Principles of Holistic Information Governance


This previous post was about the need for holism in information governance. This post brings up topics that you’ll have to deal with in defining holistic information governance. (I think I’ll refer to these as PHIGs – Principles of Holistic Information Governance). This isn’t going to be exhaustive or ultra-detailed; it’s just a list to guide where you need to pay attention.


1 – Information is an organizational asset.

In the course of our employ we produce and receive information. It doesn’t belong to us, it belongs to our employers. As such, we need to treat it like any other corporate asset. Even if you use a personal device to produce the information, it still belongs to the organization.

Assets have acquisition costs, maintenance costs, residual value (sometimes), and get disposed of at the end of their useful lives. Tell me how this doesn’t apply to information.

If you do not understand this, stop reading and go away. There is no hope for you.

2 – Understand what you’re using information for.

How does information help you achieve strategic objectives? A government entity and a direct-to-consumer sales organization may use some of the same information, but they will use it differently and for different purposes.

Understanding what you’re using information for ought to help you understand what information you actually need.

3 – Understand where it’s coming from and where it’s going to.

Information doesn’t just magically appear; it comes from somewhere. You need to identify your internal and external information sources.

Most organizations don’t just fire information out willy-nilly. Information is intended for specific audiences, for specific purposes. You need to understand what effect your information is intended to have, and who you want/need it to affect.

4 – Understand when you need it.

The next person that says “I need this yesterday.” wins a smack in the head with a frozen mullet (the fish, not the hairstyle).

Information is needed at various points in business and decision-making processes. Is real-time information really necessary or can you wait a few minutes or hours for it? Figure out when you actually need the information in order to make a decision.

5 – Understand who can and should be using it, and for what.

This is not just about security, though that’s a big piece. This is also about getting the information out to those that need it or to those that you want to influence with it. Think about it in terms of getting your message out to your target audiences.

Once the information has found its way to the audience, what are they going to do with it? Are they going to make a decision, buy something, receive a benefit…?

6 – Understand your social, regulatory, and compliance obligations.

Depending on what you do and for whom you do it, you have information-related obligations. Some of these are imposed by statute, some by convention, and some are self-imposed. These obligations determine how long you must keep information, what you can do with it at the end of its life, and to whom you may or must disclose it when asked.

7 – Understand your information-related risks (too much, not enough, disclosure, etc.).

If some of your information leaks, what’re the consequences and can you live with them?

If you’re overwhelmed by information how does it impact performance?

If you’re missing information can you still get stuff done?

How likely are you to be sued?

8 – Understand how stakeholders are interacting with it.

It’s not enough to know what your stakeholders are doing with information. You need to figure out how they’re doing it. It’s not enough to identify the types and locations of devices that stakeholders are using; you also need to find out if the interactions are passive or active.

9 – With few exceptions, information has a finite useful life.

Unless your information has historical/archival/archeological value, get rid of it as soon as you can. It’s not just about the whole discovery/litigation thing; it’s also about de-cluttering and being info-efficient.

Information is a perishable good; once it’s stale or rotted, get rid of it.

10 – Make someone accountable.

Overall organizational performance, financial performance, legal, technology … they all have single-role accountability and responsibility. As, arguably, the second most important asset of an organization, information deserves at least the same level of attention as finance, IT, HR, legal, etc.

A C-level executive needs to be accountable for how information is governed and managed across the organization.

The End

None of these ten “principles” is much good on its own; they only work as a whole. Other than the first and last, the key is to go only as deep as you need to in order to make things work for your organization. Nobody is expecting perfection; things just need to be good enough.

I’m not trying to downplay the difficulty in formulating information governance policies and procedures. However, much complexity can be avoided if common sense is applied and business objectives remain the primary focus.

PHIGs  - the slide deck …

Posted in ECM, General, Governance, Information Management, Planning, Records Management, Requirements

Supreme Court of Canada Gets Privacy Call Right: Let’s Keep Going


Please note, I am not a lawyer, nor have I played one on TV (though I really liked Boston Legal). I’m also not a privacy expert, but I really value mine. Like, really value it. I mean it.

Earlier this week, March 27th to be precise, the Supreme Court of Canada ruled that authorities need a wiretap warrant to “intercept” text messages, the same as they need for listening in on phone conversations. You can read the full ruling here and you can check out CTV’s take on it here. For you non-Canadians, CTV is one of our national broadcasters.

In essence, the court opined that text messages are equivalent to an electronic conversation and should be afforded the same level of privacy. So far so good, but what I want to know is what makes communication a conversation? To my mind, a conversation occurs when one or more parties are interactively using their words and their ears. Whether the conversation occurs on the phone, in person, over computers … whatever, makes absolutely no difference. At the same time, what excludes electronic communication from being a conversation?

Is a chat via instant messaging not an electronic conversation much like text messaging? True, the devices may be different, but it was the court that stated that the technology should not matter. Are private/direct messages via social networking sites not private conversations? Is an email thread between specific individuals not sometimes a private, electronic conversation?

My point is this …

If we’re going to hold the authorities to a higher standard when they want to “listen in” on our conversations, we need to be very clear about what a “conversation” is. If text messages require a wiretap warrant (btw, what about texts stored on the device?), then so too should instant messages, private/direct messages, and some emails.

I’m in favour of providing the authorities with the tools they need to effectively deal with crime and criminals, but not at the expense of my privacy.

Posted in Communication, General, Privacy

Policies First – Holism in Information Governance


If it doesn’t work manually, automating won’t do diddly for you; policy comes before procedure.

Somebody asked if auto-classification and retention / disposition processing had been tested in court. I’ve not been directly involved with any cases, but yeah, these things have been tested. Sometimes they passed the test, other times not. So what? The issue was not with the technology.

The thing is, if the tools you’re using are automating or supporting policies and procedures that won’t stand up in court, the tools aren’t going to help you. The purpose of tools is to implement sound policies, not to define them. They’re tools, for pity’s sake; they’re dumb. If your policy’s flawed the only thing that automation will do is allow you to make more mistakes in less time.

Back in November of 2012 I attended a Contoural event in Chicago to take part on a technology panel. As I was listening to some of my fellow panellists, something struck me (no, not a projectile from the audience) …

Silos and point solutions (as concepts) were mentioned a few times. Now, the focus of the panel discussion was about how to get rid of evidence in case there was any inkling your organization would end up in court as defendant. Yes, we were advocating defensible disposition and not the Ollie North method of litigation preparation. We were five techno-numpties at the front of the room, talking about how to prepare for legal action. This, my friends, is a silo’d approach. Yes, I understand that you can’t go back and start from scratch, but you can set things up for the future so that you don’t need to scramble.

The key is to define holistic Information Governance (IG) policies. By holistic I mean policies that not only cover your keester in court, but also ensure that your information is useable on a day-to-day basis. Anyone who thinks that IG is only about risk is wrong. W-R-O-N-G, wrong.

Pop quiz: What’s more risky to your organization? Not disposing of content when you can, or not having the right information to make sound business decisions?

Governance done right not only keeps you out of jail, it also helps you run your business. An holistic Information Governance model has to cover what corporate users can do with corporate IT assets (acceptable use), who can access information, how information is organized, how and when information is disposed of, whether or not user provisioned devices are allowed, etc. IG does not only cover content that’s stored in ECM-type repositories; IG covers any and all content under an organization’s custodianship (including stuff you’ve sent off to 3rd party storage providers), regardless of location or format. Yes, IG covers your ERP, CRM, LOB, and other systems. If you’re responsible for it, your IG model better address it.

Don’t get all freaked out and start thinking that IG is there to control the business and run the entire show. It’s not. IG is there to make sure the business has the best information possible to conduct core business activities. That’s it. IG supports the business, IG doesn’t run the business. IG doesn’t even dictate what technologies to deploy. It does, however, define what many of the functional and non-functional requirements are for managing an organization’s information.

Because I know some of you are gonna harp on the legal aspect …

Done right, Information Governance will help you prepare for litigation. Being in a position to defensibly dispose of content is a benefit of IG. But, defensible disposition should not be achieved at the expense of being able to conduct business and making good decisions. IG helps by balancing the need for risk mitigation against the information requirements of the core business. E.g.: It may be completely (legally speaking) permissible to turf those invoices, but is there information contained in the invoices that ought to be extracted and stored in a data warehouse for future use? If you approach IG in a fragmented fashion you’ll never know. Or you’ll know and never sort it out because all your stakeholder groups will be arguing about it forever until legal finally wins but compromises your ability to successfully run your business.

True Enterprise Information Governance (EIG) takes an holistic approach to identifying what an organization’s information needs, risks, and responsibilities are. Risk mitigation is balanced against business need and the likelihood that a risk becomes an issue. Information is organized so that those who need it can get it when they need it, but the information is also secure. Information that is outdated and no longer relevant is disposed of, defensibly. Information is an asset; Information Governance ensures that the asset is managed appropriately.

And lest ye think that Information Governance applies only to large corporations and governments … you’ve got another thing coming. The only organizations that don’t need IG are those that don’t use or produce information.

For a little more about my thoughts on IG, read this post from Sept. 2012; it’ll give you a bit more insight into where my head’s at.

Posted in ECM, General, Governance, Information Management, Requirements

A List – 10 Anti Predictions for 2013


Here’s a slideshare version of this post … http://www.slideshare.net/ChrisWalker7/a-list-10-anti-predictions-for-2013

  1. We’ll stop talking about social as if it’s something new.
  2. Everyone will understand the cloud.
  3. No one will buy anyone.
  4. Social networks’ terms of service will be transparent, easy to understand, and favour the user.
  5. People will stop caring about the Kardashians, Honey Boo Boo, and the Royals.
  6. RIM will be sold off in pieces, like black market organs.
  7. No one will dust off an idea from 20+ years ago, give it a new acronym, and call it new / the next big thing.
  8. Procurement departments will focus on value instead of cost.
  9. No one will sue anyone.
  10. BYOD

Posted in ECM, General, Rants, Social Business, Social Media

BPM vs Workflow – Which to Choose


Workflow is the steak, BPM is the whole frickin’ cow (or some such silly comparison).

FYI – I work at OpenText and I used to work at Oracle. This post is neither endorsement nor condemnation of either company. Actually, I’m not endorsing or condemning anything or anyone. Except hot dogs, I really like hot dogs. I fully endorse hot dogs. Oh, I condemn sweet potatoes, beets, and Justin Bieber.

At the end of October I was in Vancouver at an Enterprise Information Management (EIM) 101 breakfast thingy being put on by OpenText. Part of the seminar dealt with OpenText’s Business Process Management (BPM) solutions (yes, there’s more than one). After the BPM spiel some guy asked if he needed workflow or BPM, or words to that effect. His question is one I’ve heard often over the years in seminars, on projects, during sales pitches, in training, etc. Many people that I’ve spoken to & overheard are thoroughly baffled by what the differences are between workflow products and BPM products, never mind trying to figure out which they need.

In part, this bafflement is caused by people not understanding the differences between processes, workflows, and activities (tasks), from a non-technology perspective. The bafflement is also caused because we (vendors) have done a crappy job in articulating the differences between BPM tools and workflow tools, and that BPM tools can execute workflows, but workflow tools pretty much suck at BPM but can execute a business process.

Before I provide an answer and my take on it, here are some definitions that I’ve been using (I didn’t make them up) for many years:

  • (Business) Process – a series of related workflows that produce value for an organization. Typically involves multiple roles & multiple business units
  • Workflow – a series of related tasks required to complete a portion of a process. May involve multiple roles & multiple business units
  • Activity – a single piece of work that must be completed in order to allow a workflow to progress. Involves single role & single business unit

Within the context of ECM a workflow takes place wholly within the ECM toolset. A workflow is used to route content through some path, usually for some sort of approval, review, editing, and so on. Typical scenarios include routing contracts, approving and editing press releases, updating policy documents, etc. These flows may cross departmental boundaries, but they don’t cross application boundaries (i.e., they are executed entirely within the ECM toolset). Don’t think that just because they stay within the confines of an ECM tool that workflows are by default simple. I’ve designed SOX-compliant contract approval workflows for a Canada-based biotech firm that were freaking complicated, but could easily have been contained within ECM workflow from most of the Gartner ECM MQ upper right quadrant residents.

BPM is more involved than workflow. If done correctly, BPM takes an holistic approach to defining, analyzing, simulating, executing, and monitoring an organization’s business processes (yes, multiple processes because a BPMS can manage inter-process interactions) from end to end. A Business Process Management System (BPMS) contains multiple pieces, in addition to the simple ability to define and execute business processes. In my opinion, the most important pieces of a BPMS are the enterprise service bus (ESB – allows communication between various applications), the rules engine, and the ability to constantly monitor and improve.

So, back to the Vancouver dude’s question … You need both BPM and workflow if yours is an organization of a size and complexity just a little above any mom and pop pizza shop & herb outlet. You already know (‘cause I just told you) that your ECM workflow engine can’t do BPM for you. What you need to ask is if your BPMS can do workflow that leverages the content in your ECM system.

Point to Ponder: Why do you think ECM vendors have acquired BPM companies? I’m not answering for you; I just want you to think about it a bit.

Posted in BPM, ECM, Workflow