Information Governance 2.0 A DOCULABS WHITE PAPER

Transcription

1 Information Governance 2.0 A DOCULABS WHITE PAPER

2 Information governance is the control of an organization s information to meet its regulatory, litigation, and risk objectives. Effectively managing and governing information requires that an organization know what information it has, where it is stored, and how it is shared. When it comes to information governance, many financial services firms focus primarily on risk reduction and in the process, they fail to realize the intrinsic value of their information. In this white paper, Doculabs outlines a framework for how firms can dramatically improve their control functions and make information governance a source of competitive advantage. ype here] [T

3 Next-Generation Information Governance Financial services firms face a unique set of challenges in putting information governance (IG) in place. IG efforts tend to be tactical across the various control functions, with siloed work functions and inconsistent processes, roles, standards, and metrics across these areas. The result is many firms struggle to ensure that their records are not just secure, but also easy to locate and access. Business Functions Control Functions Information Governance Structure: The Ideal State Doculabs has worked with the leading financial services firms, and we contend that IG can serve as a source of competitive advantage and deliver significant strategic value. Many firms do not understand the true value of their information. Having focused their IG efforts primarily on risk reduction, they have failed to realize the intrinsic value of the information itself (including brand, customer data, knowledge from research and product development efforts, etc.) information that can be leveraged to generate revenue, improve operational efficiency, and increase competitive advantage. This white paper outlines Doculabs framework for next-generation information governance: an approach to IG that allows the lower levels of the organization to achieve additional utility from information management, and, as a derivative, enable additional governance. We provide an overview of the framework for an aligned program for information governance, looking at each of its constituent categories and current best practices for each. Then we close by helping you make the business case for an IG initiative in your own organization. 3

4 Three Keys to Success 1. Make information management an embedded part of operational excellence. Improving information management can improve operational efficiency for business processes, while also positioning the business for improved information governance. Just as quality was recognized as critically important to operational excellence in the 1980s, so too must information management competencies be recognized today. 2. Integrate the autonomous, and sometimes redundant, activities across the compliance, risk, information security, privacy, and records management functions. The processes employed for each function are similar in nature (e.g. interrogate data, identify vulnerabilities or gaps, remediate, etc.), and can be better coordinated to become more effective and less disruptive to the business. 3. Discern the valuable and/or risky information and prioritize efforts and investment. Information security today protects all systems and data indiscriminately, using monitoring, firewalls, endpoint protection, etc. The current approaches are not sustainable, given the growth of information and the explosion of access points due to mobile users. Identifying the most valuable information and that which presents greatest risk enables the Information Security function to prioritize its efforts and invest its time and resources appropriately. Program Evolution: Creating Value The overall goal for maturing an information governance program is to evolve from a cost of doing business (satisfactory), to an efficient operation, to one providing business value. Efficiency can be achieved by delivering the same service with far fewer resource (e.g. through consolidation and elimination of redundancy) or by using third-party service providers that enable a portion of costs to be variabilized instead of fixed increasing and decreasing as demand for services fluctuates. Value can be achieved by showing how information governance enables core business processes. For example, sales teams find the latest proposal to collaborate upon, client data is maintained in the customer service system to make access simpler, and marketing teams don t waste resources recreating digital assets. 4

5 Doculabs Information Governance Framework Within any financial services firm, a wide range of constituents or domains are involved in information governance. The list below identifies these constituents and their respective roles within the information governance framework: 5

6 Improving information governance (IG) requires much more than just policies or technology. It also requires elements such as organizational resources, structure, standard practices, and communications and training. As many firms have learned, implementing technology without sufficient attention to these other areas will hinder adoption. Doculabs has identified eight key categories of an overall information governance framework for many firms: Doculabs consulting engagements address all of the categories of the IG Framework. The following subsections address these categories, defining the role that each plays in information governance and some of the key challenges it presents, with high-level recommendations for how to address those challenges in your own organization. 6

7 INFORMATION ARCHITECTURE Information Architecture: The manner in which information is organized. This includes a content taxonomy or organizational hierarchy, a records plan and retention schedule, and a content map of the organization s electronically stored information (ESI) and of its content repositories. Most financial services firms have many different systems and applications in use, making it far too cumbersome for users to store and manage their data and content. There are too many steps, and in many instances the taxonomies used don t make sense to users. In addition, poor information architecture makes it more difficult for Information Security to monitor and protect high-risk, high-value corporate information. Doculabs recommends that a firm standardize on a very small set of global metadata fields (i.e. tags) that are automatically assigned or which require minimal effort for users to add. Then configure systems to inherit metadata values and to pre-populate user-required metadata fields where possible. Finally, we recommend mapping information security metadata fields (e.g. PII/PCI flags, confidentiality level) to other metadata fields (e.g. document type, department ID) to allow for automatic assignment of information. The benefits of putting an information architecture in place include improved end user satisfaction, as users can find information more easily. From the risk standpoint, the information architecture enables better visibility into the information security risk of the firm s information, as well as improved ability to manage high-value, high-risk information according to information security policies and procedures. And because all information can be tagged according to records management criteria, it can more easily be evaluated to meet retention and disposition requirements. Core Elements of an Information Architecture 7

8 INFORMATION MANAGEMENT POLICIES AND PROCEDURES Policies and Procedures: The organization s rules for how information will be managed and governed. These include the policies that the organization and its employees must follow (the what ) and the accompanying procedures for complying with the policy (the how ). While the financial services firms we work with expect all employees to be aware of and comply with all information management policies and procedures that pertain to their work, we also find that the relevant policies and procedures for information management aren t organized systematically, and there may be gaps and overlaps in how they cover compliance and risk requirements. And, increasingly, we see policies and procedures that are outdated either they address technologies that firms no longer widely use, or they fail to address emerging technologies whose use is proliferating. Best practices for information management policies and procedures include using a comprehensive matrix of policies and procedures that explicitly prioritizes compliance requirements, identifies gaps and overlaps in requirements, and maps the requirements to existing and required policies and procedures. We recommend starting with the most demanding regulatory, security, and privacy requirements industry standard requirements that comprehensively cover more specific requirements. Then develop and/or remediate policies and procedures to address any remaining gaps, consolidating them according to a lifecycle development and maintenance methodology for policies and procedures. Key Framework Artifacts PROCESSES Processes: The overall processes used to support IG. These include processes to evaluate the maturity of various IG domains (e.g. records RIM, information security, and compliance) and remediate any control gaps, as well as more specialized processes such as e- discovery. At most financial services firms, the privacy, risk, compliance, and information management functions each have their own independent processes process that are likely to be partially redundant. And each of these functions engages the business functions, inquiring about the nature of the data and content they produce, manage, and consume, toward determining whether it contains PII, how long it should it be retained, and whether it s subject to legal hold. The problem is that business units tend to consider their information management needs narrowly i.e. considering the minimum needed to meet requirements today because they typically don t have the skills or processes in place to fully vet their long-term opportunities. 8

9 Doculabs recommends consolidating processes associated with privacy, risk, and records, as well as information security and compliance, to the extent possible. We further recommend coordinating the process through which the control functions interact with the business in order to present a more holistic view of what the business areas should be prepared to provide and minimize disruption. Future State Processes for Information Governance TECHNOLOGY Technology: The tools and technologies used or leveraged for managing information and enabling its retention, accessibility, security, and protection, and disposition. These can include technologies and capabilities for data quality, RIM, management, data archiving, information security, DLP, and e-discovery, among others. Where information governance is concerned, the current technology landscape offers tolls with overlapping tools, in various stages of maturity. The technologies at many financial services firms today are a direct reflection of this fractured landscape. Making matters worse, the investments made in software and the maintenance for these heterogeneous systems are neither scalable nor sustainable. Moreover, none of these capabilities are truly integrated into the business processes they support, resulting in swivel chair integration as users must jump from system to system to complete a process, which introduces manual steps as well as opportunities for error. The following figure shows Doculabs recommended technology stack, as a guide for where to make portfolio investments over the next 3 years. Specifically, we recommend investing in the foundational capabilities first, such as content and data management and information security, then augmenting them with more advanced records and GRC capabilities. Depending on your firm s maturity in unstructured content, you may need to focus on areas such as content analytics and content tagging systems and protocols within the Capture and Access components. Finally, use your information security tools to protect valuable information, as opposed to low-value, low-risk data. Many firms dilute the value of these tools because they use them to protect all information, whether valuable or worthless, at the same level. 9

10 Information Technology Solutions: An Integrated View ROLES AND RESPONSIBILITIES Roles and Responsibilities: The organizational structure and roles for the IG program and the various IT subdomains, and the roles and responsibilities for the individual business units as they pertain to the IG disciplines. Many firms present critical shortcomings in their current roles and responsibilities for Information Governance, with undefined data and information ownership, system administration, and custodial discipline within business units. At some firms, a further problem is the lack of enterprise resources to assist business units in determining their information governance and information management needs. Doculabs recommends consolidating the various control functions Risk, Compliance, Privacy, and Records at the enterprise level to assist business units with their various control responsibilities. (Note, however, that records coordinators should continue to reside within the business functions.) In general, Risk, Privacy, and Compliance will each have a team lead. Legal should remain in the corporate litigation group, with a dotted line into the control group. 10

11 PROGRAM GOVERNANCE Program Governance: The definition of the overall strategy and approach for oversight of corporate information, and the decision rights across all IG subdomains, including prioritization, resolving conflicts among IG subdomains, and budget approval processes such as e-discovery. Many firms do not have in place the various coordinating activities that ensure priorities and funding are applied to the stated objectives around information compliance and risk. In particular, they lack an overall strategy for addressing the various control functions. In the absence of such a strategy, each business has developed its own priorities in light of corporate mandates, but with different levels of investment and different processes and responsibilities. Doculabs recommends establishing a cross-functional steering committee to set the overall budget for the program and allocation of resources between enterprise and business-lead projects. Just as important, the business areas need direct line-of-sight into the enterprise objectives and priorities, via regular communications and involvement in monthly and quarterly meetings. FINANCIALS AND METRICS Financials and Metrics: The overall financial management and planning for the IG function, and the tracking of defined metrics within the program; the valuation of information as an asset. At many firms, business units view the costs of information governance as a corporate tax, with little ability to control the costs as they improve their information management capabilities. The problem is further complicated by the fact that few metrics exist on the efficiency of governance functions. But it s also the case that, in the financial service industry as a whole, the value of information is neither well understood nor differentiated. For example, we ve often seen content associated with critical new product development comingled with dated interdepartmental correspondence, with no differentiation in the manner in which the more valuable information is handled or managed. Doculabs recommends that firms identify a set of primary metrics to monitor the performance of the different governance functions both proactive (e.g. number of training sessions, number of individuals certified, etc.) as well as outcomes (number of incidents, number of audit findings, etc.). Recognize that units of work are very difficult to define for compliance, risk, information security, and privacy so focus on simple tasks (e.g. system enhancements, projects, events) to develop a baseline from which initial statistics can be measured. Sample Metrics 11

12 Also identify the broad categories of information under management. Differentiate the systems that house valuable information and/or accessrestricted information from those housing less valuable/less restricted information; then focus information management improvements on the systems housing the more valuable information. Finally, introduce information utilization into managerial metrics. Business unit managers will need to understand both the costs and benefits of more effective management of information. Many managers understand systems costs (allocations for desktops, specific applications, etc.), but information flowing through the systems is not typically assigned a value or cost. Use Information Utilization measurement (percentage of data managed appropriately with systems). COMMUNICATIONS AND TRAINING Communications and Training: The mechanisms used to educate the user community and improve adoption of the solutions, practices, and guidelines for information and knowledge management and collaboration. Training on tools at most firms tends to consist of one-time events or onesize-fits-all training, with insufficient guidance for users to help them after the initial training. Doculabs recommends adding new resources to provide more day-to-day guidance and reinforcement, giving users access to people who can give them practical guidance in the context of the work they do. It s also important to create a structured onboarding process for new hires, to establish expectations upfront. For reinforcement, focus on ongoing communication of information in smaller chunks, such as checklists, tips, and user guidelines focused on particular tasks (e.g. documents and ) or aspects of using key systems and business applications. Keeping the communications drum-beat going also reminds users that they have resources available to help them. Once the information governance program has been operationalized, the program will include multiple communication mechanisms and touch points, and will involve participants at different levels in the program. The table on the next page presents Doculabs recommendations for program-level communications. Regular communications are critical to operationalizing an IG program, as well as for ongoing reinforcement of new practices. 12

13 When Who What Annual Program Review Annual Program Planning Quarterly Program-level Reviews Monthly Operational Reviews Annual Vendor Reviews Monthly Health Check Reviews Quarterly Health Check Reviews Information Governance Steering Committee/Board Governance Program Management members Governance Program Management (IT Leads) Governance Program Management (IT Leads) Execution Teams Governance Program Management (IT Leads) IT Leads Data Owners Doc Controllers IT Leads Business Sponsors Review strategic plan and direction for the Information Governance program Review program-level accomplishments and key metrics Address any organizational alignment requirements or issues related to areas such as Legal, Records Management, and Information Security Confirm resource requirements Finalize strategic plan and roadmap for the year Aggregate metrics and reporting for Governance Board annual review Identify issues and opportunities to address with the Governance Board Maintain and refresh the strategic roadmap as needed Review Information Governance program and system metrics; identify concerns and risks; agree upon mitigation plans Review Information Governance procedures and usage guidelines; ensure alignment with legal and records management requirements Communicate gaps, needs, and planned changes to the Information Governance architecture Review Information Governance project delivery and solution provisioning metrics for the month Review resource utilization and current workload; agree upon resource adjustments as needed Review Information Governance project pipeline and forecast; determine resource requirements and impacts Discuss and document gaps, needs, and planned changes to the IG architecture Meet with vendors and suppliers to review performance and service levels Brief vendors on FinServCo's strategic direction and priorities for the year Gather details from vendors on their strategic direction and product roadmaps Review key metrics (usage, user volumes, content growth, migrated content volumes, etc.) Review and approve any content quarantine, suspension, or disposition actions Address any other issues and challenges encountered at the business operational level Review key metrics (usage, user volumes, content growth, migrated content volumes, etc.) Address any other issues and challenges encountered from a business management standpoint Program-level Communications Recommendations 13

14 The Business Case for Information Governance This white paper makes the case for implementing a program for information governance that aligns the interests of both the control functions and the business. But for financial services firms, the harddollar benefits for IG are substantial, and the return on investment (ROI) can be significant. Overall, the major benefits of implementing an aligned program for information governance include: Eliminating non-compliance (and thus avoiding fines, penalties, and reputational damage to the firm) with efficient, natural processes Reduced overall costs for the various governance disciplines and activities through consolidation, reduced overlap, and reduced impact on the business Opportunities to leverage investments in improved information management for business value On the investment side, following are the categories of investment an organization should expect to make to implement the IG framework: Systems: The one-time capital and ongoing maintenance costs for systems, software, and infrastructure Program Staff: Any incremental headcount added as a result of the program Implementation Services: Primarily the internal IT staff costs associated with the program Third-Party Consulting: External resources specialized in certain tasks or having certain skills Training and Communications: Includes external costs (resources and marketing communication materials) and internal costs (primarily resources currently on staff) 14

15 The Final Word Sample IG Framework To see a sample IG 2.0 Framework, visit the Doculabs web site. IG 2.0 Framework Sample Doculabs IG Consulting Services To learn more about Doculabs consulting services, visit the Services page of our web site. Looking at each of the categories of the framework, where does your own organization stand? Where is there room for improvement at your firm? Doculabs has worked with all of the nation s leading financial services firms. We can conduct an assessment of the maturity of information governance at your organization. We ll take a look at organizational resources, structure, standard practices, and communications and training, as well as existing policies and procedures and technology. Then, based on empirical data from our work with the leading firms in the financial services industry, we ll give you an assessment of where you rank with respect to each of the framework categories. Then, based on those assessments, we will work with you to craft a go-forward strategy for implementing next-generation IG complete with a roadmap with the initiatives you ll need to roll out the framework at your firm. For financial services organizations, aligning the autonomous and sometimes redundant control functions is one of the biggest benefits of Doculabs framework. Integrating these activities across the compliance, risk, information security, privacy, and records management functions enables greater coordination and effectiveness, as well as decreasing disruption to the business. But improving information governance can also deliver significant strategic value, enabling your organization to capitalize on the value inherent in the information itself and positioning you to leverage that information for competitive advantage. Just as organizations derived significant value by focusing on quality in the 1980s, they can derive value by focusing on information management competencies today. Isn t it time to roll out IG 2.0 in your organization? 15

16 About Doculabs We are experts in content management. We help our clients by delivering highly actionable and comprehensive strategic plans and roadmaps, helping our clients achieve their business goals and create competitive advantage. Our consulting services also help our clients improve their records management and information governance approaches to facilitate compliance, reduce risk, and reduce the cost of e-discovery. Founded in 1993, Doculabs has an established track record in helping its clients bring content under control and improving the ways they collaborate. Our engagements focus on guiding our clients with our expertise, analysis, and in-depth market knowledge. And we re independent; we don t sell software or implementation services, so our clients can be sure that our recommendations are objective. Our consultants are highly experienced, averaging more than 20 years of relevant professional background and many years of working together as part of the Doculabs team. We re recognized thought leaders in the industry, frequent speakers at industry events and webinars, and active contributors to leading publications, social media sites, and organizations such as AIIM. Hundreds of Fortune 1000 organizations have turned to Doculabs for assistance with their information management strategies. To learn more about our services, visit the web site at or call (312)