need to facilitate this). Content / information management tools (cloud or not) need to be part of bigger picture business solutions. We need to build solutions that deliver “I need to share this” in the context of why it needs to be shared (answer why you need to share and you’ll likely figure out who and what).
No sane person can argue the value and validity of the cloud. Except me. I’m not daft enough to think that cloud computing doesn’t have value or is not a valid approach to take. However, I do think that we’re not going to realize the full potential of the cloud (and by extension, content) if we simply limit its scope to content management. Yeah, I know that there are other things that are done in the cloud, such as CRM, payroll, and accounting.
Content Wherever I Am
One of the cool things about content in the cloud is that my content is wherever I am. (Okay, so it’s not really my content, it’s my organization’s content.) That’s not the point, though. The point is that I can work with content wherever I happen to be, using whatever device I choose. This does assume that the chosen content repository is able to be synched appropriately. Wouldn’t it be cool, though, that if in addition to being able to work with the content and share it with collaborators (the work variety, not the WWII Nazi variety) the content could also be appropriately tagged, filed, and placed under retention at the point that I plunk it into the repository? I.e.: Cloud repositories need to become extensions of ECM and ERM systems, probably through federation.
Correctly Connecting Corporate Content
Content is spread throughout an organization; cloudification just increases the spread. When I say content, I mean anything that is stored on digital media that serves any legitimate business activity. (For obvious reasons I am excluding physical content.) A key to widespread cloud acceptance is being able to access / leverage content in order to execute a business activity, regardless of where the various pieces of content reside. An agent in a social services organization should not have to know or care that a citizen’s information is spread over a number of repositories that could be on-premises, in a private cloud, and in a public cloud. The agent is there to service the needs of the citizen, not to figure out some (likely) convoluted architecture just to try and find stuff.
CMIS is a step in the right direction, but where CMIS falls short is that it doesn’t address non-CMS (think ECM) repositories. What we need is something that allows connecting everything that we need, when we need it. Device and location should not be factors. In fact, the only thing that a user should worry about is whether or not they have the right content to do the job. Governance, classification, and security ought to be just taken care of.
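The “connect everything” idea could be sketched as a thin federation layer over whatever repositories exist. The class names, repository shapes, and citizen records here are all invented; the point is that the agent calls one search, and the topology (on-premises, private cloud, public cloud) stays invisible.

```python
# Hypothetical sketch of a federation layer over heterogeneous repositories.
class Repository:
    def __init__(self, name, docs):
        self.name, self.docs = name, docs

    def search(self, citizen_id):
        return [d for d in self.docs if d["citizen"] == citizen_id]

class Federation:
    """One search call fans out to every connected repository;
    the caller never sees where the content actually lives."""
    def __init__(self, repos):
        self.repos = repos

    def search(self, citizen_id):
        return [doc for repo in self.repos for doc in repo.search(citizen_id)]

on_prem = Repository("on-prem", [{"citizen": "c1", "title": "case file"}])
cloud = Repository("public-cloud", [{"citizen": "c1", "title": "benefits form"}])

print(len(Federation([on_prem, cloud]).search("c1")))  # 2
```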
Speaking of Governance…
Until the governance issues get sorted, I doubt very much that we’ll see widespread adoption of public cloud services. Smaller organizations, organizations subject to lax regulatory / privacy regimes, and organizations that can bully providers into rock-solid SLA’s may be able to go full public cloud, but I doubt they will. I think the reality is that organizations will end up having hybrid environments of cloud and on-premises.
When I say governance I am not only referring to the poo that legislators, regulators and litigators throw in our way. Governance needs to address issues such as:
- what can / should be stored in the cloud
- service level agreements
- disaster recovery / business continuity
- classification / categorization
- retention & disposition (thanks to @JamesLappin & @AlanPelzSharpe for bringing this up)
Governance of cloud content has to deal with all of the things that we need to deal with for on-premises stored content, with the added complication that we also have to deal with where the damn box is and if some foreign government can get at it whenever they bloody well feel like it. Canada’s Anti-terrorism Act and the United States’ PATRIOT Act are not going to be very helpful in encouraging organizations to move to the cloud in a big way.
Summing Up
- Hybrid (cloud / on-premises) will be in the majority
- Governance (internally & externally imposed) has to be figured out
- Integration / interoperability are critical
- Privacy concerns and government snooping are major inhibitors (@ron_miller wrote a pretty good piece about this)
- If we’re not careful we’ll just move the mess from our hard drives to someone else’s
- Some Systems of Record will end up in the cloud, if they’re not already there
- Services are where it’s at
I couldn’t decide which song I wanted to use for this post, so you’re getting three:
A couple definitions for those that think it should be “on-premise”
Big Data? Big Whoop!
Over the past couple of days I’ve been seeing a number of posts and tweets about Biiiiig Dataaaaaaa (ring announcer voice in my head)! What is “Big Data”? Check out the definition in this executive summary; or as I and others like to say, “It’s as big as a piece of string is long”. I certainly understand the idea behind “Big Data”, but do we really need a new term for something that, let’s face it, isn’t new at all?
In a comment to this post I used the phrase “E2.0 meets BI”. To be more accurate I should have said “E2.0 fuels BI”. This whole “Big Data” thing is nothing more than reporting and analytics, but with more data than we had before. Those of us who have a stake in the BI domain have often wished for more raw data on which to base our decisions. Now that we have it, and are getting more of it every second, we’re freaking out and giving one or more major vendors in the space an opportunity to define something new. Two things, and only two things, have really changed:
- The available amount of raw data is way beyond what it was only a short time ago;
- The Cloud and SaaS jeopardize access to some of the raw data.
If you’ve got the resources (i.e.: $’s), dealing with #1 is a matter of scaling. Dealing with #2 is tougher, especially if any of your data sources are not entirely under your control (Cloud, SaaS). The challenge, however, is not insurmountable:
- Rationalize your requirements and identify what is absolutely critical to your business (i.e.: leave the “it’s just cool” stuff out or defer for later);
- If you rely on hosted data sources negotiate appropriate access and up-time agreements;
- Find out if your hosted providers can provide some of the ETL for you;
- Trim your datasets where possible;
- Identify your true timing requirements (real-time, near-real-time, periodic);
- If you have retention / disposition policies on your data sources, enforce them; if not, define and enforce them.
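The last point can be sketched in a few lines. The field names and the two-year period are assumptions for illustration; the idea is just that raw data feeding analytics gets the same retention enforcement as everything else, which also helps with trimming your datasets.

```python
from datetime import datetime, timedelta

def apply_retention(records, retention_days, now):
    """Drop records that have aged past the retention period before the
    dataset is fed into reporting / analytics."""
    cutoff = now - timedelta(days=retention_days)
    return [r for r in records if r["created"] >= cutoff]

now = datetime(2012, 1, 1)
records = [{"id": 1, "created": datetime(2011, 6, 1)},
           {"id": 2, "created": datetime(2009, 3, 1)}]

print(len(apply_retention(records, 730, now)))  # 1
```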
The funny thing is, when I made my living in BI projects, 5 of the 6 points noted above were standard things we did. Maybe nothing really has changed all that much, other than my segue into RIM. Oh well.