RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Subject:
From: Sam McCollum <[log in to unmask]>
Reply To: Records Management Program <[log in to unmask]>
Date: Sat, 16 Jun 2012 12:12:33 -0600
Content-Type: text/plain
Parts/Attachments: text/plain (193 lines)

Angela,

  I have read the latest information governance emails with some interest.
There seems to be a lot of confusion around the roles of Information
Governance, Audit, and Risk Management. Hopefully my thoughts on the
subject will be more enlightening than confusing. My comments are drawn
from our experiences at ENMAX Corporation in the development of an
Information Governance function at the strategic/corporate level.

  Let me start with our definition of Information Governance -

'An accountability framework ... that includes the people, processes,
policy and technology ... that ensure the effective management of
information ... to enable an organization to achieve its strategic goals
and business programs.'  There are a number of good definitions already out
there in our industry but please bear with me for a moment and just
consider the above definition.

   First, we propose that Information Governance (IG) is a strategic
(accountable) function rather than the operations function of Information
Management. Second, IG must consider the input and effect of people
(culture), business processes, policy, and information technology in
developing an effective governing information function. Third, IG should
primarily be about the proper management of information. Finally, IG has
the responsibility to ensure a proper balance between compliance
requirements (part of corporate strategy), and an organization's business
goals.

   To effectively meet the fourth requirement, IG needs to develop an
information management strategy that is consistent with the overall
corporate strategy. The deliverables from this strategy development would
be a multi-year roadmap (of necessary IM improvement/projects) and a
strategic plan. The process used to develop this strategy should include
using the GARP Principles and Maturity Model as well as other strategic
tools.

  Once that IM strategy has been accepted by all affected parties and
approved by senior management, then the IG function would be responsible
for the policy development, training and education, and adherence to
policy. The IG function should then use Corporate Audit and Risk Management
to assist them in their role of ensuring the proper management of
information by both Information Operations and user departments. In other
words, IG develops the policy and controls, Audit checks for compliance,
and Risk Management determines the risks associated with non-compliance.

  Pat Cunningham rightfully suggested that the roles of Information
Management and Information Technology are different.  We might say that IT
focuses on document management (store, manipulate, and then retrieve
information) and IM focuses on information management (indexing,
classification, retention, disposition, etc). IT also focuses on electronic
information only. IM focuses on all information (paper, electronic, data,
etc).

  Information Governance (IG) is vital to getting the 'ear' of senior
management. Most information management groups are concerned with the
'operations' of information management. When talking to senior management,
they tend to talk around 'operations' issues. It has been my experience
that when presenting to senior management, we need to get our point across
in 3 slides or less. These slides should be strategic in nature as opposed
to talking about operations issues. They should be simple as opposed to
complex (refer to GARP rather than D of D standards). Also audits usually
have a problem with the same entity following the rules and also being
responsible for governing their adherence to those rules. That is one
reason for separate information operations and information governance
functions.

   I hope that these few comments will help to clear the air; or at least
prompt more useful discussion.

Sam McCollum, MBA, CRM
SIMC Coaching




On Sat, Jun 16, 2012 at 10:14 AM, Angela Fares <[log in to unmask]> wrote:

> Just to clarify (because email is a hard way to express my intent), I am not
> against ARMA attempting to establish information governance criteria, but
> as an auditor and a records manager, I have concerns.  I am not trying to
> pick a fight, but point out things that I have not seen addressed in the
> emails on this subject.
>
> I would hate to see a lot of effort put into a new framework and have it
> die on the vine like SII (which was a great concept in my opinion because I
> badly needed to cross over into IT environments, but the execution was a
> bit confusing for me...I never got what my employers told me I needed).
> This is going to be an expensive effort and will require a great deal of
> strategic planning to promote acceptance outside of ARMA. Historically,
> ARMA has had some opportunities to improve the track record on that score.
>
> I am questioning why so many groups are consolidating their efforts on
> risk management frameworks that are shared by many groups responsible for
> risk management, security, information governance, corporate compliance,
> disaster recovery, business continuity, internal audit, etc.? And, I am
> asking why ARMA thinks that they can do it better when auditing and risk
> management has not been one of the strong core functions although it is
> part of what we should do whether we like it or not? I cannot remember a
> single time when formal education has been offered on the subject of
> writing audit plans, creating audit work papers, or creating strong
> controlled self-assessments. There have been some presentations on the NEED
> to do it, but I have seldom seen presentations on how to do it in
> accordance with generally accepted audit guidelines that would be accepted
> by an internal audit organization.
>
> I recall that many have stated on this listserv that "a record is a record
> is a record..." regardless of the media. So, why does there need to be a
> separate framework for paper records when COBIT, ITIL, and at least four
> other information security/risk management frameworks are addressing
> retention scheduling, record classification, management of output (queries,
> reports, search results, etc.), destruction, and lifecycle management of
> information, alternate media management (paper, disks, fiche, film), etc.?
> And, if our framework is going to address all records regardless of the
> media, including electronic records, why not take a look at what has
> already been adopted for widespread use in the governance industry and make
> strategic alliances to influence changes that address those controls that
> we feel need further refinement? ARMA does have a lot to offer, but I am
> not yet convinced that we should take a "stand alone and apart" approach
> since I've actually worked in compliance and internal audit departments and
> hold some of those credentials. It may be one of the reasons that CRMs are
> not recognized as part of the risk management/compliance "cloud" that is
> forming around these risk management frameworks and driving further
> refinement. Maybe we should consider mainstreaming as part of a larger
> effort to help our organizations perform risk
> management/governance/compliance activities rather than simply functioning
> as a "service" organization as we are often perceived.
>
> If we are going to write a new framework (and I am open to any argument
> that we might need a separate framework if there are valid reasons why we cannot
> add on to the existing frameworks as other groups have done successfully),
> who is qualified to write that framework? This is not an inference that no
> one at ARMA is qualified, but rather I am asking who is qualified to write
> that framework so that it has validity in the eyes of other professionals
> that we are going to market it to as a tool for governance, compliance,
> risk management, disaster recovery planning and business continuity,
> business process planning, etc.? Why will they want to switch nationally
> recognized, accepted models that they are currently using to adopt ours
> instead? Do we have qualified, experienced professionals in those areas at
> ARMA or are we going to develop strategic alliances to bring those areas of
> expertise to the table?  If not, how are we going to gain global acceptance
> of the framework by those professionals in lieu of frameworks that are more
> mature?  How do we plan to get our organization compliance, internal audit,
> IT, risk management, and IT governance groups to use the new criteria?  It
> is one thing to write a framework, and quite another to get other groups
> who are supposed to use it to see the value.  It is why there are multiple
> frameworks already in existence today and many argue the value of one or
> the other depending on which approach to risk
> management/governance/compliance best fits the organization.
>
> Is adding another framework to the mix the only way to achieve acceptance
> of best practice in our industry? I just think that some further
> feasibility studies ought to be done. Whether or not ARMA thinks it is
> qualified to write a new framework is one issue. Whether or not other
> professional groups that are expected to use it in order to measure us
> against best practice are going to give it credibility and use it is
> another. So, as an auditor and a records manager who has used other
> frameworks, I am asking... have we considered other options besides a new,
> standalone framework that might possibly not gain much acceptance outside
> of ARMA itself?  If not, I think that we should consider increasing the
> likelihood of acceptance by joining forces with other groups who also
> control, audit, secure, govern, and manage compliance to see how we can
> encourage acceptance of our profession as part of the risk management
> "cloud" of professionals who work hard to assess their organizations and/or
> close the gaps?
>
> Warmest regards,
> Angie Fares
>
>
> Angela Fares
>
> List archives at http://lists.ufl.edu/archives/recmgmt-l.html
> Contact [log in to unmask] for assistance
> To unsubscribe from this list, click the below link. If not already
> present, place UNSUBSCRIBE RECMGMT-L or UNSUB RECMGMT-L in the body of the
> message.
> mailto:[log in to unmask]
>



-- 
Sam McCollum, MBA, CRM, ERMm
President and CEO
SIMC Coaching Corporation
[log in to unmask]
*Coaching you on your way to success*
