LISTSERV - RECMGMT-L Archives - LISTSERV.IGGURU.US

RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

	LISTSERV Archives
	RECMGMT-L Home

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Forum View Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: Thornton May: The time is now for information governance. But do you even know what it is? - Computerworld
From:	Robert Smallwood <[log in to unmask]>
Reply To:	Records Management Program <[log in to unmask]>
Date:	Mon, 9 Jun 2014 22:18:34 -0400
Content-Type:	text/plain
Parts/Attachments:	text/plain (147 lines)

Glad to see my friend and colleague Thornton May weighing in on IG. He
highlights the biggest problem with IG, which is having a clear definition.
This was borne out in a recent survey of large law firms by ILTA as reported
by the IG Initiative:

http://www.iginitiative.com/blog/2014/5/2/ilta-survey-finds-that-uncertainty-over-the-meaning-of-information-governance-is-behind-some-law-firms-lack-of-action-on-ig

There is no 'elevator pitch' definition of IG (so far) and everyone has a
slightly different one. When I spoke recently to the Greater L.A. chapter of
ARMA, and also the San Francisco chapter of AIIM, I asked if anyone had a
clear definition of IG. No one raised their hand.

Part of the problem arose initially when ERM vendors latched on to the term
and virtually overnight they had an "IG solution" and had made no
significant changes to the software. And also, the RM community claimed the
term and created their definition, while the legal community developed a
similar but differing view. IT people mostly confuse IG with data
governance, as that is their milieu. There is a difference. And there is
also a difference between IG and IT governance. I wll clarify this in a
separate post.

Looking back, we see how the confusion started, Gartner defined IG as:

"the specification of decision rights and an accountability framework to
ensure appropriate behavior in the valuation, creation, storage, use,
archiving and deletion of information. It includes the processes, roles and
policies, standards and metrics that ensure the effective and efficient use
of information in enabling an organization to achieve its goals."

Got it?

That definition must've been created by a committee. It's just too long.

OK, sure, if you put enough words together maybe you cover all the bases,
and accountability is at the heart of IG, and certainly processes, roles and
policies, standards and metrics are key, but this verbose definition really
doesn't help, and it lacks focus. What about legal and regulatory
requirements? Control? Risk? Security? Privacy?

Then ARMA took a shot at it, stating, IG is:

"a strategic framework composed of standards, processes, roles, and metrics
that hold organizations and individuals accountable to create, organize,
secure, maintain, use, and dispose of information in ways that align with
and contribute to the organization’s goals.”

Better, but still too long, and it does not mention legal or regulatory
requirements, only an organization's (business) goals, with no mention of
controls or risk or privacy.

If we look at the 5 key impact areas of IG, based on the IG Reference Model
(RIM, Legal, IT, Privacy & Security, and Business), and the fact that risk
is a key aspect in managing most of those, it seems there is still work to
do in getting to a viable, yet succinct definition.

What does Wikipedia say? IG is:

"the set of multi-disciplinary structures, policies, procedures, processes
and controls implemented to manage information at an enterprise level,
supporting an organization's immediate and future regulatory, legal, risk,
environmental and operational requirements."

Pretty good. This definition was derived from 4 sources. And its great that
it has 'multi-disciplinary' in there since this is at the core of IG -
gaining support from the key stakeholders in those 5 impact areas of the
IGRM. And IG certainly involves policies, procedure, processes and controls.

But it's still too long.

After I wrote my textbook on IG ("Information Governance" [Wiley, 2014]),
this problem still bothered me. We can offer several definitions, and be all
over the map, but what about boiling it down to a practical, succinct,
working one - in ONE sentence.

As Mark Twain said, "I wrote a long letter because I didn't have time to
write a short one."

So here is what I came up with, IG is:

"Control of information to meet legal, regulatory, and business demands."

10 words! Something people can digest, and remember.

To explain: By "control" I mean all the policies, processes, audit
procedures, and security of information, which is accomplished by leveraging
information technologies to enforce policies.

By "legal demands" I mean not only following the FRCP in civil litigation
and complying with laws and especially privacy laws, but also deploying
enabling technologies like predictive coding that can assist in cutting
costs and making early case assessments (ECA), which are also partly
business considerations.

By "regulatory demands" I mean primarily retention and privacy requirements
required by statues and regulations, such as are found in the CFR.

By "business demands" I mean cutting out that roughly 69% of irrelevant or
outdated data debris (according to OCEG) and bringing those dollars to the
bottom line, increasing profits. As Thornton states in his article,
approximately $18K/year is saved for every 1GB of data that is cut.

The key is to focus on that remaining 31% (roughly) of high value info using
high value resources - then the organization not only gets cost benefits
abut also a competitive advantage can be derived though insights gained
using business analytics and business intelligence.

My esteemed colleague Rich Medina recently wrote a paper on IG for AIIM and
also posted on his blog (http://www.richardmedinadoculabs.com/) a suggested
addition to my definition, which is to add the word 'risk' after 'business'
- this is GOOD thinking, and I applaud it.

Risk is at the core of IG. Although in my view and initial thinking,
"business demands" also include risk. But for the sake of completeness, and
as a tip of my hat to Rich, I have added in risk as a separate word, since
it applies to legal, privacy & security, RIM, and to a degree, IT. The key
focus of 'business' is 'profit' as depicted in the IGRM. So here is where I
am, IG is:

"Control of information to meet legal, regulatory, risk, and business demands."

11 words.

I invite your comments as this is the time to hammer out a clear definition
of IG as the industry springs forward with increasing velocity.

Also, I would like to quote Thornton May's assessment of my first book on
IG, "Safeguarding Critical E-documents: Implementing a Program for Securing
Confidential Information Assets" (Wiley, 2014), where he said,

"There is no better of timely book about IG on the shelves today. Robert has
penned a readable, actionable-and get this-enjoyable must-read book for
information age executives."

With the link below you can preview the book and confirm this quote and read
more quotes such as Julie Colgan's, "Fantastically thorough and practical...."

http://www.amazon.com/Safeguarding-Critical-E-Documents-Implementing-Confidential/dp/111815908X/ref=la_B006LTJ39S_1_3?s=books&ie=UTF8&amp;qid=1402366478&sr=1-3

Robert Smallwood
E-records Institute at IMERGE Consulting
San Diego, CA

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
To unsubscribe from this list, click the below link. If not already present, place UNSUBSCRIBE RECMGMT-L or UNSUB RECMGMT-L in the body of the message.
mailto:[log in to unmask]

ATOM RSS1 RSS2

LISTSERV.IGGURU.US