Four Critical Tips to Creating Effective Information Governance Documentation

This blog post is adapted from conversations with Gene McKelvey, CEDS, Internal Auditor and IS Project Manager with e-discovery responsibilities at Michelin USA and Nishad Shevde, Vice President of Professional Services at Exterro.

Most professionals are familiar with the idea that large-scale organizational changes require executive buy-in. The risk, though, with common knowledge like this is that some people may not think deeply enough about how to get buy in that they may “go through the motions” of getting buy-in without understanding what it really takes.

If you’re implementing an effective information governance program, you need to start at the top of your company’s org chart—and creating an executive steering committee is a good start. Typically comprised of c-level stakeholders representing Corporate IT, Risk Management, Compliance and Legal, this group serves as the governing body of your IG program. Functionally, they provide strategic direction and a decision-making body responsible for overseeing the program.  Practically, the Steering Committee arbitrates competing priorities and supports the necessary organizational behavior changes.

For the highest levels of stakeholders, you need to speak to strategic, high-level metrics that they need to understand IG’s value to the company and to steer the program appropriately. What are the high-level themes they need to understand? Does litigation risk management drive the program? Protecting intellectual property? What are the costs or potential liabilities of unnecessarily preserved data becoming discoverable?

But if you look one or two levels down the org chart, say at the leadership of the risk management or compliance group, what are the operational metrics they need to manage the program effectively? Is there an audit program in place? How do we audit? Identify groups that need more support to meet targets? The foundation of a successful information governance (IG) program is the documentation that lays out the policies that members of the organization will be expected to follow. But in a technical field like IG, where policies often attempt to balance multiple goals (such as regulatory compliance, knowledge management, and defensible disposition of data), it's all too easy to get the document wrong. You could end up with something that's not practical or contradicts itself and ends up shoved in the digital equivalent of a bottom desk drawer.

Thankfully, we've got some tips for you to keep in mind when crafting IG policies to make sure they end up useful and, more importantly, followed.

Simple, clear information governance policies are best

When developing your policy documentation, keep it simple. The goal isn’t to have the most authoritative IG document ever; it’s to have the document read and used by your team members. If you write the policies and procedures equivalent of War and Peace, no one will read and follow your IG policies. If you can't explain your policies and goals in a succinct and persuasive elevator pitch, chances are people won't understand them--and they won't follow them. 

Don't try to cover everything with your IG policies

If you do, chances are you won't be doing anything well. Pick and choose what is most important for your organization to manage. Focus on the items with the largest risk or benefit to your organization. You’ll get more buy-in, from both executives and team members, and you’ll make a disproportionately large impact with your efforts. Trying to manage everything from paperclips to corporate records will only serve to divert you from your core mission.

Understand the particulars of your organization

Depending on your organization’s industry, your legal, regulatory and compliance needs may differ. Financial firms may need to preserve certain types of data for much longer than retail organizations. While IG isn’t just about the legal and regulatory needs, you may have knowledge preservation needs. Think actively about what types of knowledge provide the highest business value to your company? They might be worth preserving longer to reap the full benefit of accumulating the data. On the other hand, what sorts of data can you afford to dispose of as soon as legal or regulatory requirements are met? 

Make sure to address data security

Data breaches compromising customer data like credit cards and health information have become commonplace, so your policy should also address the necessary protections of privileged data, as well as its creation, management and disposal. It’s important to make sure you’re disposing of private or privileged data in a secure manner, but it doesn’t remedy the real issue if the information has been insecure throughout its useful life.