This article is the part two of a seven part series on successful information governance programs. Read part one.
Companies that have effective information governance programs always have what I call “the committee:” a cross functional team from different departments working together. This is counterintuitive, as one would believe that more people with different agendas would tend to slow down a records management, litigation readiness or data privacy project. Why become encumbered by a cross-functional committee with different agendas? Isn’t a smaller, more focused group better and faster at tackling these projects?
Actually, no. While getting a project started with a committee can be harder, in my own experiences in working with hundreds of companies, those that have a committee with the “right” members drive their information governances programs faster, develop better senior management support and succeed much more often than those whose programs that are run by only one group such as legal or IT.
Your information governance committee should include the following:
- Legal: The legal department, along with IT, is often one of the key stakeholders in these projects. Legal is often driven by policy issues such as compliance and privacy as well as reducing costs and risks for e-discovery. Typical participants might include AGCs, litigators, paralegals and others concerned with effective legal holds and defensible deletion.
- Records/Compliance/Audit: The records management function, whether reporting to the legal group or operations, care about records compliance, document workflow and archiving strategies, and ensuring these policies are followed enterprisewide. Internal audit also is concerned about information governance, especially around controlling sensitive information.
- IT: Sometimes a willing participant, and in other cases reluctant, IT is a key stakeholder, as more than 90 percent of an organization’s records are electronic. IT has a vested interest that the policies developed can be realistically executed. IT also wants to reduce the burden of e-discovery, as well as drive defensible data deletion. Include key stakeholders such as the CIO or director of storage or messaging infrastructure from the beginning. Don’t create a policy independently to be handed off after the fact to IT.
- Information Security: A relatively new member of the committee, increasingly we are seeing the information security function being addressed, or at least in sync, with information governance programs. Information security managers are concerned that sensitive data is being held in secure repositories, and this data does not “leak” to unsecure areas.
- Business units: Key yet often overlooked committee members are business units, including finance, HR and engineering. Some fear including these business units, believing they will only advocate a “save everything forever” policy. Rather, we have seen that when the business units are brought into the discussion early and become familiar with e-discovery and other issues that shape policy, they are not only reasonable, but can become the biggest supporters of information governance policy. Really. On the other hand, when excluded from the policy development process, business units do a pretty good job of slowing or halting programs.
Many companies create a “working committee” with these players, which reports up to an executive steering committee that includes the GC, CIO, CFO, etc.
Larger organizations face a contradiction: With higher litigation profiles and greater visibility for compliance, they have more need for effective information governance. Yet the larger the organization, the more likely that legal, IT and other groups are “siloed” and find it difficult to work on joint initiatives.
Usually during the first meeting with clients I can determine those companies whose information program are likely to be on time, within budget and effective. I only need to look across the table and see who is on the committee.
The next article in the series will discuss which group should own information governance, legal or IT.