The first part of this post described how Information Governance consists of two domains: the first, Performance, concerns itself with the contribution of Information Technology to the organization’s competitive position; the second, Conformance, concerns itself with the compliance of the organization’s Information Technology with laws and regulations as well as the voluntary compliance standards the firm may adopt.
These two domains, while largely different, share commonalities, but more importantly, it is the CIO who is responsible for melding both aspects of governance into a single strategy and executing against it. It is this balancing of what are often opposing forces that requires a CIO to master the Yin and Yang of Information Governance.
The second part of this post deals with how to successfully balance the Conformance and Performance aspects of Information Governance.
How the Conformance and Performance functions differ
Information Governance Performance exists on a continuum of return on value. It is judged based on its enablement of the firm’s strategy. Does the governance of IT result in a price advantage to the firm or provide a differentiating strategic capability to the firm? There is a clear opportunity cost to IT Performance. Most of the IT budget will be allocated to maintaining shared functions, so only a small portion of the budget is available to be used for enabling differentiating capabilities. Assuming a cost leadership strategy based on IT is also difficult since most IT capabilities are readily available for adoption by your competitors. In the end, IT leadership is as difficult and as rare as business leadership. In devising your IT governance strategy you have complete freedom bounded only by your imagination, budget and capacity to create change in your organization and in your market.
Information Governance Conformance is closer to a binary test: does the IT function comply with the regulations and laws required for IT in your industry and in the jurisdictions in which you do business? In most firms, there are far more compliance needs than there is budget available to deal with them. Compliance needs must be filtered through a risk assessment to deal with the most serious risks first. The risks themselves should be filtered through the firm’s ‘risk appetite’. If your business has been found in violation of a requirement to retain records or protect privacy, you will likely be judged more harshly for subsequent violations. In devising strategies to achieve compliance, you are more limited in your choices. In the end, your choices are those that will be accepted by regulators, judges and juries.
How the Performance and Conformance functions are alike
Notwithstanding the differences between Performance and Conformance, they share three common foundational approaches as well as the need for some common tools. Here is where the Yin and Yang balance comes into play.
As the old adage says, “You can’t manage what you can’t measure, you can’t measure what you don’t understand, you can’t understand what you haven’t defined.” You would not try to manage a business’s funds without a complete, dynamic knowledge of the firm’s cash flows in and out. You would not try to manage the firm’s human resources without a dynamic knowledge of its employees. You would not try to manage a supply chain without a complete list of your vendors. So how in the world do you think you can manage a firm’s IT without an inventory of what information you have and where it is? I am amazed how often my clients have no clear picture of their Information and IT resources.
An IT Inventory is required to support both the Performance and Conformance domains of Information Governance. You cannot begin to measure the benefit of information or its compliance without a current inventory of Information, Hardware and Software assets.
A series of overlapping inventory measures are needed to assure the conformance of IT; among these are:
- Data Map: A Data Map is a requirement for eDiscovery. Counsel need to be prepared to identify where potentially relevant ESI resides and who the custodians of that ESI are. For the purposes of both discovery and compliance with cross-border data transfer prohibitions, you need to know the geography/jurisdiction in which the data resides.
- Records Retention Schedule: Every firm needs a Records Retention Schedule, but that is just the beginning. You can’t manage the retention of electronic records without knowing the applications that contain the records as well as the custodians responsible for managing them.
- Private Information Inventory: Given the requirements to protect private information, you need to know where the private information is.
- Essential Information Inventory: The foundation of a functioning disaster recovery plan is knowing what information and applications are essential and ensuring that provisions for their backup and recovery are sufficient for your purposes.
Tools available for creating and managing information and IT inventories are not as mature or integrated as we would like, but are getting better all the time. Mature application portfolio management suites are available from IBM, CA, HP and others. Most of the functions in these tools are geared more to the Performance than the Conformance domain. To these tools you can add and integrate Conformance Management tools from vendors such as PSS and Exterro. The latter tools provide functions for Information Policy Management, Data Mapping, Litigation Hold and Privacy Mapping (though to implement privacy mapping you may well need a Data Leak Protection application). One of the most difficult tasks in bringing your applications under control is identifying the actual contents of your applications; tools such as IBM’s Automated Content Assessment suite and IBM’s Data Discovery suite can be used for this purpose.
As Frederick the Great said, “He who defends everything, defends nothing”. A Balanced Scorecard is the best means I know of to focus on those things that are most important to a business — including the value management of its Information portfolio as well as its information compliance efforts. The Balanced Scorecard was developed in the early 1990s by Robert Kaplan and David Norton (KPMG Peat Marwick/Nolan Norton & Co., where I worked during the time it was developed). The Balanced Scorecard is imperfect, but it is the best tool available to translate strategy into action.
There is so much information about the Balanced Scorecard available that I won’t go into detail here. Suffice it to say that the two elements that make a Balanced Scorecard so valuable for both the Performance and Conformance functions are that it requires you to prioritize your objectives into a small, actionable list and to devise a set of metrics for achieving those objectives. A Balanced Scorecard forces one to filter one’s strategic priorities and measures progress towards success through a combination of quantitative financial, operational and satisfaction measures. As Kaplan recently noted in an interview, the recent financial crisis underscores the requirement to supplement these measures with a set of ‘Risk’ metrics which account for a range of business risks, including those risks which, though rare, can have a material impact on the business — what the author Nick Taleb calls “Black Swans”.
It is no surprise that, while the Balanced Scorecard is the most widely used strategic framework in the Fortune 1000, with more than 53% of firms using it, according to a recent Foster Research paper on the transformation of the CIO function the most widely used IT strategy tool is ITIL.
What could say more about the disconnect between business leadership and IT leadership than their divergence on the tools used to run their respective domains? Moreover, while a Balanced Scorecard is highly customized to a business’s particular competitive environment, ITIL is a cookbook for IT.
According to a recent Forrester survey, half of IT shops have no mechanism at all to charge back IT costs to business units, and only 25% charge back all of their IT costs to business units. It’s no wonder that IT budgets are out of control and business units prioritize all IT needs as “high”, thereby frustrating both Performance and Conformance efforts. I have seen this in practice in my consulting work. You talk to the business unit representative and they tell you that they need to keep every bit of information forever, yet when you talk to their IT support people they tell you that the business never asks for any information more than a year old and relies on the data warehouse for long-term views. These same organizations now have warehouses full of tapes, not to mention Records Management and eDiscovery nightmares.
IT Chargeback underscores how Performance and Conformance can be brought into a complementary balance. Reducing information to only that which provides real value to the business reduces the cost to the business, which frees up funds to spend on IT capable of providing differentiation. At the same time, reduction of information simplifies most compliance tasks. IBM and AIIM both refer to something they call “Information in the Wild”, or uncontrolled information. Information which is worth retaining is worth bringing under control. If the information is not worth bringing under control, then the only question is whether you have a compliance need for it.
IT chargeback is where you will find the money to pay for the Performance and Conformance improvements you want to make, as well as the lever to accelerate the change to governable information. The movement to Cloud Computing will make it easier to implement chargebacks. Most internal IT shops have neither the time nor the inclination to develop robust IT provisioning and chargeback infrastructures, whereas most Cloud vendors have spent considerable resources developing the means to support multiple flavors of chargeback.
The Yin and Yang of Information Governance is all about carefully selecting the handful of initiatives which yield improved information governance performance and then quantitatively measuring your success against your goals. Jazz musicians often say, “It’s not about the notes you play, it’s about the notes you don’t play”. The same is true of information governance strategy: you can only afford to play a few notes, so choose them very carefully.