How to implement good information governance

At the beginning of a new year, most people turn reflective, assessing the year that just ended and planning for improvements in the year ahead. One area that receives a lot of attention around this time is compliance, as businesses finish another financial year. However, compliance is only one component of something much larger which businesses should be giving attention to: information governance.

Information governance should be a critical initiative all year, every year, as looking to short-term solutions that only address particular deadlines and mandates can lead to costly decisions in the long-term.

It’s time for organisations to shift their perspective and put systems in place to address information governance (and required mandates) both now and for the years to come. Like all good New Year’s resolutions, making this change has the potential to be transformational, but only if organisations stay the course. Putting some good practices into play now can help pave the way for a more successful 2016 and beyond.

Why should you take notice of information governance?

While the term is often used interchangeably with compliance, information governance is much more. It is the strategy behind the effective management of information’s authority, control, accessibility, and visibility throughout the information lifecycle. Furthermore, information governance brings much greater value to organisations as it can uncover business opportunities as well as protect them from security threats. In short, compliance is the end goal and information governance is how you achieve it.

Good information governance comes back to these simple questions:

• How are your employees working?
• Where is your business’ information being stored?
• Do you have full control of that information?

Unfortunately, most organisations would answer 'no' to the last question. A study conducted by the Association for Information and Image Management (AIIM) found that while around two-thirds of organisations had some level of information governance policy in place, nearly one-third admitted that their inferior electronic records kept causing problems with regulators and auditors.

What are the common pitfalls?

The risks associated with poor information governance vary from the unfortunate to the catastrophic. At best, out-of-date information may be used and then commitments have to be honoured based on this inaccurate information. At worst, hackers gain access to your network and get a hold of sensitive information. In between are the all-too-often incidents of information mismanagement and employee use of unsanctioned tools.

Consider the old workhorse of communication: email. The very structure of email systems puts valuable information at risk. Servers pass confidential information back and forth, and then store it for specific account holders. Once an email leaves the sender’s server on its journey to the recipient’s server, the information contained within the email is frighteningly available for interception. Emails are notoriously insecure and vulnerable to security threats, and yet countless employees use email as a method of sharing sensitive information. And it gets worse: a recent survey conducted by Alfresco showed that fifty four per cent of end users have turned to their private email for work, likely due to the limitations of enterprise email.

While email is usually controlled through an organisation’s network, there are other methods of information sharing that are not controlled by the IT department. Many knowledge workers have turned to consumer solutions to provide collaboration and access capabilities not enabled within the enterprise. These 'Shadow IT' solutions can pose a grave security risk for organisations, from information leaks enabled by insecure practices to failing compliance with regulations governing information management.

Another pain point is the lack of policies around other tools such as instant messaging and social media. A recent AIIM study reported that thirty seven per cent of respondents agreed that there are important social interactions that are not being saved or archived, while less than fifteen per cent of organisations included social postings in their information governance policies, opening up the enterprise to risk.

How to turn your information governance around

Most organisations have focused on putting compliance, management, and security controls in place, but what is really required is information governance. With some simple steps, organisations can be in good stead for the rest of the year and beyond.

1) Audit: Dig in and understand the range of information that needs to be managed and where it is currently being stored.

2) Prioritise: Organisations then need to prioritise this information and the associated processes to assess the level of risk: compliance risk, regulatory risk, and reputational risk. For ease of management, this should be consolidated to a minimum at this stage.

3) Define: Next, retention policies need to be decided: what needs to be kept, for what purpose, which employees need access, and for how long. The information should be stored where it can be most effectively used to address both business objectives and risks.

4) Clean: There should be a regular check of what information is maintained; pruning old data will reduce the costs required to store it, and deleting or archiving content once it has outlived its useful life should also be encouraged.

5) Control: Finally, get a good handle on Shadow IT. Restrict access to non-approved tools and stop the uncontrolled copying of content as employees save files to personal file-sync services.

6) Create: Most importantly, create an information management system and employ the tools to support it that your employees find easy to use, so that they will, indeed, use them.

With a good information governance system in place, organisations can take information in any format; analyse what needs to be preserved and protected and what can be permanently discarded; sort and inventory it; and provide management, access and monitoring controls. Being able to say you know how your employees are working, where your information is being stored and that you have full control of that information will lead to increased efficiency and productivity in 2016.

Paul Hampton, Senior Director of Product Marketing at Alfresco
