“What if ants were as big as dinosaurs?” I remember asking my kids that question, forever ago when they were young. Maybe the thought came from reruns of old monster movies, like the 1954 classic Them! (pictured here). Anyway, it was a cool game, for as the ant’s size multiplies, the laws of math, physics, and biology play their part:
- The ant’s exoskeleton wouldn’t be strong enough to support the increased weight, so an internal skeleton is needed.
- Gravity would play havoc with the ant’s open circulatory system, so a closed system is crucial.
- The ant’s energy needs would soar, and so a different diet and digestive system are required.
- The ant’s newfound size would totally alter its place in the food chain (The Lion King, “Circle of Life,” right?), driving fundamental changes in behaviors and capabilities.
- And on, and on.
Until we finally end up with an ant the size of a dinosaur … that looks a lot like a dinosaur.
But what’s this have to do with Information Governance?
It turns out that organizations are a lot like that ant. What works fine in a small, uncomplicated environment totally changes as the organization grows in size and complexity. Anyone responsible for compliance at a maturing startup, or at a company experiencing organic or acquisition growth, will know this as obvious. Information Governance policies, controls, and rules could be a bit loose when the organization was small, and probably were so. But as the company grows, things change. What sort of worked before, in a “good enough” way, is no longer even close to what’s needed in a larger, more complex organization.
Some organizations react to this by piling on, adding more policies, more procedures, more detail, more control. This approach can backfire. It adds further complexity, like gasoline on the fire, overwhelming the bandwidth of employees and decision-makers, who are already struggling with the innate complications of the organization’s growth.
And so, the lesson is that as the organization grows in size and complexity, its Information Governance rules need to be simpler. Not simplistic, but simple. Think of the iPhone, with computing power and functional complexity unimaginable decades ago, yet with an intuitive user interface featuring a single button – and no instruction manual.
What does this mean for Information Governance?
Reconcile the rules
- Don’t have totally separate information rules for siloed disciplines, such as records retention, data security, and litigation preservation. Instead, have rules that govern your information in a way that addresses compliance and risk for all of these considerations. The reconciled rules can still be expressed in separate policies and workflows, but they will align with each other, instead of working at cross purposes.
Simplify the rules
- Elevate to a “Big Bucket” retention schedule, with fewer, larger record series. Granular retention schedules are too long to follow, and odds are that different record types are commingled in common data storage repositories without a viable way to execute differential retention periods.
- Smooth out your retention periods for more uniformity. After confirming the legally required retention for your various record series, round them up/off to be more compatible with each other.
- Limit your security classification categories to three or four, with straightforward rules for security controls.
- Distill your legal hold process for clarity on what is preserved, when, by whom, from where, how, and for how long.
- Elevate and shorten your governance policies, so that they clearly reflect authorities, expectations, and consequences.
- Push yourself to distill even further – based on real-world compliance and risk, how can we make this even more straightforward?
Hardwire the rules into workflows, systems, and repositories
- Minimize the need for people to find and make decisions about the right retention periods, the right security safeguards, and the right legal hold actions for all of the information they handle all day, every day. Instead, embed the right rules into their workflows and into their data systems and repositories. If you apply the right retention rules, access and other security controls, and legal hold capabilities directly into your data systems and repositories, and align these with workflows, then people simply need to follow their workflows and put information where it belongs. Retention, security, and holds apply at the “container” level – the people simply need to put the information in the right container.
Keep granularity local
- There’s still a need for details in how to apply the simplified organizational rules, but keep this local. The Payroll group doesn’t need to know the intricacies of how the Quality team manages its information, nor vice versa. But each of these groups should have the distilled specifics of how their own team properly handles its information. So, each group’s procedures, file plans, directory structures, and system and repository access and controls should directly address what the group specifically does with the information it handles.
Train, measure, and report on the simplified rules
- After you’ve simplified, reconciled, and hardwired your rules, you should be left with a highly distilled rule set. Much of that rule set is applied directly to systems and repositories. But the human element remains, and is critically important, in following expected workflows and avoiding behaviors that result in compliance exposures and risk. This is what you emphasize for training.
- Use the overall distilled rule set for audit/assessment and for measuring and reporting on performance to Information Governance goals.
Less is more. The larger and more complex the organization, the simpler its Information Governance rules should be … lest it go the way of the dinosaurs.