How to secure stakeholder buy-in and get your Information Governance project started

Guest blog: by Matthew Bernstein, Information Management Strategist and Founder of MC Bernstein Data.

Many Information Governance (IG) projects – sometimes even an entire IG 'Program' or function – are initiated when senior management realizes that a specific "issue" requires an urgent and vigorous response. The issue could be an audit finding, a regulatory enforcement action, the advent of new regulations, or an enterprise cost strategy.

For the business sponsor or project manager, it's hard to balance gaining the support of senior management (that we always hear is vital to success) with gaining agreement on what to do and how. How do you overcome the governance delays of "it's too big a task and we need multiple stakeholders' input" while mitigating the execution risk that comes with "we've just got to get started on this project"?

The answer? Break it down into comprehensible components that can be quickly grasped and approved by individual stakeholders with limited knowledge and time. Start by addressing three critical issues that can derail the long-term success of an IG project but that, if established properly up front, can accelerate early wins that build credibility and momentum.

Getting started: three critical issues to address at the outset

  • Remove ambiguity as to the critical objective. Is it risk mitigation, cost reduction, or a business opportunity?
  • Gain insight around where to focus efforts. What are the timeframes and data priorities that will most effectively achieve the critical objective? Should the timeframe focus be to "stop the bleeding" going forward or to remediate legacy systems? Should the data priority be determined by risk, business-unit, region, data store, data type?
  • Clearly define critical activities. There can be a tendency (especially for senior management) to derail an IG project by assuming that what is missing is a particular component of the operating model (people, governance, process, technology), and thus make the urgent development of that solution the critical activity, e.g., a new policy 'framework', or a new enterprise IT solution.

Defensible disposal: a practical example

'Defensible disposal' is of increasing interest to enterprises. But how can you get started on this kind of governance project without charging ahead with the wrong approach?

Defensible disposal can have both a Risk and a Business objective, as conveyed here:

Reduce the amount of data held, to decrease processing costs, streamline control processes, and reduce privacy, eDiscovery, and litigation risks and costs, by disposing of information no longer required for legal, regulatory, or business purposes.

It's easy to see why senior management would support this objective, and have many opinions on what to do! But, to get started, you could ask management to endorse the initial objectives and activities of the program, for example:

"The growth of privacy legislation around the world is creating heightened financial and reputational risks associated with the collection and use of personal data. Thus, the critical objective of the Defensible Disposal Project will be risk reduction: reducing the stores of personal data that the company retains, which would most likely be subject to regulator or consumer challenge.

The largest concentration of personal data is in our consumer banking business and the initial focus of the Project will be on improving information governance in that division to support Defensible Disposal. We believe the greatest risk lies in retail consumer clients' reaction to the collection of information in the context of new product marketing and onboarding.

Key to success will be Regulatory Technology (RegTech), which provides and interprets regulatory intelligence, and privacy program management. With the first, we will establish the set of requirements we are subject to in the multiple jurisdictions in which we operate, and we will gain insight into the remedial actions we need to take to ensure governance. With the second, we will create a suitable knowledge base of our personal data. These are the prerequisites for proposing a disposal plan."

Obviously, establishing these high-level parameters will require initial background work, to understand the concerns of senior management and formulate a meaningful assessment of the organization's current state.

Whatever the urgency, the time and place to discover, plan and agree these initial objectives and activities – to get the program quickly and successfully underway – is right from the start, not mid-project during a steering committee meeting or a presentation to senior management.

Measure twice, cut once…and get going.

About the author: Matthew Bernstein has 20+ years' experience managing information, to help companies assure compliance with data privacy, regulatory retention, and other information governance requirements. Through MC Bernstein Data, Matthew is applying lessons learned in the highly-regulated global banking industry to reduce risks, mitigate potential penalties, and lower costs. Specialisms include: Strategy Formulation and Senior Management Engagement, Information Governance Program Development and Information Management Governance as a Service (policy development, Records Management and Archiving Management, and Controls and Monitoring).