How to establish good information management policies

We often meet organizations with ineffective governance policies, whether retention policies, information security policies, or information classification policies. The problems often revolve around one or more of the following areas.

 

So, how do you then establish a good governance policy?

Stakeholder involvement with practical evaluations

Ensure the policy is established with the relevant stakeholders, not only within the department responsible for the policy. This should include representatives from:

Don't allow a corporate policy to be developed by just one function if the policy will be used across the corporation.

The update or development of a governance policy should include the following:

Process with continual improvement

Ensure the policy will enable you to set up a process to ensure compliance, detect non-compliance, and respond to non-compliance. The policy needs to change when the requirements change. This could be changes to technology, lifecycle model, metadata model, policies, procedures, training, communication, etc.

Try to ensure the process covers not only HQ but also local offices. This means the corporate process should cover the toughest local requirements. As an example, if financial information needs to be kept for a minimum of 10 years in the EU and 7 years in the US, then make 10 years your corporate retention requirement. If HR files need to be deleted a maximum of 5 years after an employee leaves your business in the EU, and never in the US, then make 5 years your corporate retention requirement.

Training with audits

Ensure the policy can be trained against to ensure correct and consistent behaviour. The policy needs to ensure consistent behaviour by both people and systems. This often includes changing behaviours, which takes time and effort. Just publishing the policy won't cut it.

We achieve this by focusing our training design on:

Technology with metrics

Ensure the policy can be implemented in IT systems and measured. Many enterprises try to use old principles from the paper era to manage information in the digital era, but the growing volume, variety, and velocity of electronic information require a new approach. Let me give you three examples:

  1. Big-bucket retention schedules – don’t waste time creating lots of retention schedules that users and machines will struggle with. The more buckets, the more options, the more errors, the more complexity. Instead, minimize the number of retention schedules to make it easier for users and machines to pick the right retention.
  2. Event-based retention – don’t complicate the user experience and waste IT resources on event-based retention unless absolutely necessary. Event-based retention requires users to add unique metadata to identify the relevant records (e.g. employee number, agreement number), and it requires triggers to be established to start the retention (e.g. an employee leaving your organization, an agreement expiring). Try instead to rely on data-based retention based on information lifespan.
  3. Disposition reviews – don’t waste time on manual disposition reviews at the end of the retention period. A manual review may make sense for Iron Mountain boxes, but not for individual records. As an example, disposition reviews of 1 million records, with each review taking 15 minutes, add up to 31,250 days. Use automatic disposition for records that can’t be kept permanently.

The policy should therefore be practical for both business users and machines. Feel free to contact us if you need help establishing a more future-proof governance policy.