by Martin Atherton
Governance is a term you’ll have heard bandied about a lot, usually with ’risk’ and ’compliance’ in tow. It has been used so much there was always a danger it would become just another piece of worn-out jargon.
But recent Freeform Dynamics research suggests that, for many organisations, empty words have been replaced by action.
Governance is no longer a dusty corporate mantra or an overused buzz-word but is something that actively influences strategy and decision-making.
Think of it as an old word given new relevance at a time when doing the right thing has never been more important and more transparent.
But what are we supposed to be governing? The answer is ourselves and our business. How do we know we are achieving what we set out to achieve? By ensuring that we know what we’re supposed to be doing in the first place.
Then, by ensuring that we have the right level of control over what we do as a business, and most importantly, what we do business with. What is the common element you cannot do without to be in business, or be without to know if you are doing business properly? You already know the answer: information.
Business intelligence (BI) fulfilled corporate performance management requirements for some. But now that entire businesses can live or die by having or lacking the right controls to capture and exploit information, the original premise of BI suddenly looks inadequate for the needs of modern businesses.
So can a broader approach to governing information help a business use its resources more effectively? More importantly perhaps, what activity should such an approach stimulate?
Scratch below the surface, and a governance-led approach to information immediately butts up against its symbiotic twin – information management.
Information management enables a governance-led approach to information, which in turn dictates information management. But this is where things can certainly get difficult for most organisations. Capabilities have fallen behind modern needs.
Research findings suggest that the leaders and laggards are not yet separated by much distance, such is the relative novelty of taking a broad, organisation-wide approach to information governance.
Forward-looking organisations tend to take a broader view of risk when conducting business planning, which helps focus on areas outside of regulation and compliance. These firms are starting to capture information-related breaches dictated by rudimentary policies.
But at a capability level, most organisations find themselves wanting. To comply with information delivery requests is problematic, time-consuming and – for 50 per cent of organisations involved in litigation – considered a bad experience.
Information retention policies are either non-existent or all-encompassing. Keeping everything isn’t really a practical policy, especially if there are no policies and tools in place to identify, locate and control sensitive information.
Indeed, information classification is a prime example of an under-resourced area. Few organisations have the capability to do this.
As a pivot point between causes of problems and a source of relief from them, it could almost be the poster child for a campaign to remind organisations of the critical nature of getting to grips with their information: if you don’t even know what information you have, how can you manage it and protect yourself as a business?
Yet there is a way round this that doesn’t involve starting from scratch. Many organisations have made investments in specific areas to enable compliance to the multitude of industry and regional regulations that are a condition of doing business.
Indeed, most organisations do have areas of excellence when it comes to capturing, storing and making sense of specific types of information. It’s just that the goodness was never spread further than was absolutely necessary to meet a given compliance mandate.
If you fix lots of things on the ground, it is difficult to know what you are building until you’ve finished. If you drive policy and guidance from the top down, and seek to instil commonality, repeatability and consistency, you can then hive off tasks to regional, departmental or line-of-business activities because the goals are consistent with the broader strategy.
An information governance approach needs to be driven from the top. This is the difference between creating yet more islands of automation, and being able to apply guiding principles across an entire organisation.
So higher level ownership is vital, as is the need to seed the capabilities gained from addressing stringent compliance mandates into everyday working life. Thus the increasing volumes of potentially sensitive information can be gradually brought under control.
Ultimately, if your organisation is considering governance but is unsure of where to start, a focus on information is an area that is likely to show up multiple areas of exposure to risk. By default then, it offers numerous opportunities for improvement.