
  • September 15, 2017
  • By Robert Cruz, Senior Director of Information Governance, Actiance
  • Article

Best Practices in Information Governance

Information Governance—as a discipline—has undergone a strange and wild ride over the past couple of years. Finally, we have moved past endless debates on definitions and usable frameworks, thanks to the efforts of the Information Governance Initiative (IGI) and other IG leaders and practitioners. Finally, information governance appears to have separated itself from failed enterprise content management (ECM) concepts and early, seven-figure, ocean-boiling IG projects to “defensibly dispose” of digital ROT (and, BTW, simply relabeling ECM as “content services” provides little utility other than the nostalgic value of harkening back to FileNet circa 2006). And, finally, IG seems to have carved out some form of peaceful coexistence with information security as more firms have recognized the two are interlinked by the concept of “information risk.”

But, what have we learned that can be elevated to the stature of “best practice” in information governance? Touring the country in recent years and talking with Compliance, Risk Management, and eDiscovery executives has led me to a few practices that I’d like to highlight.

1. Information Value and Risk are Everywhere

More firms have come to the realization that governing content that has value is not just about files, documents, or email. Some have learned the hard way that a Tweet can contain advertising for a product that is outside of FDA approval guidelines, or that a Facebook post can contain non-public information subject to SEC Regulation Fair Disclosure, or that a text message can be sent with content that violates data privacy laws. Others have simply recognized that sensitive, high-value content might be carried in any number of communications tools that have enabled employees to do their jobs, whether in the form of voice, video, messaging, or another app.

In fact, one major bank indicates that they sent more IM than email last year. A recent survey from PwC also finds that more than 40 percent of respondents feel that a social media presence is important in their choice of a healthcare provider. And, today, WeChat has over 1 billion users around the world—including a dramatically growing number of business users. The reality of information governance in 2017 is that it needs to consider the fact that content containing business records or sensitive information can be anywhere, including the cloud.

2. Your Policies Need to Reflect Today’s Communications

Have you touched your employee communications or records retention policies lately? If not, it may be time to dust them off to ensure that you are keeping up with the ways that individuals are doing their jobs. Policies designed for email may need re-inspection to reflect specific ways these rich tools can be used by employees. Similarly, retention policies may be worth a touch up as you consider the possibility that a conversation that includes information covered under a non-disclosure may be taking place right now on Skype for Business. In fact, according to the Information Governance Initiative’s Annual Survey (of which Actiance is a sponsor), projects to update retention policies are among the most common IG initiatives that firms have undertaken.

However, the issue is not just about retention policies. Many organizations have policies that require that content be inspected before delivery, sometimes referred to as “pre-review” or “moderation.” Policy violations that are surfaced (such as the mention of an investment guarantee in financial services) can lead to action from a compliance reviewer to block that message, escalate to senior management, or to notify and warn the sender of the violation. Other policies may require that specific individuals not communicate with other specified groups, for example, individuals within a tax department of a consultancy may not communicate with those in the advisory services department.

In each of these scenarios, organizations should be actively evaluating how existing policies can be applied to each new channel of communication. Additionally, when new tools introduce new capabilities, firms should determine if they need to 1) adjust policies, 2) explore how those new features can be controlled, or 3) disable those features. A common example is organizations deploying a tool such as Microsoft Skype for Business, where the App Sharing feature may be one that the organization needs to evaluate considering existing policies.

3. Employees Need to be Directly Engaged in Design of Information Governance Training

Given today’s feature-rich communications tools, IG leaders need to work closely with end users to understand how specific roles will make use of key features. For example, it may be advantageous for salespeople to collaborate with prospects over video, so governance policies should outline accepted and prohibited uses of tools like this with input from individuals whose jobs require those tools to interact with prospects. Similarly, individuals with access to information with high business value (e.g., intellectual property or data covered under non-disclosure agreements) should be consulted to understand how they might leverage new collaborative tools so that policies can be defined accordingly.

Since new tools with new features are emerging on a regular basis, training should be ongoing to keep pace with newly deployed technologies, and in a fashion where end users can share and promote best practices in use of those tools—and governance policies can be further refined.
