Developing Meaningful IM Policies
The other day I was having a coffee with a friend and she began to discuss some of the challenges and frustrations she was having around the management of information within her organization, or more precisely the lack of management over information. Towards the end of our conversation, she concluded that what was missing – and what she desperately needed to fix the problem – was an Information Management Policy. She realized that a well thought out policy would help her gain control over the feral hordes of information roaming the office landscape. I agree a well-developed IM policy will provide her with part of the solution to her problem and I yet believe that IM policy development is one of the most misused and poorly executed tools in the information governance arsenal.
In general, policies are part of a system of principles that guide decisions and achieve outcomes. We often ask “Do we have a policy on that?”, “What is the policy on that?”, “Do we need a policy on that?” Then we take great care in writing them. And finally we gather them up and post them in a centralized location for all to view. I have observed a quintessential pan-Canadian ethos that finds comfort in the peace, order, and good governance of policies. Policies are an integral tool IM departments use to provide this sense of order, assign responsibility, and set limits.
Yet despite the time, energy, and effort we lavish on developing IM policies they very often don’t help us achieve our desired outcomes. Instead, they languish in obscurity and fade away unread, unremembered, or unheeded. I suspect this has much to do with how IM policies are developed. Usually, IM policy development is treated like a project and given to a person within the IM team whose job it is to then draft the policy. That team member might conduct comparative research on similar policies but typically works in isolation from the rest of the organization and develops an IM policy that is at least once removed from helpful. Just as common is the policy that is written before the reasons for its drafting have been properly defined, increasing the risk that the policy’s author may not clearly separate the symptoms of the problem from the actual problem. For example, silos of unmanaged information in an office is a symptom of a problem. The actual problem may be a lack of awareness among employees as to where to store the information they create and capture. Or perhaps the problem is that employees lack the tools and knowledge of how to successfully retrieve information from the organization’s electronic records and document management system. Failure to separate the symptoms of the problem from the actual problem will result in a misaligned IM policy that solves nothing.
Another issue impairing IM policy development is the writing of multiple policies on different aspects of the same problem. Often Security, IM, and IT will each have a policy regarding information security and this duplication increases the risk that the multi-dimensional concerns around the problem will not be addressed in a coherent and cohesive manner. These multiple policies also force employees to check multiple places in order to get a full picture of their role and responsibilities. Ironically, while the enterprise nature of information and how it is used across the organization does mean that there are concurrent responsibilities for its management, this policy over development and lack of departmental coordination can lead to contradictory policy guidance and may expose the organization to the very information security breach they are trying to avoid.
In order to successfully develop an IM policy, I would urge that we move away from relying on the policy writing processes and assumptions of the past. Today, we must dig deep and consult widely with business users to determine how the problem occurred, when it occurs, why it occurs, what the impact is, and what the desired outcome is once the problem is addressed. A well-designed IM policy, developed collaboratively, will ensure that a full analysis of the problem from different angles has been undertaken and will ensure that the proposed solution addresses the full scope and context of the problem.
IM policy development is not a project that ends once the policy is approved and published. To respect the time, energy, and resources everyone must invest to develop an IM policy, continuing performance measurements are required to evaluate how successfully the policy addresses the problem. These success measures need to be included as part of the IM policy development process. Examples of performance indicators could be EDRMS usage measured by percentage of users or reduced expenditure on offsite record storage. In most cases, the identification of one or two meaningful indicators to measure performance should suffice.
Finally, IM policy development should not simply be a reactive, ad-hoc, or tactical response to an emerging issue. IM policy development should be part of an overall information governance strategy that includes policies, processes, and controls to manage information across the organization through multiple delivery channels. IM policies should not exist in a vacuum; policies should be developed in alignment with a larger information governance framework that is proactive, strategic, delineates clear accountabilities, and provides mechanisms for review through appropriate governance bodies.