White Paper Information 101

Date Released: September 2017

Melbourne (03) 9690 7222 | Sydney (02) 9258 1056 www.astral.com.au

Information Governance 101 Page 2 of 14

Table of Contents

1. Introduction...... 3

1.1 Information in the Digital Age ...... 3

1.2 A Global Digital Economy ...... 4

1.3 What is Information Governance? ...... 5

1.4 The elements of Information Governance? ...... 5

1.5 Business Challenges, Benefits and Value of Information Governance...... 5

2. Information Management Challenges ...... 7

3. Information Governance ...... 8

4. Benefits of Information Governance ...... 9

5. Information Governance Framework ...... 11

5.1 The Challenges of Implementing Information Governance ...... 11

5.2 Steps for implementing an Information Governance Program ...... 12

6. Factors to Drive Information Governance Success ...... 13

Astral Contact Details ...... 14

About Astral ...... 14

Disclaimer

This White Paper is published for general information purposes only. Nothing in the White Paper is directed at any particular person or organisation. Nor does it address any particular subject matter relating to personal information or privacy law. Nothing in the White Paper is intended as or constitutes legal advice. You, the reader, are entirely responsible for any reliance you make on the information published herein. Please ensure that you obtain appropriate legal advice.

© Astral Consulting Services Pty Ltd (ABN 67 095 048 776) 2017. Astral Consulting Services Pty Ltd (“Astral”) owns the copyright in this document (including the layout, format and template). This document may not be reproduced or used without the prior written consent of Astral.

Information Governance 101 Page 3 of 14

1. Introduction

Information Governance (IG) is a subset of , The Information Governance Initiative defines IG as: “The activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs.” For most businesses, the goals of Information Governance are to:  Treat information as a business asset;  Use information to support business goals and objectives;  Increase the business value of information;  Reduce operational, legal and regulatory risk;  Ensure information is managed in a compliant manner. An IG Framework looks at the way the organisation works with information to deliver business outcomes, incorporating:  The information that is required to complete the business processes that provide each outcome,  How this information is used by the people who do the work to complete the processes, and  The technology to manage the information and enable the people to do the work. The purpose of this White Paper is to introduce the concepts of Information Governance in easy to understand business language.

1.1 Information in the Digital Age No industry in the modern economy has been untouched by the transformation heralded by technology. Over the past few centuries, successive waves of industrial revolution have altered the very nature of business. Earlier phases of this revolution steadily reshaped industry over an extended period.

Information Governance 101 Page 4 of 14

Digitally-driven revolutions of recent decades – powered by exponential growth in computing power and the internet – have radically changed the shape of our economies and businesses in a much shorter timeframe. As a result, global technology brands such as Facebook, Google and Amazon - formed only in recent decades - are among the largest companies in the world. Other parts of the economy are transforming just as quickly. Traditional sectors such as healthcare, transport and finance are now underpinned by digital technologies and the tools of the internet.

1.2 A Global Digital Economy At the heart of this transformation, and increasingly a by-product of it, is digital information. In a global digital economy, information and data has become the “new oil”. Extracting it, and making best use of it, is critical to progress and success. Entire new business models such as Airbnb and Uber, and more broadly the sharing economy itself, have emerged to capitalise on this trend. Existing businesses in other sectors have also recognised the imperative to evolve to be competitive in this digitally-based economy. They have invested in platforms and capabilities that collect and make use of data – to deliver insights, efficiencies and innovative products to their customers. The result has been an exponential explosion in the volume of data being created and managed by businesses. Some estimates predict the volume of digital data will reach 40 Zettabytes by 2020. The volume of information and the rate of growth is too large and rapid to use traditional methods of information management.

Information Governance 101 Page 5 of 14

1.3 What is Information Governance? Information Governance is an enterprise-wide strategic approach to managing the ever-increasing volumes of information. Many leading business organization are adopting Information Governance to better manage and understand their information assets.  Information Governance is a strategic, top-down approach to managing all aspects of information within the organisation, in line with the strategic objectives of that organisation.

 Information Governance provides the framework, systems and processes for ensuring the value of information is maximised and risks are minimised.

 Information Governance looks at all information, regardless of its format. This includes structured information such as databases and unstructured information such as documents, emails and rapidly growing social media.

 Stakeholders of Information Governance include internal and external stakeholders, including internal users of data, risk and compliance teams, executive and board members, and legal and regulatory bodies.

 Information Governance is a subset of corporate governance – it is a strategic rather than tactical discipline, which aligns information management with business strategy and processes.

1.4 The elements of Information Governance? There are many elements to Information Governance with the major ones being:  Information Management   Cybersecurity   Privacy  eDiscovery  Data Analytics  Risk & Compliance Other elements include:   Data Science  Enterprise Architecture   Business Intelligence

1.5 Business Challenges, Benefits and Value of Information Governance. The business challenges driving business uptake of Information Governance include:  Information explosion – typically 80% of information is unstructured,  Cost growth of keeping information for ever,  Increased risk and complexity,  Responding to regulatory requirements,  Proliferation of systems and outsourcing of IT,  Increased risks of cyber attacks.

Information Governance 101 Page 6 of 14

The value and business benefits of Information Governance can be categorized into the following groups:

Information Governance 101 Page 7 of 14

2. Information Management Challenges

The increasingly large stores of data, and the potential to extract value from them, represent a tremendous opportunity for business. However, this also presents significant challenges, outlined below. Dealing with these challenges – cumulatively – now exceeds the capabilities of traditional methods of information management. Unmanaged, these information management challenges have the potential to substantially disrupt the operation of an organisation and undermine the benefits from its digital investments.

Information explosion: Stores of data/information are larger than ever and growing rapidly – volumes typically double ever 12-18 months. This data is also increasingly dispersed, through growing use of mobile and cloud technologies and the geographic spread of a global technology market. Unstructured information which presents greater challenges in terms of risk management and extraction of value – is also increasingly prevalent. Typically, 80 per cent of information in an organisation today is unstructured.

Cost growth: Despite its promise of efficiencies and insights, the accumulation of data can quickly become a burden. In many organisations, the explosion of information has brought a sizeable increase in storage and retrieval costs, not to mention impacts to productivity, and the need to maintain a more complex landscape of systems. In many instances, storage growth is outpacing IT budgets.

Increased risk and complexity: Information is now collected, processed and exchanged between a growing number of internal and external systems. Understanding data flows and monitoring regulatory compliance has become increasingly difficult. Further, in order to manage the growing stores of information, businesses are shifting data to offshore locations and third parties, which further incurs security and compliance risks. Assurance over the data protection and information governance capabilities of third-party service and infrastructure providers is difficult.

Regulatory scrutiny: Regulatory scrutiny on protection of data is becoming more intense, in line with increased customer expectations. New data protection regulations are taking effect across the globe – including General Data Protection Regulations (GDPR) and mandatory data breach reporting – posing compliance costs and complex new challenges. Responding to legal investigations and meeting compliance and privacy requirements has also become costlier due to the volumes of data needing to be searched.

Cyber risk: Cyber threats are growing in volume and evolving in sophistication, with breaches and cyber-attacks regularly and publicly impacting major brands. The resulting reputational damage has translated into economic impacts of affected organisations. Increasingly, the likelihood of being the target of a cyber-attack is inevitable.

Information Governance 101 Page 8 of 14

3. Information Governance

Traditionally, addressing the challenges associated with the management of information within an organisation has fallen to disparate disciplines. For instance, compliance teams respond to regulatory challenges, cyber security functions manage the systems and tools that protect data, while other aspects of data and information management sit elsewhere. As the previous section outlined, in today’s digital context the growing number and complexity of challenges associated with information has outpaced traditional information management disciplines. More importantly, as information has become a strategic business asset, forward-thinking organisations are demanding more than a collection of fragmented and operational approaches to the way this information is managed and governed. Instead, they require a holistic and strategic approach that better supports their need to maximise the value of information and minimise its risks. Information Governance has emerged as a consolidated and strategic framework that meets this need.

Information Governance can be viewed as an umbrella concept that describes all information management activities. The information Governance Initiative (IGI) provides a definition of Information Governance as: - the activities and technologies that organisations employ to maximise the value of information while minimising associated risks and costs.

Information Governance both unites the disciplines focused on data and information and provides strategic and executive focus to the value and cost of this information. It also allows boards and executives to better understand the value of information within their organisation, and to see how investments in technology align with strategic priorities. As a result of the historical siloed approach to managing different components of information across organisations, different people have different understandings of the elements of Information Governance and the associated terminology which is clarified below, both at a high level.

The major elements of Information Governance are:

Information Governance 101 Page 9 of 14

4. Benefits of Information Governance

In an information-driven economy, improved decision-making around the use of information is critical to business and competitive advantage. The establishment of an Information Governance program immediately supports this strategic imperative, by providing an organisation with:  Recognition of information as a strategic asset,  A strategic framework to ensure technology investments align to organisational strategic objectives and priorities; and  A clear strategy and improved accountability for information, which enables the Board and executives to have strategic oversight of the value, cost and risk associated with an organisation’s information.

The various Information Governance elements can deliver business outcomes in the following areas:

More specifically, Information Governance delivers specific business benefits in three areas:  Risk mitigation • Helps organisations avoid or mitigate information-related risk, including regulatory and legal risks, • Supports an improved ability to proactively meet compliance obligations, by introducing the right systems, polices and processes in relation to information usage and retention, • It understands key risks events, including the growing risk of cyber attacks.

 Efficiency • Control over the dysfunction, duplication and waste created by information silos, • Reduction in storage and eDiscovery and minimise data breach costs, • Common approach to information management, more consistent rules.

 Business value • Better decision-making, • Improved trust in the quality of information, • Drive activities that extract business value from information, including data analytics (extracting advantage from unstructured information is a promising area). Information Governance 101 Page 10 of 14

It’s also worth noting that while identifying a measurable return on investment from governance activities can be challenging, information governance delivers tangible bottom line benefits:  Lower storage management costs – A 2015 Information Governance Initiative study found that 40% of an organisation’s network drive content is junk: • 10% is of no business value, 25% is superseded / out of date / older than legal retention periods / beyond technical viability and5% is duplicated. By deleting valueless data and reducing storage growth by only keeping information that is required by the business, information governance drives a reduction in the costs of storage and the management of the information.  Increased productivity – Countless hours are spent by employees locating information to do their jobs. Information governance can support the recovery and redirection of this valuable time towards more productive activities.

Information Governance 101 Page 11 of 14

5. Information Governance Framework

An Information Governance Framework looks at the way the organisation works with information to deliver business outcomes, incorporating:  The information that is required to complete the business processes to provide each outcome,  How this information is used by the people who do the work to complete the processes, and  The technology to manage the information and enable the people to do the work. An Information Governance Framework provides a common set of rules and processes for the management of information assets. It identifies the key stakeholders involved in Information Governance within the organisation, and the ultimate business outcomes sought. Ultimately, successful implementation requires a balance across all business drivers and stakeholder requirements.

5.1 The Challenges of Implementing Information Governance A key challenge of an IG program is to balance the need to meet legal and regulatory compliance with the operational needs of the business and its users. More organisations are starting to see that an IG program with processes that are unnecessarily restrictive will in fact limit its adoption in the organisation. As controls and processes are introduced as part of the IG program it is important to understand the ramifications for the business and keep these in mind as the IG program progresses. Common challenges experienced include:  Most IG initiatives do not have stakeholders across the enterprise, they are driven from a specific area such as legal, records management, risk, security.  Most enterprises approach IG from a compliance perspective rather than seeking to achieve more value from information or from lowering the cost of managing the information in an organisation.  Typically, when implementing a solution, the Taxonomy is designed from analysing business artefacts rather than the processes that create, search for, and reuse these artefacts to add business value. Focussing on business processes supports increasing value rather than just managing data. Information Governance 101 Page 12 of 14

 To drive an enterprise initiative around IG, the focus needs to be in creating value. It needs to apply end to end across the business and be closely aligned to the business processes of the organisation both structured and ad hoc.  A key challenge of an IG program is to balance the need to meet legal and regulatory compliance with the operational needs of the business and its users.  More organisations are starting to see that an IG program with processes that are unnecessarily restrictive will in fact limit its adoption in the organisation.  As controls and processes are introduced as part of the IG program it is important to understand the ramifications for the business and keep these in mind as the IG program progresses.

5.2 Steps for implementing an Information Governance Program As a strategic endeavour, an Information Governance program must be a holistic, organisation- wide initiative to be successful, driven by top-level sponsorship and a consistent approach. Suggested initial steps are: 1. Senior Executive buy-in with an understanding of Information Governance concepts and the strategic value of information assets. 2. Establishment of Roles and Responsibilities for implementing and monitoring the IG program across the organisation, at a minimum, this includes:

• The IG Sponsor (Senior Executive) • The IG Steering Committee • The IG Project Team • Subject Matter Experts from the business 3. Understand the current state – what information, who owns it, who uses it, what is the business value, how is it managed, what are the risks and what are the internal and external requirements of how it should be used and managed? 4. Establish an Information Governance Program - The primary project deliverables of an Information Governance program include:

• IG Strategy - sets the direction for IG based on business needs and strategic objectives of the business.

• IG Framework - defines the enterprise requirements across all components of IG to meet the strategic requirements.

• IG Roadmap - Defines the initiatives that need to be performed to embed the IG Framework and improve IG maturity. 5. Develop Information Governance Policies, Standards and Procedures 6. Establish a base line and measure progress on a regular basis.

Information Governance 101 Page 13 of 14

6. Factors to Drive Information Governance Success

The right conversations - Information Governance means many things to many people. Before engaging with stakeholders, you need to make sure you are having the right conversations in a language that your stakeholders understand.

Align IG to business objectives - Traditionally the drivers for an IG program are regulatory or legal compliance. In highly regulated industries this can be enough of a “big stick” to ensure its adoption, for many organisations though it needs to show greater value. The IG program must also:  Address the needs broader than just these legal and regulatory compliance;  Be connected to business objectives;  Tie into other organisational initiatives and programs of work;  Be included as part of any new solutions or processes from the beginning that impact on how uses manage information. Positioning IG holistically to drive compliance and deliver business value will vastly increase the business acceptance.

Apply subtle change to IG - Deploying the whole IG program at once in a ‘big bang’ manner increases the risk of failure by overwhelming the organisation. Instead by introducing these changes progressively across the organisation it increases the chances of success and provides the opportunity to refine the IG program before each successive role out. This can be achieved many ways:  Focusing the program on certain information types exposed at the highest risk initially;  Performing a staged deployment department by department;  By embedding new processes as part of other projects, process or system changes;  Including IG Roles and responsibilities in broader organisational changes.

Gain business support early - After establishing the scope and breadth of the IG program of work it’s imperative to gain the support of the business before diving into the deep end. This is achieved by:  Establishing the right sponsor. Sometimes the best sponsor comes out of areas other than Legal or Risk or Compliance. For example, an IG program that initially focusses on improving value of customer information, while still meeting regulatory compliance, should be driven by a sponsor from the sales or marketing as they will resonate most with the stakeholder impacted by the initial change;  Including the business in the development of the IG framework as involvement creates ownership;  Focusing the program on the business value of IG;  Avoiding over use of noncompliance “scare tactics”;  As business support increases it can then be used to create a critical mass for success across the rest of the business. Information Governance 101 Page 14 of 14

Key Learning – it is all about your people

Astral Contact Details

For further information, please contact:  Marie Felsbourg (Astral CEO) (ph) 03 9690 7244, (m) 0417 564 085, (e) [email protected]

About Astral

Astral Consulting has been a leader in information management and the implementation of business change for over 15 years. We have implemented solutions that include policies and business rules, covering end-to-end business process and integrating structured and unstructured information. Our skills and experience combine to build compliance into process and enable end users to optimise both business and compliance success. Astral is an organisation highly regarded for its knowledge, advice and independence. http://www.astral.com.au/