Many IG projects (sometimes even an entire IG “Program” or function!) are initiated when senior management realizes that a specific “issue” requires an urgent and vigorous response. The issue could be an audit finding, a regulatory enforcement action, the advent of new regulations, or an enterprise cost strategy, to name just a few.
For the business leader or project manager charged with sponsoring or leading the project, it’s hard to balance gaining the support of senior management (that we always hear is vital to success) with gaining agreement on what to do and how to do it. How do you overcome the governance delays of “it’s too big a task and we need multiple stakeholders’ input” while mitigating the execution risk that comes with “we’ve just got to get started on this project”?
As with governance of any large project, the answer is to break it down into comprehensible components that can be quickly grasped by, and gain approval from, individuals with limited knowledge and time to apply to the issues. Start by addressing three critical issues that can derail the long-term success of an IG project but that, if established properly, can enable projects to “get started” and create the early wins that build credibility and momentum.
- First, ambiguity as to the critical objective. Is it risk mitigation, cost reduction, or a business opportunity?
- Second, a lack of insight as to where to focus efforts. What are the timeframes and data priorities that will most effectively achieve the critical objective? Should the timeframe focus be to “stop the bleeding” going forward or remediate legacy systems? Should the data priority be determined by risk, business unit, region, data store, or data type?
- Third, a tendency (especially for senior management!) to assume that what is missing is one component of the operating model (people, governance, process, technology), and thus make the urgent development of that “solution” the critical activity, e.g., a new policy “framework”, or a new enterprise IT solution.
Here’s a concrete example of “how to get started” without bogging down in governance or charging ahead with the wrong approach, using Defensible Disposal as the example.
“Defensible Disposal” is of increasing interest to enterprises. This can be both a Risk and Business Objective, as shown by this description:
Reduce the amount of data held, to decrease processing costs, streamline control processes, and reduce privacy, eDiscovery, and litigation risks and costs, by disposing of information no longer required for legal, regulatory, or business purposes.
It’s easy to see why senior management would support this objective…and have lots of opinions and ideas on what to do! But, to “get started”, management could be asked to endorse the following as the initial objective, focus, and operating model development for the program:
“The growth of privacy legislation around the world is creating heightened financial and reputational risks associated with the collection and use of “personal data”. Thus, the critical objective of the Defensible Disposal Project will be risk reduction: reducing the stores of personal data that the company retains which would most likely be subject to regulator or consumer challenge.
The largest concentration of personal data is in our consumer banking business and the initial focus of the Project will be on improving information governance in that division to support Defensible Disposal. We believe the greatest risk lies in retail consumer clients’ reaction to the collection of information in the context of new product marketing and onboarding.
Key to success will be technology that provides regulatory intelligence and privacy program management. With the first, we will establish the set of requirements we are subject to in the multiple jurisdictions in which we operate. With the second, we will create a suitable knowledge base of our personal data. These are the prerequisites for proposing a disposal plan.”
Obviously, establishing these high-level parameters will require doing some background work first: understanding the concerns of senior management and making some meaningful assessment of the organization’s current state. But, the time and place to discover and agree the initial objectives and activities – to get the program quickly underway – is not in a program steering committee or a presentation to senior management. “Measure twice; cut once”…and get going.