As businesses finish another financial year one area that receives a lot of attention around this time is compliance. However, this is only one component of something much larger that businesses of all sizes should be giving attention to: information governance.
[easy-tweet tweet=”Information governance is much more than compliance – it’s the strategy for the entire information lifecycle”]
Rather than being a one off catch up activity done at year end, information governance should be an on-going, critical initiative that runs throughout the year. Short-term solutions that only address particular mandates, and the specific needs at that time, can lead to costly decisions in the long-term.
Putting good practices into place has the potential to be transformational for businesses. It can help pave the way for a more successful year and help future proof the business against on-going change. It’s time for organisations to shift their perspective and put systems in place to address information governance.
Taking notice of information governance
Information governance is much more than compliance and should not be used interchangeably. It is the strategy behind the entire information lifecycle, including effective management of information’s authority, control, accessibility, and visibility. Furthermore, information governance can bring much greater value to organisations as it has the potential to uncover business opportunities and protect them from security threats. Businesses should see compliance as the end goal and information governance as the way to achieve it.
Answering these simple questions helps you on your path to good information governance:
- Do you know how your employees are working and what applications they use?
• Do you know where your business’ information is being stored?
• Do you know if you have full control of your business information?
How would you answer that last question? Unfortunately, most organisations would answer ‘no’. A recent Association for Information and Image Management (AIIM) study found two-thirds of organisations had some level of information governance policy in place but nearly one-third admitted that their inferior electronic records kept causing problems with regulators and auditors. So what are the hurdles and how can they be overcome?
There are common pitfalls
Poor information governance varies from the unfortunate to the catastrophic. At worst, hackers get a hold of sensitive information. At best, out-of-date information may be used and then commitments have to be honoured based on this inaccurate information. While in between is a range of incidents of information mismanagement and examples of employees using unsanctioned tools, all of which can be prevented.
One great example is email. Its very nature puts valuable information at risk on an hourly basis. Potentially confidential information contained within an email is frighteningly susceptible to interception and vulnerable to security threats. Yet countless employees use email as a method for sharing sensitive information. But worse still employees use both approved work email accounts and unsanctioned private email accounts. A recent Alfresco survey found that over half (54 per cent) of end users have turned to their private email for work, most likely due to the limitation of enterprise email.
Many knowledge workers have turned to consumer solutions to provide collaboration and access capabilities not enabled within the enterprise. None of these applications are approved or controlled by corporate IT. These ‘Shadow IT’ solutions can pose a serious security risk for organisations, leading to information leaks from unsecure practices and the failure of compliance regulations.
Another critical challenge is implementing policies for the use of other tools such as instant messaging and social media. This is born out by the results of a recent AIIM study that highlighted that less than 15 per cent of organisations included social postings in their information governance policies. While some conversations are essential to business growth, 37 per cent of respondents agreed that there are important social interactions that are not being saved or archived due to a lack of information governance.
Rather than being a one off catch up activity done at year end, information governance should be an on-going, critical initiative that runs throughout the year
Good information governance can be achieved
A lot of organisations have a focus on compliance, management, and security controls in place, but what is really required is information governance. Here are some simple steps organisations can take:
Understand the range of information you have and how it needs to be managed and where it is currently being stored.
Rank your information and the associated processes to assess the level of risk: compliance risk, regulatory risk, and reputational risk. For ease consolidate this to a minimum.
Policies need to be decided. What needs to be kept, for what purpose, which employees need access, and for how long? The information should be stored where it can be most effectively used, while also addressing business objectives and risks.
Once these protocols are set, there should be regular checks of what information is maintained. Archiving or deleting content once it has outlived its useful life should be encouraged. Pruning old data will reduce storage costs and the associated management costs.
Keep Shadow IT in check. Where you can restrict access to unsanctioned tools and stop employees using personal accounts for business.
Most importantly, develop an information management system with people at the heart of it. Implementing tools to support your employees – ones they find easy to use – so that they will, indeed, use them.
[easy-tweet tweet=”Organisations may focus on compliance, management, and security controls, when information governance is needed”]
Following these steps will enable organisations to take information in any format; analyse what needs to be preserved and protected, and delete what is unwanted. Content can now be easily sorted and managed, access and monitoring controls can be easily implemented where needed. Being able to say you know how your employees are working, where your information is being stored and that you have full control of that information will lead to a boost in efficiency and productivity.