Information Governance @ Work

In the late 1500s, privateer and explorer Martin Frobisher embarked upon a journey that would net him fame—Frobisher Bay is named for him—but not much fortune. His travels took him to what is now Canada, where he claimed Baffin Island for the Crown because of the vast amounts of gold he found there. He was so convinced he had found great riches that he continued to make multiple trips with increasingly more ships to mine and send the ore home for safekeeping. Queen Elizabeth I even ordered quadruple locks in the Tower of London to guard the trove.

Unfortunately for all, however, what Frobisher had so diligently worked to procure, transport, and store was nothing but iron pyrite—fool’s gold. Once it was discovered that his cache was not real gold, an Italian alchemist was engaged to work his magic and transform the worthless rocks into the gold everyone desired. Needless to say, he was unsuccessful.

I was reminded of this story while attending the Information Governance Conference recently in Connecticut.

 will be missed, but his wisdom will endure. Who else could have observed “No one goes there nowadays. It’s too crowded”? The information governance equivalent is “No one has information anymore. There’s too much of it.” In the last decade we have witnessed the systemic utilitization of computing power. Data used to be housed predominantly within a company’s own systems, but now, through remote storage, SaaS, PaaS, and other cloud solutions, more and more information is hosted by third-party providers. Also, as marketplace forces compel organizations to leverage or outsource functions that used to reside internally, operational service providers increasingly create, receive, maintain, and process information on the organization’s behalf.

It follows that information governance (the organization’s approach to satisfying information compliance and controlling information risk while maximizing information value) can no longer simply be an internally-focused exercise. IG “has come to a fork in the road, and must take it.” Service provider selection, contracting, and oversight are now primary vehicles of information governance – because when it comes to governing your organization’s information, “the future ain’t what it used to be.”

With a click of a button, a former employee can communicate to a large audience of connections made during his career. Such communications often involve the former employee enticing co-workers or customers to follow them to the new employer. If left unrestricted, a former employee’s social media use can damage the former employer’s customer and employee relationships. To protect relationships with employees and customers, employers should include a social media provision in their non-solicitation agreements.

Last Friday, when Amazon’s market cap pushed past Walmart’s, the headlines almost wrote themselves – “Internet Retailer Amazon Topples Traditional Retailer Walmart,” or the like. The lead angle? Amazon’s information-based business model had surpassed Walmart’s old-school, bricks and mortar business concept. Just one problem – totally wrong lead, with the totally wrong point.

A busy examiner, working on 15-20 other cases, sets a file aside in the “delayed/pending” queue while awaiting information, and a gun is sold and nine people died. A utility transferred responsibility for recordkeeping functions to its distribution business unit, files containing information about pressure and strength tests were not kept current, and an explosion kills eight. Computer files are accidentally deleted from an Airbus plane and three of its four engines shut down, causing a crash that kills four.

What do these seemingly disparate events have in common?

Old-school company intranets are like soooo boring. Why not juice things up? Sure, we’ll keep the one-directional content (employee policies, company announcements, etc.), but let’s add a dynamic platform for employee interactive training modules, capturing employee responses and quiz results. Why stop there – how about a message board for employees, to turn dull company communications into an energized conversation? And in today’s mobile world, shouldn’t we enable remote access from anywhere our employees happen to be, 24/7? What could possibly go wrong?

Well … a whole lot will go wrong, unless the company first applies an information governance perspective. So let’s ask a few questions to explore what information risks and compliance issues are at play.

I met this grumpy fellow in Sabi Sands, South Africa, and took this picture with my phone (nope, no zoom… wish he’d been further away). The experience reminded me of the fable about the Blind Men and the Elephant, a classic allegory for how we often do not perceive the big picture, but instead only the part we directly encounter. This fable has become a useful metaphor for Information Governance. In so many organizations, individual departments and functions have their own, limited perspectives on information, seeing only the issues and objectives with which they are directly familiar. Limited perspective yields limited perception – not a good thing for identifying, understanding, and controlling organizational risk. Information Governance is the means through which organizations can bridge across such silos and perceive the big picture of information compliance, risk, and value.

Actually, I prefer a different version, restyled as the Blind Elephants and the Man.

Once upon a time—back when paper ruled—junk mail was clearly junk.  We easily separated the bills from the ads, and it never crossed our minds to save the ads “just in case.”  Fast forward to today’s digital world, and we find that not only are we doubling the volume of data every two years, we are outpacing our storage and, arguably, our ability to manage it. We’re keeping the “ads” and a whole lot more.

While governing my information (yep, cleaning up old email and files), I came across one of my early white papers on Information Governance, from 2010:  The Information Governance C Change. It can be cringe-inducing to revisit old material, but this piece seems as valid today as five years ago:

“Companies are awash in an ocean of data. E-mail servers are overflowing, troves of legacy data and documents are accumulating, rogue IT is proliferating, and social media and other Web 2.0 usage is seeping into the workplace. These same companies are also experiencing a sea change in their information compliance environment. E-discovery costs and exposures continue to mount, while courts’ expectations are escalating for compliant preservation, collection, and production of ESI. And new laws and regulations are expanding the reach of information privacy and security requirements to a broader range of entities and business operations.

So, your organization has committed to Information Governance, and you’ve been tasked with making it a reality. Now what?

You’ll need a framework on which to build your program, a platform that will help you bridge across siloed functions (IT, InfoSec, Legal/Compliance, Records Management, Internal Audit, Operations…) and siloed perspectives (privacy, data security, records & information management, litigation discovery…). You’ll also need to come to grips with three persistent barriers to operationalizing Information Governance: