Information Governance ("IG") will continue to evolve rapidly as a discipline, although admittedly it is currently an ill-defined one, for the next fifty (50) years or so. We are drowning in our inability to manage information, and the signs are everywhere we look, especially in the daily breaches that we all seem to have become jaded to. The regulatory authorities in the U.S. have the resources, at least with respect to HIPAA (i.e. because HIPAA CMPs purportedly end up in HHS' coffers for more enforcement), but appear to lack the will or the know-how to dramatically impact the compliance chaos that remains a decade on from the HITECH Act.
WHAT IS INFORMATION GOVERNANCE ("IG")?
No one, we believe, really knows for sure. Yes, there is widespread agreement that IG is much broader than "records management", which was itself not well defined across organizations. Records management invokes an image of "dusty cellars" occupied by lonely people whom no one ever visits unless an emergency is in progress. Well OK, IG is "newer and shinier" and growing more important by the day because it touches on so much of what we do: (1) legal; (2) regulatory compliance; (3) contractual compliance; (4) data retention; (5) information technology; (6) privacy; (7) security; (8) big data; and on and on.
WHAT & WHO DOES INFORMATION GOVERNANCE APPLY TO?
Everything and everyone. For knowledge workers, those of us who sit in front of these wonderful (and at times infernal) machines every day, IG is something we interact with daily, and still it remains amorphous and ill-defined. We create documents, search for documents, modify documents, store documents, search within documents, and curse MS Word daily (while loving it at the same time). Something this global and far-reaching feels like much more than a discipline; perhaps it is a meta-discipline, something that drives all other disciplines.
So, we once again present to you our Compliance Manifesto, which makes sense to us now that we are thinking about compliance in a much more global fashion (HIPAA, PCI DSS, GDPR, etc.), in the hope that those of us who have to deal with this madness can begin to develop a set of first principles that will ground us. Yes, we are aware that dozens, if not hundreds, of organizations have purportedly taken on this challenge. Just think of this as a small drop in a very big ocean!
- Compliance always exists along a continuum where full compliance is often nothing more than an aspiration.
- Compliance is a journey and not a destination, which implies the creation of a culture wherein compliance is something you do as part of your organization's mission and not as some necessary evil.
- Compliance is not an abstraction, but rather is always manifested at the granularity level of a requirement.
- For each requirement, you need the following three things to produce visible, demonstrable evidence: (1) Policies; (2) Processes that underpin your Policies; and (3) the ability to track process results.
- Agile is the only compliance methodology that matters; all others are anachronisms that belong in the dustbin of history because they are woefully inadequate for a rapidly changing complex world.
- Every compliance regime is a wicked problem that contains an order of magnitude more organizational complexity than technical complexity; however, the latter is ever present and almost always non-trivial.
- The only way to improve an organization's compliance narrative is to improve its ability to produce visible, demonstrable, evidence of compliance over time, at the granularity level of a requirement.
- Checklists that provide suggested policies, processes, and tracking mechanisms at the granularity level of a requirement prove invaluable, because compliance regimes are (almost always) descriptive and not prescriptive (i.e. requirements inform you as to what should be done, but not how to do it).
- Analytical frameworks and modeling (often one and the same thing) are proven educational transfer vehicles when deciphering the meaning and/or intent of a requirement.
- Scorecards based on specific requirements are the only way to measure progress of your compliance initiative (i.e. by definition, if you are in compliance with all the requirements of a regulatory regime then you are in compliance).
We welcome any and all feedback from those of you who "play" in this space and for whom this article may have struck a chord.