How to Implement a Sustainable Information Governance Framework
We live in a world with rapidly accelerating data volumes, and in which data sources are becoming more complex all the time. With the rise of unstructured data sources such as videos, audio files and instant messages, business teams have an unprecedented data landscape to contend with. In parallel, many businesses are holding onto an ever-increasing universe of data, often without a holistic strategy to manage information and reduce digital risk. The result is an environment in which risks abound, costs soar and business agility is hampered.
However, when businesses understand the information they hold, where it is stored and the scope of risks that surround it, leaders can better protect it, and at the same time, maximise tremendous value hidden within it.
With a comprehensive and forward-looking information governance framework, this reality can be achieved. Key steps to getting started include:
Assess and Understand Information and Data
A fundamental starting point for any information governance effort is to build a detailed understanding of the data held, including how it is generated, where it is stored and who it is shared with. To achieve this, a data inventory should be created that classifies both structured and unstructured data appropriately and identifies the rules and standards that apply to it.
To complement the data inventory, an architecture map with data flows can support a better understanding of how information is shared between teams and assets, and help to identify legacy systems that likely need to be decommissioned.
The assessment phase will also enable teams to more effectively pinpoint related risks, for example where sensitive confidential information requires additional security protections or more restrictive access controls.
Build a Framework
Once you have built a robust understanding of the information landscape, it is time to develop a framework to manage data more effectively. Key elements include the following.
Before embarking on the implementation of a framework, it is critical to establish the goals of the framework. Governance frameworks should be consistent with the organisation’s wider business objectives and attend to the risks identified in the assessment phase.
Build the Team
It will be necessary to identify the individuals and teams who will be responsible for supporting the implementation of the framework. This will include IT teams, information governance professionals, legal and security. This core team will likely form the nucleus of a more formalised governance model to be developed later.
Policies and Procedures
Policies and procedures should be developed to cover data protection, data quality, data management and information security, and to establish standards for the business to follow. The policies and procedures developed should also articulate the steps that need to be taken by employees to carry out good information governance.
An important, yet often overlooked, aspect of information governance is retention, and the business should review the current retention and disposal practices to avoid the accumulation of redundant, obsolete or trivial data (often referred to as ROT data). Teams should ensure that there is a comprehensive retention schedule defining the retention periods for all record classes with appropriate trigger points. Furthermore, the organisation should develop disposal processes to ensure that both electronic and paper formats of data are disposed of securely and on time.
Governance and Reporting
By this stage, the key stakeholders who will manage information governance within the organisation should be clearly defined. However, it is important at this step to also identify data stewards. Data stewards are the individuals who can help to provide oversight of information governance processes, escalate risks and communicate key messages to employees. Data stewards should be incorporated into a wider governance model that includes a steering committee, management teams and employees. For businesses that are in the early phases of governance maturity, it is likely that a centralised model, whereby implementation comes in the form of a top-down approach, will be more appropriate.
Before implementing a reporting process, it is important to determine metrics and key performance indicators to measure the success of the information governance framework. A reporting process should be established so that stakeholders can evaluate what adjustments need to be made to the framework and identify key risks on an ongoing basis.
Training is a key instrument to truly embed information governance within an organisation, and is the cornerstone of any compliance program. Training should be provided to data stewards to communicate the role they play in implementing effective information governance, to cover policies and procedures that have been developed and to detail the reporting process.
Training and awareness materials should also be provided to employees on key policies and processes, to ensure that they are followed effectively and to build data literacy across the business.
Information governance technology can be deployed to operationalise compliance and to automate certain processes such as data cataloguing, data quality and data management. The automation of processes can help to alleviate the burden on employees and to streamline compliance, although it is not a silver bullet. For technology to be fully effective, it must be configured in a way that aligns with business needs, policies and procedures.
Jack Fletcher is a Senior Director within FTI Consulting’s Technology segment, based in Dubai. FTI Consulting has a dedicated team of information governance experts who provide tailored compliance advisory support to a range of businesses in the Middle East and North Africa Region.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.