Sunday, January 27, 2013
Information - Governance, Risk and Compliance – GRC - Part 1
Governance is about securing information and also about using information for greater value. People don’t talk much about the value of information, but information is a strategic asset of a company.
What makes a company great among other things is the ability to take information and use it as an asset. Information is what drives an organization, whether it is through development of new drugs, new products, looking into new geographic regions to expand to, etc.
Governance is like an insurance policy that you feel you are paying for nothing, until you need it. You don’t know when or if an “accident” will happen and you don’t know how big it will be, but when it does happen, you are very happy that you have that insurance policy. Until then you resent having to pay for it. Governance, in the form of controls, is your insurance policy.
Poor KM can be costly in terms of fines, brand reputation, and legal fees. In the case of legal discovery, the lack of documents means a disaster. The absence of document controls will result in violations of regulatory compliance.
To an increasing extent, organizations are focusing on risk management as a central issue in the GRC equation. Enterprise Risk Management (ERM) is now a bigger driver for GRC than Sarbanes-Oxley or other compliance requirements. Organizations want a top-down view of risk, whether it results from non-compliance or from operational issues, and they want to know what is being done to mitigate it. ERM is increasingly considered a strategic tool to support governance and improve business performance.
Governance and compliance are essential business functions. Risks need to be understood and managed. Risk management does not mean that every risk can be anticipated, but it can plan for risk and have alternatives ready.
Information governance means effective content controls that allow all information to be securely and properly shared across departments, geographic locations, and systems.
Organizations need a closed loop environment for assessing business risks, documenting compliance and automating control monitors to sift through their business systems.
For example, SharePoint is a widely adopted system for knowledge management. According to a recent AIIM report, more than 60% of organizations have yet to bring their SharePoint deployment in line with existing compliance, retention, and long-term archive policies.
To prevent potential exposure of sensitive or classified information, it is imperative for organizations to bring their SharePoint in line with existing compliance policies.
Benefits of information governance: it helps management enforce focus on the business mission; employees have information that is accurate, current, and in a format suitable for their use; employees are more efficient and productive; removing duplicate and unnecessary content reduces the time needed to find information and helps derive higher profits; operational cost is lowered; retention management optimizes the cost-effectiveness of storage platforms; legal fees are reduced in case of litigation.
Where to begin?
To start an information governance initiative, create a steering committee – CIO, legal officer, compliance officer, and other main stakeholders.
Outline the scope, timeline, and budget.
It should be rolled out from the top. This way everybody will be on the same page.
Have a strategy. Strategy should drive what is measured and monitored for compliance and performance.
Information governance strategy must account for the value of information and how it is classified and accessed.
Information governance policies should support all of the organization’s governance controls – retention, disposition, legal hold, data privacy and security.
Policies need to be scalable, enforceable, and measurable. It is better not to have a policy than to have a policy which can’t be enforced.
Policies should change in response to new business requirements, regulatory demands, rising costs, and litigation. Companies must have a process to update, validate, deploy, and enforce these policies. They should be deployed without negatively impacting users and operations.
Rank the value of information depending on its type and where it is coming from. For example, information created by the VP of sales should be ranked higher than information created by a marketing intern.
More about governance in the next post.