Importance of Information Governance

The fact is that most people will either embrace or decline information governance depending on their individual situation at a certain point in time. Information governance is closely allied with privacy and security. Knowledge as internal currency that needs to be managed wisely, which is where a governance procedure would be helpful.

It is entirely possible that someone might curse a rule as arbitrary while simultaneously recognizing the necessity of it from a security standpoint. Someone else could easily applaud relevant search results without actually realizing the role information governance played in facilitating that relevance. And there’s always “that guy” who complains regardless of whether the complaint is justified.

Information governance is an important and necessary component of modern organizations’ information infrastructure. It is our job, as information specialists and knowledge managers, to combat any negativity about information governance within our organizations and to manage expectations. Information governance is an integral part of both information technology and knowledge management. Together, they bring information governance forward onto that center stage.

With almost everyone in an organization contributing content, the role of information governance is ever more critical. Information governance is hardly an impediment to productivity; it’s actually a productivity enhancer. Risk management in the form of information governance, data security processes, and legal compliance stands center stage for organizations of all sizes and types.

Information governance is not just a good idea, created by computer geeks or imposed by legal departments. It is tied to international legislation about privacy and that affects all organizations, whether they are involved in international trade or not. 

Companies should be looking at information governance not in reaction to legislation but as an opportunity to reflect on what is good information life cycle management. 

Take archiving, for example. If data is archived in five different places, your potential exposure is multiplied by five. It’s also harder to determine which version is the most current and the most authoritative. Whether protecting your data comes first or having a streamlined archival system comes first is a chicken-and-egg question. The fact is it doesn’t matter—they can happen simultaneously and be of equal benefit to your organization.

It is a KM responsibility to accentuate the positive about information governance. It is good data management, not simply a bunch of random rules. Since it makes good business sense and should be presented as such, we need to foster a culture of compliance and to have both top down and bottom up support. We should make it easy for people to do the right thing, remove obstacles, build a stakeholder community, and incentivize them to comply. Removing obstacles, however, should not mean removing all obstacles. Policies should still restrict access to those qualified to view the data.

Retention policies should recognize that information has a beginning, middle, and end. It has been created, collected, used internally, shared inside the company and externally, and then it should have a define disposition. Disposition might mean it is archived but it might also mean it is destroyed.

Organizations should comply with legal requirements and not dispose of information too quickly. On the other hand, hoarding information does not help with risk avoidance, either. If you think that information might have long-term implications, possibly to identify trends, you still don’t want that sitting in your content management system. Archiving it and getting it out of a production environment could be the answer, but if and only if you are not saving it simply for the sake of saving it.

Life cycle management of information starts with thinking about how information is created or collected. Did it come from internal sources? Was it gleaned from an external repository? Was it provided by customers? This will differ from company to company and even from one industry sector to another. Next is access policies: who is authorized to access and use the data. 

The point is to strike a balance between being punitive to the point of inhibiting compliance and restricting access to preserve privacy and security. Sharing information is an important component of modern information  management and the cornerstone of KM, but excessive sharing creates more problems than it solves and sharing across national borders raises potential legal issues. Retention policies and disposition practices are integral to good information governance, as is the understanding of what can and should be shared.

Data without information governance practices in place can create operational, privacy, and security gaps that put company assets at risk. Once you know what your data is, where it is, who can access it, and who has accessed it, you can then make decisions about where it should reside. Data in a highly secure system may need less controls than data located in a cloud environment or a broadly available corporate intranet or website.

Depending on your information governance rules, data can be a valuable asset like gold or it can become toxic like asbestos. A true best practice approach requires a sustainable ecosystem where you derive value from the data you hold while protecting company assets.

In organizations around the world, almost every employee is now a content contributor. Social, mobile, and cloud technologies have made it easier than ever to share information both in and out of the organization. This influx of new content, however, brings about new risks. Legal systems and government regulators worldwide are clamping down and demanding greater compliance, particularly on IT systems, requiring that organizations quickly implement risk management protocols. Data is growing too fast to keep up, which creates both great opportunity and risk for all organizations.

Organizations must be vigilant in creating enforceable policies, training programs, and automated controls to prevent and monitor appropriate access, use, and protection of sensitive data, whether they are regulated or not. Doing so will not only mitigate the risk of regulatory and statutory penalties and consequences, but will also help prevent an unnecessary erosion of employee or consumer confidence in the organization as the result of a breach or the loss of sensitive data.

Understanding Data Lifecycle Management

You can’t secure data you don’t know you have. Thus, a process of identification, value extraction, classification, and archiving needs to occur.

Whether data is generated by your organization or collected from a third party (such as a customer, vendor, or partner), the only way you can effectively protect it is by understanding it. For instance, does it contain customer information, employee information, intellectual property, sensitive communications, personally identifiable information, health information, or financial data?

Implementing a Best Practice Approach

1. Contemplate how data is created or collected by your company. You should think about excessive collection as well as how you will provide notice to individuals about that collection and appropriate levels of choice. You should also understand whether you need to keep appropriate records of that collection and creation.

2. Think about how you are going to use and maintain this data. Here you should consider inappropriate access, ensure that the data subjects’ choices are properly honored, address concerns around a potential new use or even misuse, consider how to address concerns around breach, and also ensure that you are properly retaining the data for records management purposes.

3. Consider who is going to share this data, and with whom they are going to share it. You should consider data sovereignty requirements and cross-border restrictions along with inappropriate, unauthorized, or excessive sharing.

4. All data must have an appropriate disposition. You should only keep data for as long as you are required to do so for records management, statutory, regulatory, or compliance requirements. You should ensure you are not inadvertently disposing of data while understanding that as long as you store sensitive information you run the risk of breach.

5. Understand the difference between what can and should be shared. A good program must continually assess and review who needs access to what types of information. Privacy and security teams should work with their IT counterparts to automate controls around enterprise systems to make it easier for employees to do the right than wrong or simply neglect the consequences of their actions. Once you have implemented your plan, be sure that you maintain regular and ongoing assessments.

Discovery and Classification

Many companies worry about “dark data” or data that exists across their enterprise systems (file shares, SharePoint, social systems, and other enterprise collaboration systems and networks) and is not properly understood. Understanding what and where this data is and properly classifying it will allow organizations to set the appropriate levels of protection in place. 

For example, many companies apply their security controls in broad terms using the same security procedures for everything. But logically, you do not need to put the same security protocols around protecting pictures from your company picnic as you do towards protecting your customer’s critical infrastructure design or build information, or credit card information or your employee’s benefits information.

Data discovery will allow you to determine the origin and relevance of the data you hold, and determine its retention schedule. You be more equipped to effectively implement Data Loss Prevention in a tactical way. Data aware security policies provide an opportunity for organizations to build a more layered approach to security, prioritizing where efforts (and costs) should be spent, and building multiple lines of defense. 

This provides you with the ability to manage the life cycle of the data within your company, from creation or collection through retention, archiving and/or defensible destruction. You cannot block everything from leaving your company any more than you should encrypt every document you have. When security blocks productivity, employees find a way to go around it. The job of security is to help the business use data productively and securely.

Data-Centric Audit and Protection

Understanding and controlling data flows is a critical component to an effective roll out of information management strategies. Key components of an effective methodology should include:

• Data inventories that help customers understand where their sensitive data resides.
• Classification on structured and unstructured data to ensure sensitive data is clearly identified.
• Governance policies that protect the use of sensitive information by applying data sovereignty requirements, permissions management, encryption, and other data protection techniques.
• Incident remediation and response for sensitive data breaches when they occur.

Report and Audit

Identifying potential risks within your information is just the first step. Take action to quickly and efficiently resolve issues with security-trimmed, pre-prioritized reports that provide guidance to your content owners and compliance teams to target the most critical violations. 

Privacy and security risk management intersect with other data lifecycle management programs within your company. Combining these related areas will allow you to better optimize resources while mitigating risk around digital assets to support responsible, ethical, and lawful collection, use, sharing, maintenance, and disposition of information.

Intranet in Knowledge Management Strategy

The modern workplace is increasingly spread out in many locations, with employees and expertise spread across multiple offices and areas. This makes it very difficult to know what information exists and where it is kept. 

We can make the assumption that a majority of a company’s information is stored on hard drives, content management systems, file sharing applications and in the minds and memories of employees. This creates a few problems:

• People don’t have access to the information they need to do their jobs effectively.
• The sheer amount of information becomes difficult to manage and measure.
• Information becomes stale or inaccurate because it’s not open for collaboration.
• Constant duplication of work, hampering productivity and crippling the pace of innovation.

On average, a typical employee wastes 2.3 hours per week searching for information. This can cost companies $7,000 per employee per year. Prioritizing a company-wide audit of all knowledge can help companies cut down on wasted time and allocate these resources elsewhere.

Turn Information into Knowledge

Knowledge is power, but only when it is shared. Until then, it is just information without context or meaning. The transformation of information into knowledge occurs only when it is stored in a place where people can talk about it and build upon it. Here are three ways a modern intranet can help.

Knowledge Bases

A modern Intranet supports the creation of many types of knowledge bases (KBs), including standard operating procedures, technical documentation, and best practices. This content, which would typically live in documents stored on drives, can now be published as wiki or blog articles that are easy to organize, search, and update. While a robust KB can lead to quicker decision-making and increased productivity, even the best KB is only effective if people know it is there and how to use it. The key is to make sure the structure is intuitive and that the information is searchable based on permissions so people only see what they need and can see.

Expertise Location

A people directory makes it easy for experts to share what they know with the rest of the organization. Think of it like a baseball card collection. Employees are players, their profiles are cards, and each card is tagged with stats (or an employee’s knowledge, skills, and abilities). Your collection should be searchable so it is easy to find who you are looking for, and it should allow employees to validate each other’s expertise by endorsing each other with badges or rewards. Having a full set makes it easy to trade information and expertise in your organization, and identify gaps or areas that you may need to recruit for.

Forums

Online forums give structure to typical water cooler interactions or brainstorming meetings, helping to surface the information that exists in people’s heads. These types of conversations that would typically happen behind closed doors or on email trails can now be transformed into knowledge that everyone can access. Employees can ask questions, submit ideas, or make requests, out in the open, for everyone to see. Even if they don’t initiate a conversation, employees can still participate by liking, rating, or commenting on someone else’s post. Eventually, forums develop into a library of collective knowledge built upon the exchange of information between people and teams in your company.

Example: Onboarding

To demonstrate these concepts, let’s look at a challenge that faces many growing organizations: onboarding. With a modern intranet, you can create a “newbie zone” to house everything employees need during their first few days. The space should feel warm and welcoming, and not confusing or technical. Starting a new job is overwhelming enough. Give them only what they need so they can spend their time learning about the culture, meeting new people, and acquainting themselves with the company’s products and services.

• Include a knowledge base of all company policies and guidelines that employees should be aware of, as well as any training they need to complete. Direct them to the information that is most relevant to their role and responsibilities and try to avoid overloading them with too much at once.
• Include a forum that addresses any “newbie” questions or concerns. It is a safe space for employees to get comfortable with the company, but it also allows your HR team to gather insights about what information is important to new employees and adjust their knowledge bases accordingly.
• Use the forum to introduce employees to experts, mentors, and other influencers that can teach them about the company, and its culture and processes. Invite these experts to answer new forum topics and ensure all existing topics are up to date.

Onboarding is the first opportunity to establish open knowledge sharing as a cultural norm. By using your modern intranet to demonstrate the value and benefit to your employees, it becomes a mentality that everyone adopts from day one.

The Power of Collective Wisdom

Knowledge should be treated as an internal currency with structures in place to ensure that it is managed wisely and that you are not losing any of it along the way. By continuously converting information into knowledge, you can realize a variety of benefits that will move your organization forward, including:

• Active and constant validation of company information.
• A common language that everyone understands.
• A culture of sharing and collaboration where knowledge belongs to everyone.

A modern intranet brings content and conversations together in one place, promoting active and continuous knowledge sharing across all levels of an organization. 

Galaxy Consulting works with many companies to tackle the challenges facing them, knowledge management being just one. Our goal is to help our customers capture the collective wisdom in their organizations so they can drive productivity, promote innovation, and help their business succeed.

Improving User Adoption

Many organizations that deployed a content management system have gone through phases of deployment, development and upgrades without leveraging common practices around information architecture and usability. 

In some cases, a well-intentioned IT department holds user requirements sessions, only to implement the technical features without truly understanding core principles of usability. In other situations, a particular process will be enabled and user tested with good design principles but employing the “build it and they will come” deployment plan. 

In other words, let users just start using the system. In rare cases, organizations do get those elements right but then after the deployment is completed, there is no organizational design to maintain the system, continue to train users, and update design and functionality as user needs change.

The reasons for a lack of user acceptance break down into numerous categories ranging from lack of user involvement in the development process to inadequate content.

For these reasons, many users of content management systems are frustrated and long for a well-designed, maintained, highly functional system with well-organized information and search that gives them what they need when they need it. They blame the technology rather than the way that technology has been configured and managed.

The challenge is that everyone wants everything to be user friendly and intuitive. Users want tools that help them do their jobs without requiring that they jump through hoops to upload and access information. If the system is awkward and poorly designed, users do not want to spend the time to learn how to get the most from the system. However, even when the tools are sophisticated and well designed, fluency is still necessary to leverage them effectively.

When adoption is poor, it is difficult for an organization to get the majority of users needed to achieve the good collaboration, where the knowledge is producing real value and triggering successful cycles of participation and contribution. So moving to a new platform, rather than solving core issues, seems to be the preferred approach that many organizations take, though that will lead to a recurrence of the core challenges. It is best to get to the root of the problems and address them.

Even with a perfectly configured system and design that is user tested, validated, refined, tested some more and validated again, there is no guarantee that the system will be adopted and embraced. Taking an intentional approach to the system requirements and design will go a long way toward increasing the likelihood of user adoption. User adoption requires a thoughtful, intentional approach to a number of areas.

Here are some ways to maximize the chances for success of user adoption.

In many cases, users don’t have a voice in the design decisions and are not sufficiently kept in the loop through ongoing communications from leadership. Involve users in the development process. Socialization should be part of a project from the beginning and continue throughout the life of the project.

Perform user acceptance testing. It is very important to give users a chance to test the system before asking them to use it.

Create realistic expectations for how intuitive the system can be. No matter how user friendly the system is, it may never be completely intuitive to all. The nature of work processes and the information to support those processes can be complex. 

The nature of the task might require understanding terminology that is not part of everyone’s vocabulary. If the job itself requires training and skill development, the information may also require a degree of socialization. Some systems can be very complex.

Allow users time to develop a mental model. When learning to use an application of any sort, users need time to grasp the big picture and become fluent in the details. This means that it would be better to show users the details over time as opposed to in a one-shot training. Doing that at the scale of any enterprise requires planning and development of just-in-time learning that people can move through to get the big picture and can access in the context of their work processes. 

Provide users with the consistency they need. A consistent taxonomy and information architecture will help improve usability in the first place but also increase the learnability of the system. Once users learn about one part of an information structure, they can more quickly understand and internalize other areas if the same terminology is used.

Update functionality often enough to keep up with changes in user requirements. No information environment is static, so ongoing feedback that drives new functionality and capabilities is required. It is important to keep users updated on features in each new release. 

Without updates to functionality, continued testing and adjustments, the delta between what users need and what the application provides will get larger and lead to greater dissatisfaction.

Provide high-quality content. A system deployment should begin with value for the user. That means populating repositories with curated, tagged quality content that they will find valuable. Too often there is a “lift-and-load” migration in which poorly organized content filled with redundant, outdated and trivial content is presented to the user in a new environment. No matter how good the design is, the content will not be viable if it does not meet the users’ work requirements, and it will not be accessible if it is not tagged and organized.

User acceptance of a system will be improved when the right information is available for the tasks and the right processes are reflected in the application.

Offer users an easy way to contribute content. Another barrier to acceptance is a difficult process for uploading content. Too many metadata fields, long lists of choices or fields that don’t apply to the content will keep people from content uploading. The process for uploading content should be as painless as possible. Frequently the best answer is machine-assisted tagging where an auto-classifier tuned to the content and taxonomies appropriate for the process presents the user with suggested values, and the user either accepts them or selects a different value.

Establish a robust governance process. A content management system lives in an ecosystem that is continually changing. There are multiple upstream and downstream processes, and resources need to be allocated with a view to the larger picture of the information environment. 

The system owners and sponsors must make decisions in that context as well as within the context of the system environment. Therefore, they should have a seat at the table in the enterprise information governance decisions and the institution of controls, standards and compliance processes all the way down to the level of content repositories. If sites and content do not have ownership, they will quickly become outdated. If policy decisions are made without compliance mechanisms, they will not be implemented.

Users don’t hate content management systems. They hate poorly designed applications. In reality what they don’t like is the lack of functionality, the poorly constructed taxonomies, confusing navigation, endless fields to fill out and poor-quality content. With the correct approach to design and deployment and with adequate training and ongoing updates, people like and in many cases like a content management system. It helps them do their jobs, makes tasks easier to accomplish, improves efficiency and lets workers redirect their efforts to the more challenging and fulfilling parts of their jobs.

Challenges of Records Management

Records management is very important for companies. There are many electronic records management systems that can optimize the process of records management. However, the huge amount of data is raising new challenges about how records management should be handled. 

A few of the ongoing issues include big data, master data management (MDM) and how to deal with unstructured data and records in unusual formats such as graph databases.

Records are kept for e-discovery, compliance purposes, for their business value, and sometimes because no process has been implemented for systematically removing them. This might be a double-edged sword: getting rid of data makes IT nervous, but there are times when records should be dispositioned.

Data stored in data lakes is largely uncontrolled and typically has not had data clean up processes applied to it. Data quality for big data repositories is usually not applied until someone actually wants to use the data.

Quality assurance might include making sure that duplicate records are dealt with appropriately, that inaccurate information is excluded or annotated and that data from multiple sources is being mapped accurately to the destination database or record. In traditional data warehouses, data is typically extracted, transformed and loaded (ETL). With a data lake, data is extracted (or acquired), loaded and then not transformed until required for a specific need (ELT).

MDM is a method for improving data quality by reconciling inconsistencies across multiple data sources to create a single, consistent and comprehensive view of critical business data. The master file is recognized as the best that is available and ideally is used enterprise-wide for analytics and decision making. But from records management perspective, questions arise, such as what would happen if the original source data reached the end of its retention schedule.

As a practical matter, a record is information that is used to make a business decision, and it can be either an original set of data or a derivative record based on master data.  Therefore the “golden record” that constitutes the best and most accurate information can become a persistent piece of data within records management system.

Unstructured data challenge

A large percentage of records management efforts are oriented toward being ready for e-discovery. 

There is the more of a problem in the case of unstructured data than in MDM. MDM has gone well beyond the narrow structure of relational databases and is entering the realm of big data, but its roots are still in the world of structured databases with well-defined metadata classifications, which makes records management for such records a more straightforward process.

The challenge with unstructured data is to build out the semantics so that the content management or records management and data management components can work together. In the case of a contract, for example, the document might have many pieces of master data. It contains transactional data with certain values, such as product or customer information, and a specialist data steward or data librarian might be needed to tag and classify what data values are represented within that contract. 

With both the content and the data classified using a consistent semantic, it would be much simpler bringing intelligent parsing into the picture to bridge the gap between unstructured and structured data. Auto-classification of records can assist, although human intervention remains an essential element.

Redundant, obsolete and trivial information constitutes a large portion of stored information in many organizations, up to 80%.  The information generated by organizations needs to be under control whether it consists of official records or non-record documents with business value. Otherwise, it will accumulate and become completely unmanageable. On the other hand, if organizations aggressively delete documents, they run the risk of employees creating underground archives of information they don’t want to relinquish, which can pose significant risks. Companies need to approach this with a well thought out strategy.

The system should allow employees to easily save documents using built-in classification instead of a lot of manual tagging. It is important to make the system intuitive enough for any employee to use with just a few seconds of time and a few clicks of the mouse. 

The value of good records management needs to be communicated in such a way so that employees understand that it can actually help them with their work rather than being a burden. A well-designed system hides the complexity from users and puts it in the back end. 

Studies of records management consistently show that only a minority of organizations have a retention schedule in place that would be considered legally acceptable and that some organizations have no retention schedule at all. Even if a schedule is in place, compliance is often poor.

A strategy should be developed to reconcile dilemma between keeping everything forever in order to extract business value from it and using records and information management to effectively get rid of as much information as soon as possible.

From a business perspective, the potential upside of retaining corporate records so they can be used to gain insights into customer behavior, for example, may outweigh the apparent risks that result from non-compliance. 

The highest value is within records management framework for understanding and classifying information so that its business value can be utilized. 

If organizations view records management as a resource rather than a burden, it can contribute to their success. In many respects, the management of enterprise information is already becoming more integrated and less siloed. For example, most enterprise content management (ECM) systems now have records management functionality. The same classification technology used for e-discovery is also used for classification of enterprise content. Seeing records management as part of that environment and recognizing its ability to enrich the understanding of business content as well as ensuring compliance can support that combination.

Governance can be a unifying technique that provides a framework to encompass any type of information as it is created and managed. Governance is a set of multidisciplinary structures, policies and procedures to manage enterprise information in a way that supports an organization’s short term and long term operational and legal requirements. It is important to consider the impact of all forms of information, from big data to graph data. Within a comprehensive strategy of governance, records management is successful.