1. Navigating the Maze of
Information Governance
IG Start Here
Diane E. Walker, CRM, CMC
3. Presenters
Robin Athlyn Thompson, CEDS | Vice President, Marketing | Business
Intelligence Associates | Phoenix
• ACEDS Advisory Board
• ACEDS Phoenix Chapter Vice President
• Manages BIA educational webcasts and strategic private briefings
• Stevie Award winner for lifetime achievement in e-discovery, information
governance and RIM
Diane Walker, CRM, CMC | Manager of Records and Information |
McDermott, Inc. | Houston
• Helps Fortune 500 companies develop and manage records and
information resources
• Appointed as one of six international judges for ARMA International’s
prestigious Cobalt Award in 2008
• Participated in development of the Information Governance Professional
Certification
4. What is Information Governance?
• IG is an overarching discipline that encompasses a variety of key
concepts:
• Regulatory Compliance
• Risk Management
• Records and Information Management (RIM)
• Content Management
• Data Governance
• Information Security
• Data Privacy
• Litigation Readiness
6. Why Does IG Make Sense?
• Organizations need ONLY keep/manage the information they need, for
as long as the information has value… PERIOD
• Improved security, visibility, and access to information enhances
productivity
• Courts and regulatory agencies expect a fiduciary duty of care (SARBOX,
HIPAA, GLBA, FTC, EAR, Basel II, Litigation Hold Orders, etc.)
• Risk mitigation and the overall awareness that an IG program offers can
have a positive effect on the bottom line
• It will never get easier
• Edward Snowden
8. Information Risk & Compliance
• Monitor Legal & Regulatory Landscape
• Identify Internal and External Compliance Requirements
• Prepare Risk Profile
• Conduct a Risk Assessment
• Develop Risk and Compliance Metrics
• Create a Mitigation Plan
• Manage the Risk Mitigation Process
• Conduct a Risk and Compliance Audit
9. Information Risk & Compliance (Duties, Tasks, Steps)
Legal & Regulatory Landscape | ID Internal & External Compliance | Prepare Risk Profile | Conduct a Risk Assessment | Develop Risk and Compliance Metrics | Create a Mitigation Plan | Manage the Risk Mitigation Process | Conduct Risk and Compliance Audit
Engage w/Legal & Stakeholders
Investigate Industry Practices
Collaborate and Consult with Stakeholders
ID Risk Assess Methodology
Define Compliance Success
Conduct a Cost Benefit Analysis
Monitor & Update Metrics
Develop Audit Framework
ID & Interpret Laws (All Jurisdictions)
Review Business Practices
ID Management’s Risk Tolerance
ID Stakeholders
ID Measurement Methodology
Prioritize Risks to Mitigate
Respond to Anomalies
ID Resources for Audit
ID Resources for Current Development
Collaborate w/internal Stakeholders
Create Risk Profile Document
ID and Collect Resources
ID Non-Compliance Triggers
Develop Methodology for Mitigation of Risks
Communicate with Stakeholders
Assign Audit Responsibilities
Document Relevant Laws & Regulations
Conduct Benchmarking
Obtain Stakeholder Signoff
Develop Interview Materials
Conduct Ongoing Gap Analysis
Communicate Mitigation Plan to Stakeholders
Modify Risk Mitigation Program As Needed
Oversee Audit Performance
Establish Review Process
Interview and Collect Data
Document Metrics
Provide Implementation Assistance
Analyze Audit Results
Analyze Risk Data
Present Metrics to Stakeholders
Monitor Implementation of Mitigation Plan
Present Findings & Recommendations to Stakeholders
Prepare Risk Assessment Report
Obtain Signoff on Metrics
Update Risk Mitigation Plan on Audit Findings
Obtain Signoff
10. IG Strategic Plan
• Align Resources to Develop
Plan
• Analyze Internal Drivers
• Analyze External Drivers &
Trends
• Develop a Strategic Plan
11. IG Strategic Plan (Duties, Tasks, Steps)
Align Resources to Develop Strategic Plan | Analyze Internal Drivers | Analyze External Drivers & Trends | Develop Strategic Plan
Obtain Executive Sponsor
Incorporate Enterprise Strategic Plan into IG Plan
ID Technology Needs
Define Strategies Based Upon Collected Information
ID Stakeholders
Incorporate IT Strategy Into IG Plan
Identify Information and Data Trends (e.g., information types and new data formats)
Prioritize Strategies
ID Roles and Responsibilities
Incorporate Business Plans into IG Plan to Maximize Business Improvement Opportunities Through Governance Efforts
Identify External Dependencies
Align Goals to Strategies
Incorporate Corporate Culture Into IG Plan
Evaluate Economic Environment/Conditions
ID Initiatives to Achieve Goals
Incorporate Corporate Risk Tolerances Into IG Strategic Plan
Evaluate Political Environment
Define Critical Factors
Incorporate Cost Benefit Analysis Into IG Plan
Evaluate Legal and Regulatory Environments
Define Measurement for Success
Review Constraints (e.g., financial, time, resources, legal)
ID Industry Best Practices & Trends
Write the Strategic Plan
Evaluate Competitive Landscape
Review with Stakeholders
Obtain Approval for Strategic Plan
Regularly Review and Update Plan as Needed
12. IG Framework
• Conduct Due Diligence to ID Standards
to Guide the IG Framework
• Establish Enterprise IG Policies and
Standards
• Develop Authority Roles and
Responsibilities
• Develop Communications and Training
• Develop Auditing and Enforcement
Mechanisms for the Framework
13. IG Framework (Duties, Tasks, Steps)
Conduct Due Diligence to ID Standards | Establish Enterprise IG Policies and Standards | Develop Authority Roles & Responsibilities | Develop Communications & Training | Develop Audit & Enforcement Mechanisms
Evaluate External Standards, Guidelines, Technical Reports, Best Practices
Define Discrete Policies and Standards
Define Authority, Roles and Responsibilities
ID Communication Audiences
Establish Auditing Criteria and Metrics
Evaluate Internal Policies, Standards, Guidelines, Technical Reports, Best Practices
Validate against Organizational Goals & Objectives
Assess Role Requirements
Draft Communication Plan
Establish Enforcement Mechanisms
Select Standards, Guidelines, Technical Reports, Best Practices
Draft Internal Policies and Standards
Review Roles with Stakeholders
Document the Selection Process
Review Draft Documents with Stakeholders
Obtain Role Assignment Approval From Steering Committee
Review and Verify Selection with Stakeholders
Obtain Approval and Signoff
Assign Authority, Roles and Responsibilities
14. Establishing The IG Program
• Establish Program Scope,
Mandate and Reporting
• Assign Accountabilities
• Implement The IG
Program
• Manage the IG Program
15. IG Program (Duties, Tasks, Steps)
Establish Program Scope, Mandate & Reporting | Assign Accountabilities | Implement the IG Program | Manage the IG Program
Engage Executive Leadership and establish Primary & Secondary Organizational Structure
ID IG Program Roles & Responsibilities
Develop Communication Plan for the IG Program
Monitor the Adoption of the IG Program
Define IG Program Mandate and Scope
Assign IG Program Roles and Responsibilities
Implement a Change Management Plan for the IG Program
Evaluate Effectiveness of the IG Program
Establish Appropriate Funding and Resources
Provide Training of Assigned Resources
Evaluate and Align Resources
Establish Ongoing Executive Reporting
Report to Management
Obtain Executive Management Signoff
16. Business Integration and Oversight
• Define Current State of Business
Processes
• Define Current State of
Technology Use in Business
Process
• Align IG Framework with
Business Area Requirements
• Guide Information Management
Decisions
17. Business Integration & Oversight (Duties, Tasks, Steps)
Define Current State of Business Processes | Define Current State of Technology Use in Business Process | Align IG Framework with Business Area Requirements | Guide Information Management Decisions
Interview Business Areas
Identify Business and Technology Stakeholders and Users
Identify Strategic Goals of the Enterprise
Develop an Ongoing Participation Process
Review Current Business Environment (e.g. culture, systems, processes)
Survey and Interview Technology Stakeholders and Users
Identify Strategic Goals of the Business Areas
Develop an Ongoing Approval Process
Identify Information Needs of the Business
Collect and Analyze Data
Collaborate with each Business Area to Develop IG Framework
Implement a Participation and Approval Process
Document Current Environment and Desired State
Identify Gaps
Review and Approve Each Business Area IG Framework
Address Gaps Through Responsible Channel
Draft Detailed Change Management Process as Required
18. Align Technology with IG Framework
• Identify How Technology is
Used in the Business
• Monitor & Evaluate Technology
Trends
• Evaluate Hardware, Software
and Data Life Cycles
• Align IG Strategic Plan and
Framework with the IT Strategy
and Operations
19. Align Technology With IG Framework (Duties, Tasks, Steps)
ID How Technology is Used in the Business | Monitor and Evaluate Technology Trends | Evaluate Hardware, Software and Data Life Cycles | Align Strategic Plan and Framework with the IT Strategy and Operations
Review IT, Information Asset Inventory or Register, Architecture and Strategic Plan
Review Existing Policies Pertaining to Information
Review General Technology Trends in the Markets (e.g., Cloud Computing, Social Media)
Review IT Procurement Procedures
Review Goals of IT Organization
Review Technology Adoption
Review Help Desk Strategy
Evaluate General Technology Trends for IG Implications
Incorporate Information Governance Requirements to IT Procurement Process
Assess and Analyze IT Goals
Review Back Up Strategy
Review Technology Outsourcing Strategy
Review Implications with Stakeholders in Accordance with IG Framework
Incorporate Information Governance Requirements to IT Development Process
Collaborate with IT to Develop Strategy to Incorporate Information Governance Requirements Into Existing Systems
Review Disaster Recovery Strategy
Review Content Retention & Disposition Strategy
Review Technology Trends Specific to IG in the Markets (e.g., Record/Content Management, Applications, Developing Standards, Data Discovery, Storage, New Data Formats)
Incorporate Information Governance Requirements Into System Requirement and Data Migration Processes
Collaborate with IT to Incorporate IG Requirements Into Legacy Systems
Review Privacy Strategy
Review Digital Preservation Plans*
Participate in the Evaluation of IG Specific Technologies
Incorporate Information Governance Requirements to Decommissioning Process
Collaborate with IT to assist in System Upgrade and Replacement Strategy
Review Information Mobility Strategy
Review IG Specific Technologies with Stakeholders in Accordance with IG Framework
Review Information Storage Practices (hard copy, digital, microforms)
Review Use of Vendors and Outsourcing
* = To Ensure Data Quality Through Integration of New Technologies to Enhance Business Operations (e.g., Master Data Management, Metadata Management)
20. References
• Sailing in Dangerous Waters – A Director’s Guide to Data
Governance (Michael Power & Roland Trope)
• Information Governance – Concepts, Strategies & Best
Practices (Robert Smallwood)
• Chucking the Daisies (Randolph Kahn)
• ARMA International - IG DACUM Chart
• The Sedona Conference –
WWW.TheSedonaConference.com
• EDRM.net
• ARMA.org
• AIIM.org
21. Thank You!
Diane E. Walker, CRM, CMC
Walker.Diane.CRM@Gmail.com
281-799-8910
Editor's Notes
And this is something we are very excited about… ACEDS will be holding its annual conference September 29 to 30 at the Gaylord National Resort in Washington, DC. A live certification prep course will precede the conference on the 28th. And we expect another first-class show. We’ve announced a number of great speakers, including US Judges Xavier Rodriguez, Paul Grimm, David Waxse, and Thomas Vanaskie, who sits on the Third Circuit Court of Appeals. Last week, we announced that retired US magistrate Judge Nan Nolan, who is now at JAMS, will be presenting. And we’ve posted several new panels as well. To learn more and to register at super early bird rates, you can visit e-discoveryconference.com.