Information Governance

Subscribe to Information Governance

SARS-CoV-2 or 2019-ncov coronavirusIn early 2018, outbreaks of a novel parainfluenza virus erupted in Frankfurt, Germany and Caracas, Venezuela.  United States soldiers serving abroad contracted the virus, and an exchange student returning to a small New England college campus triggered the initial cases in our country.  The virus spread by coughing and caused severe symptoms in about half of those infected, killing 20% of severely ill patients.  With no vaccination available, the novel virus spread rapidly across the globe.  Within a year, the virus – Clade X – killed 15 million Americans and 150 million people world-wide.

This actually happened two years ago … in a tabletop exercise hosted by Johns Hopkins Center for Health Security in Washington D.C.  Like its predecessors Dark Winter (2001) and Atlantic Storm (2005), the Clade X tabletop exercise featured subject matter experts in the unscripted roles of senior U.S. government officials reacting to a dense, unfolding fact pattern, based upon extensive scientific data and modelling, that realistically captured the likely variables and decision points in response to a national security crisis.  This time the crisis was a global pandemic, and Clade X revealed significant gaps in our pandemic response preparedness.

Clade X was not our most recent pandemic test event.  From January to August, 2019, the U.S. Department of Health and Human Services ran the Crimson Contagion planning exercise, with officials from a dozen states, various federal agencies, and non-governmental organizations working through response to a simulated viral pandemic originating in China.  Crimson Contagion’s findings were specific, blunt, and bleak, revealing widespread confusion between federal agencies and also between federal and state actors in coordinating response actions, such as in defining which workers were “essential,” handling school closures, and procuring sufficient personal protective equipment, ventilators, and medications.

Beyond “pre-mortem” exercises, post-mortem reviews identified our strengths and weaknesses in handling actual outbreaks, such as the July 11, 2016 NSC report capturing extensive lessons learned from our response to the 2015 Ebola outbreak.

The Lesson for Information Governance?
Continue Reading Pandemic Lesson 3 for Information Governance: Testing the plan matters

SARS-CoV-2 or 2019-ncov coronavirusEisenhower famously quipped “plans are worthless, but planning is everything.”  His point was that though a plan may not anticipate every contingency, the rigors of the planning process are essential for preparedness.  That’s true for everything from WWII to pandemic response and to managing information risks and opportunities.

So, did the United States have a plan for pandemic response, and what were its key elements?

Yes indeed, the Bush administration developed plans and recommendations for U.S. infectious disease response, and these were built upon by the Obama administration.  Key elements included the following:


Continue Reading Pandemic Lesson 2 for Information Governance: Planning Matters

SARS-CoV-2 or 2019-ncov coronavirus“If anything kills over 10 million people in the next few decades, it’s most likely to be a highly infectious virus, rather than a war.  Not missiles, but microbes.”  That’s from Bill Gates’ 2015 TED Talk, in the midst of the Western African Ebola outbreak.  Gates added “W]e’re not ready for the next epidemic….  With Ebola, the problem was not that we had a system that didn’t work well enough.  The problem was that we didn’t have a system at all.”

Let’s fast-forward to a couple years ago, the 100th anniversary of the 1918 flu pandemic.  What should have been understood in 2018 as the risk, in the near-term, of an epidemic or pandemic with major impact in the United States?

Understanding risk is how we address uncertainty.  Whether you prefer the common definition of risk (the possibility of loss or injury) or the more technical concept under ISO 31000 or COSO’s ERM Integrated Framework (the effect of uncertainty on objectives), understanding risk requires us to evaluate the likelihood and severity of potential outcomes.  Understanding risk also requires us to evaluate our current readiness to mitigate or control the risk, in light of our risk tolerance.

So, in 2018, what did we know about the likelihood and potential severity in the United States of epidemics and pandemics, and what did we know about our readiness to respond?
Continue Reading Pandemic Lesson 1 for Information Governance: Understanding risk matters

People on peak mountain climbing helping team work , travel trekking success Management support is crucial for successful Information Governance initiatives. This is not merely a question of initial project and budget approvals. Most Information Governance initiatives involve behavioral changes in how data is handled, and in many instances, aspects of organizational culture may be impacted. No matter the ultimate benefits, any initiative involving behavioral change will

People on peak mountain climbing helping team work , travel trekking success

Selecting the right initial project(s), determining outcomes and measures, and preparing the business case are important groundwork for your Information Governance initiative, as discussed in Part 1.  But to secure resilient management support for an ongoing initiative, you’ll also want to tie the individual projects to strategic objectives for Information Governance at your organization.

money blowing awayI’m here at RabbitHole, Inc., talking with the company’s Manager of Money in his office, which is buried in the Facilities Department, down in the building’s basement. I’m interviewing him to get a better sense of how RabbitHole manages money as a corporate asset.

Pardon my asking, but how much money does RabbitHole have?

“Frankly, no one knows – we don’t really keep track of that. We have boxes of paper currency stored off-site, but as for ‘active’ money, our employees keep that pretty much wherever they choose – in the network money systems, in their individual offices, in mobile wallets, and probably some stashed at home.”

But isn’t that your job? I mean, you’re the “Manager of Money,” right? 

“Nope – that’s indeed my title, but I don’t have the authority to manage all of RabbitHole’s money. My focus is just on the paper money, not electronic accounts and transfers. And I only keep track of the paper currency that is boxed up and kept off-site – what employees do with money day-to-day is up to them, their business units, and the company’s Money Policy.”

What does the Money Policy say?
Continue Reading What if companies treated their money like their information?

Our firm’s elephant icon is a nod to The Blind Men and the Elephant, the familiar, age-old parable for how we often do not see the big picture, but instead only the parts we directly encounter. And so it goes for organizations’ data. Individual company functions and departments often have their own, limited perspectives on information, seeing only the risks and opportunities with which they are directly familiar. Limited perspective yields limited perception – not a good thing for identifying, understanding, and controlling organizational risk.

I actually prefer a slightly different version, The Blind Elephants and the Man:

One day, six blind elephants were in a heated argument about what Man was like. To resolve their dispute, they sought out and found a man. The first elephant “felt” the man and then proclaimed “Man is flat.” Each of the other elephants, in turn, felt the man, and they all agreed.

The moral? Limited perspective not only yields limited perception – it can also lead to very bad results.

“Information Governance” has become an overused buzz-phrase, often trotted out as marketing mumbo-jumbo for selling technology tools.  In all the hype one can easily lose track of what it really means.  At its heart, Information Governance is no more – and no less – than making sure the organization sees the big picture of information compliance, cost, risk, and opportunity when making strategic decisions.

The Information Governance perspective is a ready-made, scalable resource. Any organization can make meaningful headway, right away, by simply adopting an inclusive IG perspective when addressing information matters, before investing in significant organizational changes and expensive technology tools.

What does this mean? Simply this – whenever any information-related issue is dealt with or decision will be made by your organization, be sure to ask the following:
Continue Reading Why govern our information? Reason #2: Your information risks and opportunities arise from a single source – your data. Your response strategies should be synchronized too.