If I had to encapsulate in one phrase everything I’ve learned about doing information governance (IG) and related disciplines over the last 20-odd years, it’s that you should be pragmatic. Being pragmatic does not mean being shoddy, either by solving the problem at hand in a way that hinders other initiatives or the “big picture,” or by neglecting compliance obligations, or by accepting too much risk. Being pragmatic means being creative and rigorous in how you develop and assess your options to achieve your IG objectives.
Here are four examples of such rigorous, creative pragmatism:
1. Clarify the scope of IG and don’t overreach
Start with a clear definition of what you’re trying to do. The best general definition I've seen for information governance is Robert Smallwood's: "information governance is the control of information to meet your legal, regulatory, and business requirements." It's a great start because it's accurate and simple -- it avoids the trap of being a laundry list written in legalese.
But I’d respectfully tweak it to clarify it and guard it from overreach and failure. I’d say: IG is the control of information to meet your legal, regulatory and business risk requirements. Information governance doesn't address all your business demands -- its primary focus is on "defensive" business requirements as opposed to "offensive" business requirements. IG’s primary focus should be on controlling the risks and costs (primarily risk-related costs) of your information. It doesn't primarily address the offensive requirements of operational efficiency or meeting customer demands -- its primary focus is not on helping you meet your sales numbers, improve the time needed to bring a product to market, improve customer retention or rebrand your company. These may be secondary benefits of good information governance, but defense should have priority.
This narrowing of focus is critical, as no other discipline in your organization can do the job of information governance, and this job is becoming very complex very quickly. If your IG program succeeds at protecting your organization from information risk and risk-related costs, it’s a successful program. But if it fails to protect you -- whether or not it improves the operational efficiency of some of your business processes -- it’s a failure.
2. Always design your approach to optimize partial failure
Almost everyone -- 100 percent of the vendors and 99 percent of organizations -- assumes that your new processes and technologies will work as advertised. They then analyze the risk reduction and efficiency impacts based on that assumption in their business cases, operational planning, etc.