Why Establish an Information Governance Strategy for M365 and Beyond?
Updated: Sep 6, 2020
Many organizations are now using Microsoft Office 365 (M365) for collaboration, but with lacking or sub-optimal information protection and governance. The consequence of this is poor information findability, trustworthiness, and completeness for users, and operational, legal, and financial risks for the organization. As an example, GDPR compliance requires data minimization and storage limitation, which means storing personal identifiable information forever in M365 will create a legal risk when (not if) you have a GDPR audit.
Know your goal before starting the journey
While working for AIIM (Association for Intelligent Information Management), I researched success factors for implementing content and records management systems. Below are some of the findings.
Image source: AIIM
Many organizations realize that they should have better defined a strategy outlining their goal and to-be state before starting the journey. If you don´t know where you want to be, how do you know that you are going in the right direction? Based on the strategy, it is then important to understand your critical success factors, use cases, and requirements. Without a clearly defined strategy, you will often waste time and energy researching and discussing different options and requirements.
Success is 80% about people, 15% about processes, and 5% about the technology. If it doesn´t provide value, it will fail. If users don´t like it, it will fail. An effective Information Governance program can´t therefore just been seen as a technology implementation, - it has to be a joint effort with the business.
Strategic Benefits of Information Governance
When companies buy software as a service, then the only lasting asset is the information. Effective customer engagement, business operations, and compliance all rely on one thing: effective information management. Information Governance seeks to meet the needs of the total organization (line of business, IT, and Compliance) with optimized information management practices. Our engagement with clients therefore start by identifying business goals and user frustrations to ensure we establish an information governance program that provides value to the business, not only ensuring compliance.
Benefits to consider:
Establish a foundation for digital transformation - using master data as metadata for unstructured information enables you to connect information across your organization. It will then be easier to start business transformation initiatives.
Add value - better connecting people, information, and knowledge will improve customer engagement and create a more effective workforce. This results of this could be increased sales (McKinsey claims that 35% of Amazon´s revenue comes from recommendations) and/or increased workforce productivity (e.g 5%+).
Identify new opportunities - historic information may be used to predict - and change - the future. This could be estimating when a customer may decide to cancel their subscription, when crime will happen, when a student may decide to drop out of college, etc.
Minimize risks - it could take 10 years to establish your company as a solid brand, but only 10 minutes to destroy it if sensitive information is lost or misplaced. We need to implement retention and disposition to meet GDPR requirements for data minimization and storage limitation.
Reduce costs - better information management will help to improve and automate information intensive processes. It reduces the process and transactional costs, e.g. cost to process a claim, service a customer.
Operational Benefits of Information Governance
Our client engagements focus on identifying uses cases and requirements that an information governance program must support, but also the operational benefits of better better information protection and governance. This provides you with a business case for establishing a new information governance program. Some sample benefits:
Improve search - better access to information will reduce the time knowledge workers have to spend looking for information.
Improve knowledge sharing - better control of your sensitive information means you can open up access to non-sensitive information.
Single source of the truth - better information governance means knowledge workers can trust the information they find. They know it is the right file, right version, etc.
Improve business continuity - better information governance means that information assets are locked and protected. You are only able to recover deleted or old versions for 90 days with the Microsoft E3 license (365 days with the E5 license), and you avoid this being an issue with record labels in Office 365.
Improve information security - knowledge workers collaborate with people both inside and outside your organization. better information governance means that sensitive information is protected wherever it may go (e.g. automatic encryption), or you can stop if from leaving your organization.
Reduce IT costs and risks - Microsoft E5 Information Protection and Governance is not only found to be better to manage information in Office 365 than many 3rd party content management systems, but it is also sometimes 10x cheaper. This is therefore an opportunity to reduce technical dept and operational costs and risks by replacing and sunsetting 3rd party content management systems with Office 365.
Legal Benefits of Information Governance
Information governance will ensure compliance with legal regulatory requirements for record keeping, but also privacy requirements for security by design, data minimization, and storage limitation. Benefits to consider:
Ensure regulatory compliance - there are a myriad of regulations that require an organization to keep information for a minimum set of years, but privacy regulations that require some information to be deleted when customers or staff leaves to meet principles of data minimization and storage limitation. Storing information forever in Office 365 is therefore not compliant with GDPR and similar privacy regulations. Better information governance will ensure you meet legal reguirements for both minimuim and maximum retention.
Reduce eDiscovery costs - research by CGOC some years ago found that 68% of information kept by organizations is ROT - redundant, trivial, and outdated. Better information governance allows you to automate the deletion of ROT, which will significantly reduce your eDiscovery costs.
How do you achieve this? Based on the above goals and requirements, we develop a governance program for continuous improvement with KPIs, roles and responsibilities, change management, and technology improvements. The goal is often to better connect people, information, and knowledge while making information protection and governance transparent and inherent for users. The technology blueprint and plan usually covers the following:
Information protection and governance for M365 and beyond - Microsoft has a number of tools for information protection and governance. Based on the client´s requirements, we often end up with a technology blueprint that covers M365 site configuration/provisioning with default metadata to improve search and governance, script to get default metadata on pre-existing sites, retention and record labels for ensuring compliance, sensitivity labels for protecting information, and retention policies for automating records management and protection.
Replacing legacy systems with M365 - Cloud platforms like Office 365 configured the correct way is an opportunity to move away from important information being stuck in a myriad of content silos. My old colleague Hanns Kohler-Kruner's team at Gartner said a few years ago: "Enterprise Content Management is dead, long-live Content Services Platforms". During my almost 15 years at AIIM, I also realized that ECM means for most customers Expensive, Complex, and Minimal. Expensive since it cost an arm and a leg to buy and implement, complex since it was difficult to implement and use, and minimal since users found it difficult to use and therefore ended up storing documents and records in other systems. Organizations need instead secure and compliant platforms that manage information with apps and components on top of it. It doesn't make sense in the cloud era to install a new information silo based on purpose (e.g. publish to web) or value (e.g. records management). A connected platform will make it easier to manage and protect the information, users will benefit from better information discovery, and the business will benefit from a more effective workplace in addition to possible cost savings from sunsetting legacy systems that the platform can replace.
How good is M365 for managing and protecting documents and records? Can it replace your legacy ECM systems? Let me give you two examples.
One of our global clients operating in a highly regulated industry with almost 40,000 users assessed several of the leading content management systems for the best approach to manage documents and records in M365 and beyond. SharePoint Online with record labels was the clear winner as it was native and the most integrated of all the solutions. This allows for “compliance by design” to embed compliance into the Microsoft cloud platform. Users continue to work with information (e.g. tag a file as an NDA, business workflows), and retention policies with record labels provides compliance by applying the right retention and disposition automatically. This automates records management with SharePoint Online and record labels.
Another global client highly with over 80,000 users has already come to this conclusion. M365 is the new corporate content and records management system. They have now replaced both OpenText and HP with M365 – which has improved access and significantly reduced their operating costs. As an example, the annual cost of a leading content management system for 2,000 staff often costs more than M365 E5 Information Protection & Governance add-on license for 20,000 staff.
Feel free to contact us if you need help establishing an Information Governance Strategy. Let us help you establish a business case for change and ensure support from both business executives and users. Some other relevant blog posts: