Vital Steps of an Information Governance Plan – Part 3
In this next blog, Part 3, I want to go over some important supporting topics for implementation, how this can speed up your progress for compliance and how an IGP can help you in other ways.
Information Access Points – Pull it Together in a Diagram
One thing that can help you speed up the IGP process and give you more control over all these different aspects is to map things out.
What you can look for is any and all access points from a document or piece of information from a staff member or the public. Map out all of these routes and you can see a network of who ‘touches’ what and where. Note who is supposed to be accessing and who is not supposed to be accessing information but CAN access it anyway, etc.
You need to know what is authorized and what is not fully secure for risk assessment. This may include a lot of conversation with your IT department. You may get to know them really well through this process, if not already.
This is just an example, find a way to visualize a map of your target topics to help you form a plan.
Each point of access in your mapping can hold potential for:
- New or updated vital record definition and risk management plans.
- Lifecycle mapping, updating requirements, and researching governance controls.
- Implementation of solutions to cover those requirements if not already reasonable covered.
- Possible redefinition or updated security permissions, access, and sharing.
- New or updated policies and procedures around “use of” and “access to.”
- Training on these new updates or even old policies in a new unit of time.
- Audit and continuity plans that need to be made if not already there.
- And, last but not least, Records Management controls that may not have previously been considered. For instance, adding metadata to content so it can be tracked or labeled for future disposition actions.
Cover Your Assets and Help Yourself in Many Other Ways
If there is anything that is a huge CYA on information management, that would be the IGP. But that is only if the plan is thoroughly covered, fully implemented, and kept up with. But truth is, it does a lot more than merely CYA! In addition to your agencies governance compliance requirements and security standards, it can also greatly help you with electronic content management solutions and implementation projects:
- It can help you comply with Federal mandates, like the 2019 and 2023 mandates.
- It can guide you for implementing NARA’s FERMI requirements.
- It can help you elicit and complete proposals or bidding requirements when searching for electronic management solutions and tools.
- It will help you implement standard business practices so that users are creating and using the content within the compliance framework and much more.
- It can help you create compliant processes for end-users to automate their business actions.
Think of it as one large, high-level requirements and compliance plan. You can forever use your research and this IGP to guide you through the most important aspects from a paper to electronic solutions all over your agency.
Expanding your Knowledge
How is your level of knowledge when it comes to your agency’s systems and networks? This is important too. You need to know how they are laid out, permissioned, and secured. Most records managers are familiar with how their data is being backed up, but do you know the access to these networks?
- Do you have an Active Directory or an LDAP managing your users?
- Does it manage permissions to content on the various points of information access?
- All systems? Or just some systems?
- How is it laid out?
- Who manages this?
- What are the processes?
- Are there any policies in place?
What is in place in your agency for policies regarding Rerecords Management, training, the security of information, sharing of information, remote access, etc., if any? You need to familiarize yourself with every policy your company currently has that discusses information governance. This can even include HR policies and financial policies that protect information or give guidelines for how information and document sharing is to be used in the company. You need to know what parts of the policy need to stay the same and what parts need to be updated and why.
Enterprise Content Management
If not already considered, you may need to invest in an Enterprise Content Management system (ECM) like Alfresco to help you actually implement a lot of requirements on the IGP. Some of you already have one and that is why you need an IGP and some of you will need an ECM to help you achieve compliance on an IGP.
Either way, making the IGP beforehand can greatly help you know what you need for an ECM. However, you also may need to change some detailed procedures, based on the ECM you choose. But, this policy can provide high-level requirements for:
- What is the structure of the security and permissions for the points of access to the ECM?
- Important content lifecycle information that can be extracted from your IGP that can help shape your ECM requirements.
- Important information about metadata that can help shape your content model for the new solution.
- Governance standards and record management control that can help you shape your requirements for the new ECM system or upgrade.
- Support for migration — some information can be extracted from the IGP to help plan for migration.
- The research you do for the IGP can be used to help make decisions in your ECM.
Implementation and Change Compliance
When implementing such a policy as an IGP, it is important you think all the way down the line to the users who will be actually doing these actions. Each section of the IGP must be analyzed with a mind to:
- How? Literally, how will they apply this in the physical universe? Steps/actions users will take to apply this?
- You need to know the ramifications so you can fully understand the possible risks and how to manage expectations.
- Is this actually doable, enforceable as written?
- What effects will this create if these policies are laid out this way, in that sequence, etc.?
- Did you give them deadlines? Are these deadlines feasible? Is there anything that the deadlines ‘did not take into account’? (like major transitions, projects ending, mergers, other major business events that can interfere with these timelines?)
- Is it too high level? Is it too detailed?
- What are the potential ways this will get implemented? Will it get misunderstood? What level of training and audit will be needed?
- Do you have policies and procedures planned to cover each aspect smoothly?
- What are users doing today; will this be a massive change and thus bring about user acceptance issues?
- How can we campaign this so it is more palatable?
Truth is, there are always going to be issued with end-users and implementation. But if you do your homework and really plan out each section with:
- Full knowledge of the activity of the department will affect
- The potential ways this can get implemented and how much it will cost, what are the risks, etc.
- Knowing the intentions and new direction of management
- Keep in mind, “what is the greater good?” (meaning “what is best for the whole agency?”) Is it better to make everyone’s jobs easier? Maybe. Is it better to be compliant so the company and its information are safe? You just may be changing their processes, but it might be vital to do so. This is assuming that the change is important and necessary to the IGP and the company.
You may need to justify the changes or affects this will cause so that the majority of people can’t refuse the logic of the change. Lay out training to help with this and remember the more communication the better. Tell every one of your plans throughout the research and discovery phase of this IGP. Once it comes to their department for implementation, users will already know that it is coming. Just keep stating your case – management at this stage should understand and have your back. If not, that is another campaign but I hope by this time you already ran that one and got the support you need!
Managing Expectations – Communication is Key
One thing that has helped me along the way is managing expectations. This is always a large topic on any project. Everyone sees things differently. Getting everyone “on the same page” can be one of the biggest hurdles. Remember when I said to ‘communicate more and more’? It is true, the more you communicate your intentions, goals, plans, procedures, eventually, your communication will sink in and the “understanding” gets better and better.
People who do not understand, often make fun of or flat out refuse to do things. They can also say they ‘will do it’, but since they don’t fully understand, they will not actually do it. Thankfully, there are some who will tell you they don’t understand, and you can fix that much easier. However, no matter the mix, the more people who understand you, your goals, and why this is important, the more compliance you will get.
“Expectation” is defined by the Google Dictionary as “a strong belief that something will happen or be the case in the future” Or “a belief that someone will or should achieve something.”
It is basically a prediction! Users can predict that something is coming down the line, see better what the plans, purpose and future actions are, and include themselves in the mix and PLAN for this occurrence.
Stakeholders need to be able to:
- Understand the words coming out of your mouth/in writing
- Hear it over and over again, in order for their expectations to be closer to your own – if not the same
- Agree with the plan, at least somewhat, or decide they will comply regardless.
Communication is key, but you have to consider the following:
- You must have their attention so that communication is willingly received (simple but sometimes missed!).
- Communicate clearly so they can receive it easily (clear, short and simple terms).
- Communicate a lot about it, you may need to repeat yourself several times.
- Ask them to repeat what you just told them back to you (this is extremely helpful and if you can find a way to do this without making them feel like you are being condescended, then it can really show you who understands).
- Communicate enough Don’t tell them a small fraction of information and then expect full understanding; don’t leave out important factors that could majorly affect them but also not too much as to overwhelm them with the information they don’t need to know.
- Communicate to the right people, in the right sequence. You may need to go from the top down, or up through the chain of command and back down the other side, etc.
- Answer people’s questions, acknowledge their concerns, keep notes.
- Be ready with charts, diagrams and supporting documentation for those who learn in more visual ways.
- Try to fix confusions and misunderstandings as fast as you can. You need to look for them and try to find the disconnect or disagreement. The disagreement may be legitimate — you may have something wrong on your end. You might need to compromise; keep an open mind for your own improvement as well.
You may be speaking clearly but they may not be understanding you FULLY. Actual duplication of ‘what you are trying to say’ or ‘what is needed’ is what you are looking for.
Logistics of a Successful Project
Most Project Managers are aware of the need for pre-planning logistics. This is another vital part of doing an IGP. You will need to know the answers to the following:
- How much of a gap is there from the current scene to the ideal scene?
- How much work, hours, and resources will it take to go from the current scene to the ideal scene?
- What is the desired timeline? Do you have any deadlines imposed by governing bodies, mandates, audits, laws, leadership or legal counsel?
- What is the realistic timeline considering the available resources (funding and personnel, etc.)?
- What resources do I need in order for this to be successful?
- What resources do I have available to me and for how long?
- What is the gap between the above two bullet points?
- Possible risks involved in timelines, funding, and resources?
Putting together a project schedule, approach and risk assessment are going to be vital for an IGP to stay on track and eliminate risks as best you can before they happen so you can plan for them.
Knowing the basics of Project Management will help you implement a successful IGP. You don’t have to be a specialist to implement an IGP, however, I suggest that you do some research on the basic steps and key aspects of Project Management so your bases are covered:
- Project Initiation & Planning
- Dependencies of successful implementation
- GAP Analysis
- Feasibility study
- Project Plan
- Project Execution
- Implementation of the IGP to completion.
- Deliverables for this IGP mapped and completed.
- Project Monitoring and Control
- Change Control as needed through the IGP project.
- Reporting for the IGP project.
- Quality Control for the IGP project.
- Project Closure
- Closure reporting and monitoring.
To recap what we’ve learned in this 3-part blog series:
- What is Information Governance is and why you need it
- Get to know your agency very well
- Make the decision and solidify your purpose for an IGP. Management should be on board at this point. Get the support from leadership that you need.
- Make an IGP Team
- Be aware of the 5 Phases of the IGP:
- Draw up the plan
- How to implement; start your draft IGP
- Implementation and Change Control
- Audit and Monitoring
- Know what needs to go into your IGP Document
- Introduction, purpose, goals, mission, etc.
- High-level requirements and scope
- Project plan and team
- Project compliance
- Policy and procedures
- Audit and monitoring
- Disaster recovery and business continuity
- Use diagrams that help you map out access/control points
- Think about how things will actually get implemented; make it possible and add realistic targets
- Use the IGP for overall access, control, security and other governance requirements on all sorts of projects and policies. Let it guide your organization to compliance in all areas.
- Use an ECM to help forward your IGP compliance and support.
- Manage expectations and remember that communication is the key.
- Managing the logistics to be sure you identify risks early to your project plan.
Good luck! Let me know if this was helpful or if you have any feedback.
Thank you for reading!
P. S. For your convenience, here are the links to the blog series:
VITAL STEPS TO DEVELOP AN INFORMATION GOVERNANCE PLAN – PART 1
VITAL STEPS TO DEVELOP AN INFORMATION GOVERNANCE PLAN – PART 2
VITAL STEPS OF AN INFORMATION GOVERNANCE PLAN – PART 3