Best practices for building an information governance program that will last
This Q&A with Aaron Bryant, PMP, is based on a series of interviews I’m conducting with thought leaders who are steering their organizations through the challenges of developing an information governance program.
Over the last 15 years, Aaron has run IG programs and designed, implemented and maintained information management systems to support them. He has worked as a mid-level manager and an executive, most recently as chief information governance officer (CIGO) at Washington State Department of Health. His experiences in these roles and his differing levels of success have informed his thoughts on what it takes to build a successful information governance program. Aaron is also a CGOC Faculty Member.
For this article, I asked Aaron about the signs that an IG program is in trouble, what the keys to success are, and how to overcome the obstacles to that success.
Information Management: Information governance is tough. What’s the one bit of advice you’d give to a company that’s struggling?
Aaron Bryant: Get buy-in across the executive management team, and make sure there’s a hands-on, C-level executive leader in charge, not a manager. A mid-level manager just doesn’t have the power and influence to overcome resistance to change.
For example, a few years ago, as a law firm records manager, I controlled client data but not the firm’s administrative data, which was managed by IT. Since I had no influence to change the management structure, there was no opportunity to move the firm toward a comprehensive IG program.
In another instance, although I was a hotel chain’s records and information governance director, a lawyer who understood only the IG issues related to e-discovery took control of the company’s IG program. As a result, I had no ability to communicate at the executive level the broader perspective required for IG success, and a true IG program never got off the ground.
Today, as the CIGO of a government agency, I now have the influence and in some cases the authority to effect cultural change across the organization. For example, I created an IG steering committee with the power to impose IG best practices on people, processes and technology.
But even with an executive-level position, it’s critical to obtain support from other executives. Creating an IG program requires cross-departmental changes, including in data management, privacy and security.
These changes may require some departments or individuals to cede some control or responsibility to the IG program, and resistance to those changes can come from other executives. A single executive cannot set the overall organizational strategy for handling information and will likely not be able to overcome resistance at the top or resolve issues of misunderstanding and miscommunication. The more support there is at the executive level, the easier it will be to produce change.
The recent CGOC survey indicated that 72 percent of companies believe they have the appropriate level of executive support and leadership. This is great news, but it’s still important to make sure these executives are fully engaged.
IM: How can you tell if your IG program is in hot water?
Bryant: There may be many general and specific clues that an IG program is headed for trouble or will never have a positive impact on the organization. Consider:
- If you have to constantly explain what IG is, then there is a communications issue or possibly strong resistance to change.
- If you cannot clearly state your overall organizational strategy regarding information, then your program is fragmented, and IG will stall.
- If your IG leaders are not being included in organizational strategic planning conversations, then there are structural and support issues that will certainly prevent the IG program from progressing.
- If separate departments are launching data initiatives without working together, or if IT is implementing new systems for managing data—to support GDPR for example—without consulting the IG program, then your organization is still too siloed for effective IG.
IM: How do you pull together the right team to make an Information Governance program work?
Bryant: You need to create an IG steering committee that includes primary stakeholders from legal, records, compliance, privacy and security, IT, and HR. When I say “primary stakeholder,” I mean someone who has a vested interest or concern in the success of the organization and is affected by its actions, objectives and policies.
- Legal needs to be involved in managing data that flows to third parties as part of discovery.
- Records involvement is essential for helping to meet GDPR and other regulatory requirements.
- Compliance must track evolving regulations and help to ensure compliance across all the other groups.
- Today, no IG step can be taken without the involvement of the privacy and security teams.
- IT must understand the needs of all the other groups, and all groups must have input into technology selection.
- HR is essential because IG programs will fail without adequate employee training.
The members of the steering committee must be committed to the overall IG effort, not just the needs of their departments. In the past, I’ve found many steering committee members were assigned to the task but actually lacked commitment to the program, as well as the necessary knowledge and experience. In this case, trying to impose IG best practices is usually futile.
Clearly, one of the most important jobs of an IG program leader is to select the right people to support the program at the strategic and tactical levels.
IM: OK, you have your team in place and now it’s time to implement new policies. What do you do if you face resistance?
Bryant: You need to make the case for change by creating the conditions that cause change. The best way to do this is through policies and procedures driven by laws, rules, regulations, standards, guidelines and best practices for managing the lifecycle of information.
For example, I recently identified that a group within the agency had a process for storing information that resulted in multiple copies of PDFs being stored in multiple locations. I pointed out the IG issues with the process, but there was some resistance to change: “This is how we’ve done it for a long time, and there are good reasons for doing it this way.”
Instead of arguing about process, I focused on changing the RIM policy to address how document drafts and extra copies are managed and disposed of. With that new policy in place, when I do assessments across the agency, I can point to the compliance policy as the rationale for change. Groups are far more receptive to change when compliance with clear policies is at stake.
IM: Change is everywhere in the enterprise: the cloud, big data, AI. How will IG change over the next few years?
Bryant: Over the last decade, IG has really focused on defensible disposition of information. Today, privacy, such as the right to be forgotten, and security around data breaches are becoming major topics across all the groups responsible for managing information.
Over the next few years, I believe IG will shift its focus to how defensible disposition and IT intersect with privacy and security challenges. Collaboration will be the key to success.