
Sunday, January 27, 2013

Information - Governance, Risk and Compliance – GRC - Part 1

Governance is about securing information and also about using information for greater value. People don’t talk much about the value of information, but information is a strategic asset of a company.

What makes a company great among other things is the ability to take information and use it as an asset. Information is what drives an organization, whether it is through development of new drugs, new products, looking into new geographic regions to expand to, etc.

Governance is like an insurance policy that you feel like you are paying for nothing, until you need it. You don’t know when and if an “accident” will happen and you don’t know how big it will be, but when it does happen, you are very happy that you have that insurance policy. Until then you resent having to pay for it. Governance, which means controls, is your insurance policy.

KM can be costly in terms of fines, brand reputation, and legal fees. In the case of a legal discovery, the lack of documents means a disaster. The absence of document control will result in regulatory compliance violations.

To an increasing extent, organizations are focusing on risk management as a central issue in the GRC equation. Enterprise Risk Management (ERM) is now a bigger driver for GRC than Sarbanes-Oxley or other compliance requirements. Organizations want a top-down viewpoint on risk, whether it results from non-compliance or operational issues, and want to know what is being done to mitigate it. ERM is increasingly considered a strategic tool to support governance and improve business performance.

Governance and compliance are essential business functions. Risks need to be understood and managed. Risk management does not mean that every risk can be anticipated, but an organization can plan for risk and have alternatives ready.

Information governance means effective content controls that allow all information to be securely and properly shared across departments, geographic locations, and systems.

Organizations need a closed-loop environment for assessing business risks, documenting compliance, and automating control monitors to sift through their business systems.

For example, SharePoint is a widely adopted system for knowledge management. According to a recent AIIM report, more than 60% of organizations have yet to bring their SharePoint deployment into existing compliance, retention, and long-term archive policies.

To prevent potential exposure of sensitive or classified information, it is imperative for organizations to bring their SharePoint in line with existing compliance policies.

Benefits of information governance: it helps management enforce focus on the business mission; employees have information that is accurate, current, and in a suitable format for their use; employees are more efficient and productive; removing duplicate and unnecessary content reduces the time needed to find information; profits are higher; operational cost is lowered; retention management optimizes the cost-effectiveness of storage platforms; legal fees are reduced in case of litigation.

Where to begin?

To start an information governance initiative, create a steering committee: the CIO, legal officer, compliance officer, and other main stakeholders.

Outline the scope, timeline, and budget.

It should be rolled out from the top. This way everybody will be on the same page.

Have a strategy. Strategy should drive what is measured and monitored for compliance and performance.

Information governance strategy must account for the value of information and how it is classified and accessed.

Information governance policies should support all of the organization’s governance controls – retention, disposition, legal hold, data privacy and security.

Policies need to be scalable, enforceable, and measurable. It is better not to have a policy than to have a policy which can’t be enforced.

Policies should change depending on new business requirements, regulatory demands, rising costs, litigation. Companies must have a process to update, validate, deploy, and enforce these policies. They should be deployed without negatively impacting users and operations.

Rank the value of information depending on its type and where it is coming from. For example, information created by the VP of sales should be ranked higher than information created by a marketing intern.

More about governance in the next post.

Friday, May 25, 2012

Enhancing SharePoint Through Information Governance

According to Microsoft, every day for the past five years 20,000 new SharePoint users have been added. As one of the most popular departmental content management solutions, SharePoint silos are now littering the organizational landscape with little or no centralized control. Enterprises are seeking to do more with less, leverage what they already own, and take advantage of SharePoint 2010 functionality.

Technologies are available to tag content, classify it to organizational taxonomies, preserve and protect information through the automatic identification of records and privacy data, and serve as a migration tool. These building blocks work well in the SharePoint environment and add functionality transparently to the end user.

Building Block #1: Metadata

An enterprise metadata repository is the primary building block in the framework, enabling the proactive management of content. This component is tightly integrated with the management of the content life-cycle. Enterprises struggle with managing content, a struggle that stems from the end user's inability to accurately and consistently tag content for search, storage, records identification, and archiving purposes. Most organizations still rely on the end user for appropriate tagging. Only by eliminating the human factor can enterprise metadata management be achieved and, subsequently, content life-cycle management.

Through automatic semantic metadata generation and auto-classification as content is created or ingested, the taxonomy component integrates well with Term Store to seamlessly manage the metadata. With end-user tagging eliminated, a comprehensive metadata repository can be easily developed, deployed, and managed.

Building Block #2: Search

For many organizations, content exists in numerous locations, on diverse repositories, and replicated across various silos. Most end users are unable to find relevant information to support business objectives, resulting in the inability to re-use and re-purpose content. This leads to impaired decision making and decreased organizational agility.

Whether the enterprise search is SharePoint or FAST, the delivery of meaningful results depends on the ability to effectively index and classify content and utilize taxonomies to better manage the content. The search engine provides the features, functions and interface, while the technologies provide the tagging and classification structure to deliver relevant results.

Building Block #3: Governance

The enterprise governance structure allows employees to work in the most efficient and effective way possible by giving them access to information in a controlled and secure manner. This building block consists of tools that ensure information quality, maintain content life-cycle, address the retention and disposition of records, secure and protect privacy, and establish standards when dealing with information.

Building Block #4: Policy

The application of policy must be deployed from an enterprise perspective and address the entire portfolio of information assets. The technology identifies concepts, records, and privacy data. Assignment of custom content types and workflows can be initiated for disposition, greatly reducing user involvement. This solution ensures consistency, improves record-keeping, and enables the establishment of monitoring and auditing processes to ensure proof of compliance and data protection.

Building Block #5: Privacy

The demarcation of who is responsible for the protection of privacy data is becoming blurred. Each business function, such as legal, human resources, and product development, may have a unique view of what is confidential. It remains the responsibility of the organization to set the policies and of the stakeholders to protect and hold confidential certain information.

By leveraging content types to drive information rights management, coupled with automatic semantic metadata generation and organizationally defined descriptions, unknown privacy exposures can be identified and processed automatically to the appropriate repository for disposition.

Building Block #6: Enterprise and Web 2.0

SharePoint provides technology to implement collaboration tools. These tools encourage collaboration and link employees, partners, suppliers, and customers to share information. Adding structure to chaos provides more control of collaboration, while giving the audience the ability to interact and share information. With control added via classification and an integrated view of organized content provided through the taxonomy structure, end users still have the ability to freely contribute and the enterprise can more effectively use these tools as a business advantage.

Thursday, January 12, 2012

Information Governance Uncovered

Content management is useless without information governance. In fact, it does not exist. You cannot successfully manage content if you don't have policies and procedures in place to govern it.

In my previous post on information governance, I mentioned that information governance is a set of structures, policies, procedures, processes, and controls implemented to manage information at an enterprise level, supporting an organization's immediate and future regulatory, legal, risk, environmental and operational requirements. Let's look closely at these structures, policies, procedures, processes and controls.

Content Types

Before uploading content into your CMS, you need to determine what types of content you have now and/or will have in the future. Knowing this will help you to set up the taxonomy and metadata accordingly and to make sure that your CMS contains documents that you would expect to find there. Uploading documents that are not included in your content types list would create havoc in your CMS. If you have multiple systems in place such as document control systems, CRM, ERP, etc., you need to determine what documents each system will contain and what interactions these systems will have with each other.

Document Owners

You have a content management system (CMS) in place and you have uploaded your documents there. And you keep uploading them. At some point in time, you are going to have thousands of documents in your CMS. Well, they can't just stay there indefinitely without somebody taking some action about these documents such as update, move to the archive, delete, etc. In addition, when users look at these documents, they may have questions about content of these documents. Somebody has to own these documents. Each document should have a document owner. It could be a group name. The document owner should be entered into the document metadata. This will allow users and the CMS administrator to find owners of documents.

Retention Schedule

If you upload documents into your CMS and do nothing about them, the time will come when your search for documents will retrieve obsolete documents, which will flood the system. In order to prevent this from happening, a retention schedule needs to be put in place. Determine document types for your content. For each document type, determine the period of time during which this document type is current and active.

For each document type, set up a workflow which would trigger an email to the administrator that this document type has reached an expiration date. This workflow is based on the expiration date of the document type. Upon receiving this email, the content administrator should contact the document owner who would make a decision whether this document needs to be reviewed and updated, moved to archive, or deleted. If the document is reviewed and updated, re-set the workflow for the next period of time.

Change Management and Control

When you set up taxonomy, metadata, naming conventions, system functions, etc., they should not be changed arbitrarily. There should be a procedure in place for change management. Changes like these should go through a workflow and be approved. In addition, user feedback should be obtained.

Naming Conventions

For each document type, you need to establish naming conventions. Users should be able to have a very good idea what the document is about without opening it. This would save a lot of time for users.

Approval and Publishing Documents

Set up a workflow for content approval and publishing documents. Users upload documents and populate metadata. They may upload documents in the wrong place or enter the wrong metadata. These errors would impact search and browse functions. The administrator should check to make sure that the document has been uploaded into the correct place and the correct metadata is entered. Errors should be corrected before the document is published.

Time for Check-out Documents

In a CMS environment, users need to check out documents if they need to edit them. They may check out documents and leave them checked out for a long time. While documents are checked out, other users can't edit them. Set up a policy with the time frame that users can have their documents checked out to them. Monitor checked-out documents. If you see a checked-out document with an expired check-out time frame, contact the user and request that the document be checked in. You can also check in the document yourself or discard the check-out.

Permissions

Determine your user groups. For each document type, determine which permissions your user groups should have, e.g. read and write or read only. It is highly recommended that only the CMS administrator has full permissions to the system. Users should not be allowed to change the system.

These are the main and most important procedures. Depending on your specific requirements, you may have other procedures in place. Set them up from the very beginning of your CMS deployment and educate your users about them. Create these procedures with user feedback. When users provide their feedback to you, they will agree with these procedures and will follow them.

Monday, December 19, 2011

Information Governance

Information is the lifeblood of any modern-day business. Companies succeed or falter based on the reliability, availability and security of their data. A company's capacity to handle information depends upon a variety of factors, including engaged executives and a company culture that supports collective ownership of information.

However, strategically created enterprise-wide frameworks that define how information is controlled, accessed and used are the most critical elements in a successful information management program. This framework is information governance.

Information governance is the set of policies, procedures, processes, roles, metrics, and controls implemented to manage information on all media in such a way that it supports an organization's immediate and future regulatory, legal, risk, and operational requirements. It treats information as a valuable business asset and ensures the effective and efficient use of information in enabling an organization to achieve its goals. Information governance is a holistic approach to managing corporate information.

Organizations with good information governance know the who, what, when, where, why and how of their information:
  • What is this information?  
  • Who has access to this information? 
  • When was this information created or processed? 
  • Where is the information stored? 
  • What information is being retained? 
  • How long is it retained?
  • How is this information being protected?
  • How are policies, standards, and regulations enforced?

The goal of a holistic approach to information governance is to make information assets available to those who need them, while streamlining management, reducing storage costs and ensuring compliance. This, in turn, allows the company to reduce the legal risks associated with un-managed or inconsistently managed information and be more agile in response to a changing marketplace.

When a company fails to manage its information properly, it puts itself in jeopardy of violating compliance rules, damaging its brand equity, and paying hefty fines.

To implement or strengthen information governance, consider the following:
  • Define procedures, processes, and controls with user feedback. When users participate in creating processes and procedures, they will agree with them.
  • Be clear at the outset about roles, responsibilities and accountability across the organization. Establish a central governance body with decision-making authority and cross-functional and geographic representation. Committees should plan to meet regularly and be sufficiently small and empowered to make decisions swiftly.
  • Top-down support is critical to the success of any information governance strategy. Senior management should be briefed regularly on projects and progress related to information governance.
  • Establish formal and ongoing training to make employees aware of new policies and procedures and the reasoning behind them. Develop training sessions and annual governance refreshers to ensure that the entire organization is in line with the information governance framework.
  • Enforce standards with flexibility. While some policies and procedures should be universal, certain business units and regions may need some leeway when it comes to process particularities. They should be free to determine the best course of action within the overall governance boundaries.

The future of information governance depends on continually evaluating policies and adapting them as business priorities and market conditions evolve. Just as an effective corporate governance strategy can yield competitive advantages, effective information governance can turn information into a more consistent generator of business value.