Tuesday, August 30, 2022

Importance of Information Governance

The fact is that most people will either embrace or decline information governance depending on their individual situation at a certain point in time. Information governance is closely allied with privacy and security. Knowledge is an internal currency that needs to be managed wisely, which is where a governance procedure would be helpful.

It is entirely possible that someone might curse a rule as arbitrary while simultaneously recognizing the necessity of it from a security standpoint. Someone else could easily applaud relevant search results without actually realizing the role information governance played in facilitating that relevance. And there’s always “that guy” who complains regardless of whether the complaint is justified.

Information governance is an important and necessary component of modern organizations’ information infrastructure. It is our job, as information specialists and knowledge managers, to combat any negativity about information governance within our organizations and to manage expectations. Information governance is an integral part of both information technology and knowledge management. Together, they bring information governance forward onto that center stage.

With almost everyone in an organization contributing content, the role of information governance is ever more critical. Information governance is hardly an impediment to productivity; it’s actually a productivity enhancer. Risk management in the form of information governance, data security processes, and legal compliance stands center stage for organizations of all sizes and types.

Information governance is not just a good idea, created by computer geeks or imposed by legal departments. It is tied to international legislation about privacy, and that affects all organizations, whether they are involved in international trade or not.

Companies should be looking at information governance not in reaction to legislation but as an opportunity to reflect on what is good information life cycle management. 

Take archiving, for example. If data is archived in five different places, your potential exposure is multiplied by five. It’s also harder to determine which version is the most current and the most authoritative. Whether protecting your data comes first or having a streamlined archival system comes first is a chicken-and-egg question. The fact is it doesn’t matter—they can happen simultaneously and be of equal benefit to your organization.

It is a KM responsibility to accentuate the positive about information governance. It is good data management, not simply a bunch of random rules. Since it makes good business sense and should be presented as such, we need to foster a culture of compliance and to have both top-down and bottom-up support. We should make it easy for people to do the right thing, remove obstacles, build a stakeholder community, and incentivize them to comply. Removing obstacles, however, should not mean removing all obstacles. Policies should still restrict access to those qualified to view the data.

Retention policies should recognize that information has a beginning, middle, and end. It has been created, collected, used internally, shared inside the company and externally, and then it should have a defined disposition. Disposition might mean it is archived but it might also mean it is destroyed.

Organizations should comply with legal requirements and not dispose of information too quickly. On the other hand, hoarding information does not help with risk avoidance, either. If you think that information might have long-term implications, possibly to identify trends, you still don’t want that sitting in your content management system. Archiving it and getting it out of a production environment could be the answer, but if and only if you are not saving it simply for the sake of saving it.

Life cycle management of information starts with thinking about how information is created or collected. Did it come from internal sources? Was it gleaned from an external repository? Was it provided by customers? This will differ from company to company and even from one industry sector to another. Next is access policies: who is authorized to access and use the data. 

The point is to strike a balance between being punitive to the point of inhibiting compliance and restricting access to preserve privacy and security. Sharing information is an important component of modern information management and the cornerstone of KM, but excessive sharing creates more problems than it solves and sharing across national borders raises potential legal issues. Retention policies and disposition practices are integral to good information governance, as is the understanding of what can and should be shared.

Data without information governance practices in place can create operational, privacy, and security gaps that put company assets at risk. Once you know what your data is, where it is, who can access it, and who has accessed it, you can then make decisions about where it should reside. Data in a highly secure system may need fewer controls than data located in a cloud environment or a broadly available corporate intranet or website.

Depending on your information governance rules, data can be a valuable asset like gold or it can become toxic like asbestos. A true best practice approach requires a sustainable ecosystem where you derive value from the data you hold while protecting company assets.

In organizations around the world, almost every employee is now a content contributor. Social, mobile, and cloud technologies have made it easier than ever to share information both in and out of the organization. This influx of new content, however, brings about new risks. Legal systems and government regulators worldwide are clamping down and demanding greater compliance, particularly on IT systems, requiring that organizations quickly implement risk management protocols. Data is growing too fast to keep up, which creates both great opportunity and risk for all organizations.

Organizations must be vigilant in creating enforceable policies, training programs, and automated controls to prevent inappropriate access and to monitor appropriate access, use, and protection of sensitive data, whether they are regulated or not. Doing so will not only mitigate the risk of regulatory and statutory penalties and consequences, but will also help prevent an unnecessary erosion of employee or consumer confidence in the organization as the result of a breach or the loss of sensitive data.

Understanding Data Lifecycle Management

You can’t secure data you don’t know you have. Thus, a process of identification, value extraction, classification, and archiving needs to occur.

Whether data is generated by your organization or collected from a third party (such as a customer, vendor, or partner), the only way you can effectively protect it is by understanding it. For instance, does it contain customer information, employee information, intellectual property, sensitive communications, personally identifiable information, health information, or financial data?

Implementing a Best Practice Approach

1. Contemplate how data is created or collected by your company. You should think about excessive collection as well as how you will provide notice to individuals about that collection and appropriate levels of choice. You should also understand whether you need to keep appropriate records of that collection and creation.

2. Think about how you are going to use and maintain this data. Here you should consider inappropriate access, ensure that the data subjects’ choices are properly honored, address concerns around a potential new use or even misuse, consider how to address concerns around breach, and also ensure that you are properly retaining the data for records management purposes.

3. Consider who is going to share this data, and with whom they are going to share it. You should consider data sovereignty requirements and cross-border restrictions along with inappropriate, unauthorized, or excessive sharing.

4. All data must have an appropriate disposition. You should only keep data for as long as you are required to do so for records management, statutory, regulatory, or compliance requirements. You should ensure you are not inadvertently disposing of data while understanding that as long as you store sensitive information you run the risk of breach.

5. Understand the difference between what can and should be shared. A good program must continually assess and review who needs access to what types of information. Privacy and security teams should work with their IT counterparts to automate controls around enterprise systems to make it easier for employees to do the right thing than to do the wrong thing or simply neglect the consequences of their actions. Once you have implemented your plan, be sure that you maintain regular and ongoing assessments.

Discovery and Classification

Many companies worry about “dark data” or data that exists across their enterprise systems (file shares, SharePoint, social systems, and other enterprise collaboration systems and networks) and is not properly understood. Understanding what and where this data is and properly classifying it will allow organizations to set the appropriate levels of protection in place. 

For example, many companies apply their security controls in broad terms, using the same security procedures for everything. But logically, you do not need to put the same security protocols around protecting pictures from your company picnic as you do around protecting your customers’ critical infrastructure design or build information, credit card information, or your employees’ benefits information.

Data discovery will allow you to determine the origin and relevance of the data you hold, and determine its retention schedule. You will be better equipped to implement Data Loss Prevention effectively and in a tactical way. Data-aware security policies provide an opportunity for organizations to build a more layered approach to security, prioritizing where efforts (and costs) should be spent, and building multiple lines of defense.

This provides you with the ability to manage the life cycle of the data within your company, from creation or collection through retention, archiving and/or defensible destruction. You cannot block everything from leaving your company any more than you should encrypt every document you have. When security blocks productivity, employees find a way to go around it. The job of security is to help the business use data productively and securely.

Data-Centric Audit and Protection

Understanding and controlling data flows is a critical component of an effective rollout of information management strategies. Key components of an effective methodology should include:

  • Data inventories that help customers understand where their sensitive data resides.
  • Classification on structured and unstructured data to ensure sensitive data is clearly identified.
  • Governance policies that protect the use of sensitive information by applying data sovereignty requirements, permissions management, encryption, and other data protection techniques.
  • Incident remediation and response for sensitive data breaches when they occur.

Report and Audit

Identifying potential risks within your information is just the first step. Take action to quickly and efficiently resolve issues with security-trimmed, pre-prioritized reports that provide guidance to your content owners and compliance teams to target the most critical violations. 

Privacy and security risk management intersect with other data lifecycle management programs within your company. Combining these related areas will allow you to better optimize resources while mitigating risk around digital assets to support responsible, ethical, and lawful collection, use, sharing, maintenance, and disposition of information.

Friday, April 29, 2022

Intranet in Knowledge Management Strategy

The modern workplace is increasingly spread out in many locations, with employees and expertise spread across multiple offices and areas. This makes it very difficult to know what information exists and where it is kept. 

We can make the assumption that a majority of a company’s information is stored on hard drives, content management systems, file sharing applications and in the minds and memories of employees. This creates a few problems:

  • People don’t have access to the information they need to do their jobs effectively.
  • The sheer amount of information becomes difficult to manage and measure.
  • Information becomes stale or inaccurate because it’s not open for collaboration.
  • Constant duplication of work, hampering productivity and crippling the pace of innovation.

On average, a typical employee wastes 2.3 hours per week searching for information. This can cost companies $7,000 per employee per year. Prioritizing a company-wide audit of all knowledge can help companies cut down on wasted time and allocate these resources elsewhere.

Turn Information into Knowledge

Knowledge is power, but only when it is shared. Until then, it is just information without context or meaning. The transformation of information into knowledge occurs only when it is stored in a place where people can talk about it and build upon it. Here are three ways a modern intranet can help.

Knowledge Bases

A modern intranet supports the creation of many types of knowledge bases (KBs), including standard operating procedures, technical documentation, and best practices. This content, which would typically live in documents stored on drives, can now be published as wiki or blog articles that are easy to organize, search, and update. While a robust KB can lead to quicker decision-making and increased productivity, even the best KB is only effective if people know it is there and how to use it. The key is to make sure the structure is intuitive and that the information is searchable based on permissions, so people see only what they need and are permitted to see.

Expertise Location

A people directory makes it easy for experts to share what they know with the rest of the organization. Think of it like a baseball card collection. Employees are players, their profiles are cards, and each card is tagged with stats (or an employee’s knowledge, skills, and abilities). Your collection should be searchable so it is easy to find who you are looking for, and it should allow employees to validate each other’s expertise by endorsing each other with badges or rewards. Having a full set makes it easy to trade information and expertise in your organization, and identify gaps or areas that you may need to recruit for.

Forums

Online forums give structure to typical water cooler interactions or brainstorming meetings, helping to surface the information that exists in people’s heads. These types of conversations that would typically happen behind closed doors or on email trails can now be transformed into knowledge that everyone can access. Employees can ask questions, submit ideas, or make requests, out in the open, for everyone to see. Even if they don’t initiate a conversation, employees can still participate by liking, rating, or commenting on someone else’s post. Eventually, forums develop into a library of collective knowledge built upon the exchange of information between people and teams in your company.

Example: Onboarding

To demonstrate these concepts, let’s look at a challenge that faces many growing organizations: onboarding. With a modern intranet, you can create a “newbie zone” to house everything employees need during their first few days. The space should feel warm and welcoming, and not confusing or technical. Starting a new job is overwhelming enough. Give them only what they need so they can spend their time learning about the culture, meeting new people, and acquainting themselves with the company’s products and services.

  • Include a knowledge base of all company policies and guidelines that employees should be aware of, as well as any training they need to complete. Direct them to the information that is most relevant to their role and responsibilities and try to avoid overloading them with too much at once.
  • Include a forum that addresses any “newbie” questions or concerns. It is a safe space for employees to get comfortable with the company, but it also allows your HR team to gather insights about what information is important to new employees and adjust their knowledge bases accordingly.
  • Use the forum to introduce employees to experts, mentors, and other influencers that can teach them about the company, and its culture and processes. Invite these experts to answer new forum topics and ensure all existing topics are up to date.

Onboarding is the first opportunity to establish open knowledge sharing as a cultural norm. By using your modern intranet to demonstrate the value and benefit to your employees, it becomes a mentality that everyone adopts from day one.

The Power of Collective Wisdom

Knowledge should be treated as an internal currency with structures in place to ensure that it is managed wisely and that you are not losing any of it along the way. By continuously converting information into knowledge, you can realize a variety of benefits that will move your organization forward, including:

  • Active and constant validation of company information.
  • A common language that everyone understands.
  • A culture of sharing and collaboration where knowledge belongs to everyone.

A modern intranet brings content and conversations together in one place, promoting active and continuous knowledge sharing across all levels of an organization. 

Galaxy Consulting works with many companies to tackle the challenges facing them, knowledge management being just one. Our goal is to help our customers capture the collective wisdom in their organizations so they can drive productivity, promote innovation, and help their business succeed.