
Management support is crucial for success with Information Governance initiatives. This is not merely a question of initial project and budget approvals. Most Information Governance initiatives involve behavioral changes in how data is handled, and in many instances, aspects of organizational culture may be impacted. No matter the ultimate benefits, any initiative involving behavioral change will require committed support by management to overcome initial push-back. And because effective Information Governance is an ongoing business process, rather than a one-off project, continuing tone at the top is essential.
Attention is always in short supply in organizations – executive focus even more so. Given that reality, your IG initiative will more likely secure the ongoing support it needs if the initiative (1) focuses first on a concrete, measurable project; (2) advances higher-level, strategic objectives for governing the organization’s information; and (3) aligns with the organization’s business model. These three elements will provide both the foundation for your initiative and the fuel for attaining it. They are also invaluable in demonstrating how the initiative will be relevant to the organization’s success.
The Project(s) at Hand
In most organizations, abstract notions alone are simply not compelling enough to secure resources and drive change. So, what do you specifically and concretely want to accomplish now, in the short run? What would be a meaningful improvement in governing information compliance, cost, risk, and value, but not such a time-consuming, against-the-odds effort that it will squander momentum or risk early failure? And what project will involve active participation of some or most of those you want to be involved in your ongoing initiative, to foster collaboration and ownership?
Common projects under Information Governance initiatives include one or more of the following: (a) reducing email volumes, (b) controlling unstructured data in file shares, (c) mitigating legacy troves of paper or digital records, (d) applying security controls to protected data and repositories, (e) controlling data compliance and risk with service providers, (f) preparing for data breach response scenarios, or (g) simplifying and improving legal hold processes.
Proper framing of a specific IG project clarifies who should be involved, when to start, what resources are needed, and what project success will look like. Specific projects also tap into a sense of urgency, to get and keep things moving.
A quantified IG business case is best done in the context of specific projects, based on the particular project’s scope, expected outcomes, and the data targeted. Which measures are pertinent to the business case will depend upon the project’s nature and purpose. For example, let’s say your initial project will focus upon gaining control of excessive, uncontrolled email volumes. For that project, one can quantify measurable hard cost savings (such as from reduced storage costs and allocated system support costs) and soft cost savings (such as from faster information retrieval, improved productivity, and business process efficiencies). Remember to account for the cost of expected growth in email volumes over time when comparing the status quo approach with the cost reductions to be achieved.
Risk mitigation can also be quantified, such as for an email volume reduction project. The value of potential ediscovery costs and data security exposures can be estimated based on the data volumes within project scope. For example, though there are many variables in calculating ediscovery costs, processing costs can range from $25 to $100 per gigabyte, before review fees and production costs. Considering that data volumes in IG project-targeted repositories may range from hundreds of gigabytes up to multiple terabytes, the ediscovery cost of unnecessarily retained data looms large indeed.
As for quantifying data breach costs, the 2024 IBM/Ponemon annual report Cost of a Data Breach documents the high cost of breaches, with significant variations per industry. Other sources indicate an average cost of $169 per compromised record, though the evolution in attack vectors, such as the rise in ransomware, has made it more difficult to reliably tie the overall costs of data breaches to the number of compromised records. But what remains true is that data breaches are expensive, and there cannot be a breach of data that has already been compliantly disposed of.
Selecting the right initial project(s), determining outcomes and measures, and preparing the business case are important groundwork for your IG initiative. But to help secure resilient management support for an ongoing initiative, you’ll also want to tie the individual projects to strategic objectives, discussed next time.