The Information Management Agenda…It’s Plural

CIOs must balance managing internal IT systems with creating business technologies that help win, serve and retain customers, says George Colony, the CEO of Forrester Research. “If you’re a great leader, you should be able to handle two agendas simultaneously.”
-WSJ, February 4, 2015

I had a good laugh at this quote because the CIOs and IT professionals that I know handle a couple of dozen agendas simultaneously! However, it did make me sit back and ask myself:

What are the Information Management agenda(s) in a typical global organization?

We compiled a list of information management agendas that are deeply impacting today’s organizations and their executives. It was more of a brainstorm and reflection than a primary research effort. But it is based on many of our clients’ requests for assistance. What is surprising is the sheer number of information management agendas that face today’s company and even the effort that goes into prioritizing these challenges, as they can’t all be tackled at the same time.

The daunting part is that the eventual information management and governance infrastructure (technological and otherwise) needs to support each of the following agendas appropriately AND simultaneously. In addition, each of the following areas is its own long white paper or short book worth of content. This is a checklist.

We’ve broken our short list of information management agendas into those that are external to the company (i.e. the ‘must haves’) and those that are internal to the company (i.e. the ‘really, really nice to haves’). They are:

1. External IM Agendas: Government and Other External Parties (Some friendly; some not)

  • A) Information Privacy and Data Protection Laws:
    • E.g. HIPAA, Individual Country Data Privacy Laws, US State (e.g. MA) Data Protection Laws, etc.
  • B) Other Statutes and Legislation:
    • E.g. Homeland Security Act
  • C) Regulatory Requirements and Guidelines:
    • E.g. Title 21 CFR Part 11
  • D) Industry Specific Information Production Standards:
    • E.g. FDA New Drug Applications, GAAP Reporting, etc.
  • E) Content and Data Contractual Obligation Requirements:
    • Specific allowed-use requirements for content or data that is purchased or provided by a third-party.
    • E.g. Gartner models and articles that, contractually, aren’t allowed to be shared across the enterprise.
  • F) eDiscovery / Litigation Requirements, and Production Timing and Performance:
    • E.g. FRCP Rules 16, 26, 37, etc. (which are all changing this year…)
  • G) Information Risk Management: Information Protection and Access Management
    • The identification of information liabilities and risks and the actions necessary to mitigate those risks.
  • H) External Party Information Confidentiality Requirements:
    • The expectation that client’s or customer’s information that is maintained by the company is managed and controlled according to the expectations of that client or customer.
    • E.g. The requirement of a professional services firm’s client that the client’s files be secured in a specific manner and hidden from all other non-client teams.
    • E.g. An audit firm that performs professional services for two direct, global competitors. Or a law firm that represents two direct, business competitors.
  • I) External Party Information Access Requirements: Business Partners and Customers
    • This is just one of the agendas that the CEO of Forrester noted in the quote at the start of this article.
    • E.g. The expectation that a customer will be allowed directly into the supplier’s ERP system to view their order’s status. Think Walmart and their integrations with their suppliers. Or ADP and their required integration into their customers’ financial and HR data.

2. Internal IM Agendas: Within the Organization Itself

  • A) User/Role-based Business Information and Functional Requirements:
    • Providing a strong information environment and functionality so that employees can do their jobs quickly, effectively, and flexibly
    • E.g. Portals, search engines, logical content and data structures, ECMS capabilities, RDBMS reports, etc. to support the employee
  • B) Content and Data Processes Requirements:
    • Supportive of automated business processes’ (transactional and non-transactional) content and data
    • E.g. Workflow, ERP processes, transaction content processes (like budgets)
  • C) Employee Access and Rights Management:
    • Who needs to get access to what information, when and from where?
    • How is this managed and controlled?
  • D) Records Management:
    • E.g. Retention schedules, defensible deletion approach, information lifecycle management
  • E) Information Governance:
    • The definitions and operationalization approaches for each of these areas.
    • E.g. Internal policies, procedures, metrics, and oversight roles and responsibilities
  • F) Business Continuity Requirements:
    • Approaches and methods to recover information from catastrophic failures or disasters
  • G) BYOD User Demands:
    • Users’ mobility demands (Access information anytime, anywhere…)
  • H) Information Access/Modification Audits and Tracking Reporting:
    • Capabilities to track information usage, updates, deletions and access to support records management and information risk management needs

Those are a LOT of hoops to make a company’s information management and content/data infrastructure jump through! And meeting those requirements at the same time is on the other side of trivial and easy.

Now, the hard(er) part… Each of these specific information management agendas, External and Internal, has to be potentially applied across the entire set of the company’s information repositories, which could be in multiple locations both inside and outside of the company. Some examples of these are as follows:

Potential IM Repository Types and Locations (in no specific order…)

  • Shared/Network drives:
    • On-prem, cloud
  • Employee “Authorized” Computers, Laptops, Tablets and Smartphones:
    • On-prem, cloud, physical storage on mobile devices
  • Email:
    • On-prem, cloud, physical storage on mobile devices
  • SharePoint and other Enterprise CMS’s:
    • On-prem, cloud, perhaps mobile devices
  • Niche content and data environments: e.g. LIMS environments, contract management systems, DAM systems, etc.:
    • On-prem, cloud
  • System Backup Tapes and Media:
    • Off-site, cloud
  • Websites (Intranet – Employee Only):
    • On-prem, cloud
  • Websites (Extranet – Business Partners, Outsourcers, etc.):
    • On-prem, cloud
  • Websites (Public):
    • On-prem, cloud
  • Voicemails (which are eDiscoverable for litigation purposes…):
    • On-prem, cloud
  • RDBMS/Transactional Systems/ERP Systems:
    • On-prem, cloud, maybe mobile devices
  • Ephemeral Data (which is eDiscoverable in some instances…):
    • On-prem
  • Paper Records:
    • On-prem, off-site (formal), off-site (informal – someone’s home)
  • Internal Company Social Media: e.g. Yammer, IM’s:
    • On-prem, cloud, physical storage on mobile devices
  • External Company Social Media: e.g. Twitter / FB / Customer Response and Communications Systems:
    • Cloud, mobile devices
  • Cloud-Specific Services’ Infrastructures Containing Content and Data:
    • SaaS, IaaS, PaaS systems
  • Employee ‘Disallowed’ (but still frequently used by employees…) Technologies:
    • USB / Portable drives (physical storage on mobile devices)
    • Personal phones and tablets (physical storage on mobile devices)
    • Personal email (Cloud and physical storage on mobile devices)
    • Personal laptops/computers (physical storage on mobile devices)
    • Personal Box/Dropbox accounts (Cloud)
  • Contracted / Outsourced Third Parties: e.g. Contracted Research Organizations, Outsourcers, etc.:
    • Contractors’ private network, cloud

Fortunately not every information management agenda is applicable across every repository or the types of content within that specific repository. Nonetheless, understanding the information management ‘universe’ is a good place from which to start the planning and design processes. There is little room for leaving any gaps in the final information management infrastructure.

And, btw, I count a lot more than ‘two’ simultaneous agendas for the CIO … for just the information management area.
