The need to mitigate glaring exposures has caused organizations to act in haste, implementing information risk management (IRM) strategies that are technology-led, narrowly focused on emails and lacking a comprehensive view of broader requirements.
Audits and studies within most organizations will clearly demonstrate to executive leadership that millions of electronic records are not being managed, exposing the organization to unnecessary risk. Pressure from legal, compliance, records management and business lines has created a sense of urgency among CIOs to address this problem. As such, a mandate will often trickle down from the top IT executive in the form of the following edict:
"We need to manage our electronic records and we need to do it now."
This perceived need to 'do something' will lead to a project that is defined, funded and kicked off with a firm 14-month schedule. The project will be heavily technology-laden with clear plans for infrastructure and applications (often wired based on legacy email or document management systems).
At the July 28 Peer Incite research meeting we heard four practitioners underscore that the starting point for an information management strategy should not be the technology implementation; rather, CIOs need to develop an information and records management (IRM) strategy and roadmap before allocating funds for technology.
Specifically, CIOs need to appoint an information management head who will lead the formation of an electronic records roadmap that envisions managing different types of unstructured data (e.g. email, IMs, documents and other business records). The roadmap should articulate the following:
- Basic principles and objectives,
- A methodology to automate data classification,
- Records management policies and procedures,
- Educational materials (for communicating 'the why'),
- Training materials (for transferring knowledge of 'the how'),
- Auditing and compliance parameters and metrics,
- A lifecycle strategy/plan for continuous improvement.
CIOs need to recognize that maturity levels and requirements will differ between various divisions and departments, and as such the outcomes will likely be a set of system and user deliverables that are diverse but share a common set of fundamental capabilities.
Out of this sequence a technology strategy becomes apparent, and implementations have a higher likelihood of meeting business expectations.
Action Item: For the past five years, knee-jerk reactions to information risk have led to technology implementations that are built on fragile or non-existent IRM roadmaps. The result has been flawed technology implementations that don't adequately address fundamental risks. In order to reduce wasteful spend, lower organizational risk, and develop systems that scale, CIOs must initiate the development of clear IRM strategies as the starting point. This effort will provide a credible means of guiding subsequent technology investments and improve overall business value.
Footnotes: Contributions for this piece came from:
- Jennifer Winch - Pacific Gas & Electric Company
- Sam McCollum - Enmax
- Fareed Hosain - Standard Chartered Bank
- Michael "Mick" Talley - University Bank