Best Practices in Information Governance Enforcement
Technology is a necessary piece in an information governance program, but you also need to employ best practices that will help with enforcement.
Most large companies today have implemented an information governance program, hired IG personnel, or have plans to do so in the near future. Those that have taken the step of getting programs up and running have typically spent a sizeable portion of resources to do so, and are accountable for garnering some ROI from them.
All too often, even after an investment in IG has been made, many projects are not monitored for compliance and success, or they are not kept evergreen, and so fall short of leadership’s expectations for success.
T. Sean Kelly, FTI
Policy enforcement is a challenging task for most organizations -- more so for those in regulated industries that have a highly complex legal and compliance profile. While technology is a necessary piece in ensuring that IG programs are sustainable and enforceable, there are best practices to implement at the outset of any IG effort that will help toward enforcement. These include:
Cross-Functional Support: To be successful, IG must be a cross-stakeholder initiative with sponsorship from top company leadership. Legal, compliance, security, IT, and records departments should work together to determine enterprise-wide initiatives that need streamlining. Stakeholders can partner to achieve their range of unique goals through the implementation of a single IG effort. But before creating a laundry list of needs, the team members must work together to understand the confines of the internal landscape, such as the corporate attitude toward risk and changing business processes.
Executive Sponsorship: An IG project simply cannot be successfully implemented -- or enforced -- without C-level involvement. The key to gaining that executive buy-in is communicating the program’s benefits that will specifically address their pain points. If the executive sponsor is the general counsel, building the risk case for that person is critical. This includes the risk of not disposing of data that has met its retention requirement and is not subject to legal hold. Business leaders or board members will be more focused on the costs and overall impact to the bottom line and mitigated risk.
Change Management: In IG, the course of changing business processes should be rooted in compliance. Change is difficult for many people and becomes exponentially more so in large organizations where a wide range of varying priorities and personality types exist. Effectively managing and enabling change -- and approaching it as a journey -- is essential for anyone looking to drive IG.
Training: When rolling out a new IG initiative, such as a legal hold program or a Microsoft Office 365 migration, it is imperative to have a computer-based training module in place for all users. Executive sponsors can be particularly helpful in ensuring that the training is mandatory for everyone in the organization, a key factor in maintaining long-term viability of IG policies. Training collateral should be tailored to the organization’s unique needs and show users what the new policies look like within the context of their work environment.
Strategic Technology Implementation: Every technology evaluation that impacts the company’s data in any way should involve the legal and/or e-discovery team, in addition to records, IT and compliance. The process should start with clear goals for the project, such as thoroughly retaining data for any custodians that are under legal hold, monitoring activity per compliance requirements, and escalating events of non-compliance to stakeholders. The most critical feature a product should offer is the ability to monitor and flag activity. This will make the biggest impact in achieving and maintaining IG enforcement. Best-in-class products that are purpose-built for the one thing needed will be more successful in doing a thorough job.
When the IT and records departments work strategically with in-house counsel, they can make a huge impact in implementing technology to enforce and support IG policy and track company-wide compliance thereof. The ability to automate IG as much as possible and track compliance across the company is absolutely critical in achieving ROI from the precious time and resources that are invested in building out these programs.
T. Sean Kelly is a Senior Director within FTI Technology’s Information Governance & Compliance Services practice. He advises clients on all aspects of e-discovery and information governance, with particular focus on developing and implementing legal hold processes and technology as well as the legal impacts of migrating to Microsoft Office 365.