By Matthew Bernstein, Bernstein Data
Many Information Governance (IG) projects (sometimes even an entire IG “Program” or function!) are initiated when senior management realizes that a specific “issue” requires an urgent and vigorous response. The issue could be an audit finding, a regulatory enforcement action, the advent of new regulations, or an enterprise cost strategy, to name just a few.
For the business leader or project manager charged with sponsoring or leading the project, it can be difficult to balance gaining the support of senior management (that we always hear is vital to success) with gaining agreement on what to do and how to do it. How do you overcome the governance delays of “It’s too big an issue and we need multiple stakeholders’ input” while mitigating the execution risk that comes with “We’ve just got to get started on this project”?
As with governance of any large project, the answer is to break it down into comprehensible components that can be quickly grasped and approved by individuals with limited knowledge and time to review the issues. Start by addressing three critical project planning pitfalls that can derail the long-term success of an IG project. If these are clarified early on, projects can “get started” and create the early wins that build credibility and momentum.
- First, ambiguous objective. Is it risk mitigation, cost reduction, or a business opportunity? Which objective should the project address first to prove its value?
- Second, unfocused effort. What are the timeframes and data priorities that will most effectively achieve the critical objective? Should the timeframe focus be to “stop the bleeding” going forward or remediate legacy systems? Should the data priority be determined by risk, business-unit, region, data store, or data type?
- Third, ‘magic bullet’ obsession. There can be a tendency (especially for senior management!) to assume that only one component of the operating model (people, governance, process, technology) is missing. The urgent pursuit of a “magic bullet” (e.g., a new policy or a new enterprise IT solution) becomes the critical activity, instead of an approach that considers which operating components are actually required for success.
Here is a concrete example of “how to get started” without bogging down in governance or charging ahead with the wrong approach, using Defensible Disposal as the example.
“Defensible Disposal” is of increasing interest to enterprises. This can be both a risk and a business objective, as defined below:
- Reduce the amount of data held to decrease processing costs; streamline control processes; and reduce privacy, eDiscovery, and litigation risks and costs by disposing of information no longer required for legal, regulatory, or business purposes.
It is easy to see why senior management would support this objective…and have lots of opinions and ideas on what to do! But, to “get started”, management could be asked to endorse the following as the initial objective, focus, and operating model for the program:
- “The growth of privacy legislation around the world is creating heightened financial and reputational risks associated with the collection and use of personal data. Thus, the critical objective of the Defensible Disposal project will be risk reduction: reducing the company’s retention of personal data that would most likely be subject to regulatory or consumer challenge.
- “The largest concentration of personal data is in our consumer banking business and the project’s initial focus will be on improving Information Governance in that division to support Defensible Disposal. We believe the greatest risk lies in retail consumer clients’ reaction to the collection of information in the context of new product marketing and onboarding.
- “Key to success will be the services and technology that provide regulatory intelligence and privacy program management. With the first, we will establish the sets of requirements we are subject to in the multiple jurisdictions in which we operate. With the second, we will create a suitable knowledge base of our personal data. These are the prerequisites for proposing a disposal plan.”
Obviously, establishing these high-level parameters will first require background work: understanding senior management’s concerns and making a meaningful assessment of the organization’s current state. But, the time and place to discover and agree on the initial objectives and activities – to get the program quickly underway – is not in a program steering committee or a presentation to senior management.
“Measure twice; cut once”…and get going!