Knowing everything there is to know about your information is critical to your risk mitigation efforts. Yes, this surfaces areas of possible vulnerability, but it also ties directly to the Big Risks that will get your senior team (and other bosses) aboard the data governance train.
You know as well as I that there are risks and there are RISKS, and you can drive yourself (and everyone around you) batty if you chase them all equally. For example:
- Small Risk: Storing customer information in shared drives rather than the official repository. Not ideal, but frequently unavoidable due to a lack of training or misapplied access controls.
- Big Risk: Dropping a shipping container full of medical records at the local transfer station rather than shredding its contents. Relatively uncommon but not unheard of, and a lawsuit waiting to happen.
Ask the Big Practical Questions
There are methodologies galore (this one from NIST is a popular one) that can help you determine which risks should keep you up at night and which you can afford to sleep through, and what to do about them. Many of these are focused on systems and technology, or on only this or that aspect of risk (e.g., privacy, cybersecurity). So before you even get near that rabbit hole, we recommend that you ask the big business-practical questions like:
- If we got sued, could we respond to discovery demands in a timely fashion? Is any of our information a ‘smoking gun’?
- If we were hacked, could the information that leaks damage our competitive standing? Our reputation? Our stock price?
- If we had a fire, a flood, or a tornado that destroyed our first-line information, could we rapidly restore it to the point where we could quickly resume operations?
This exercise is a pretty good litmus test of your senior team’s understanding of the connection between information and risk, in terms of what keeps them up at night: legal exposure, privacy and security, disaster recovery, finance, etc. These are the issues that they’re paid to address, not whether this or that record is properly classified.
Close the Gap of Understanding
To be sure, classification and all its attendant disciplines – retention, disposal, legal hold, etc. – are central to the work required to actually mitigate the identified risks. But as I hear regularly from the executive suite, “we have people for that,” a response that helps explain why forging the data/risk connection can be so challenging.
In most cases, these “people” include IT, HR, legal, and compliance staff, among others, and it can be incredibly effective to band them all together. The idea is to maintain a resolute collective focus on the Big Risks and the role data and information governance plays in researching, ranking, and addressing them.
To complete (and browbeat) the metaphor, it’s a one-track mindset that should keep you from running out of steam while you wait for the brass to signal green, and keep you from going off the rails once they do.
---
Steve Weissman, Founder & CEO, Holly Group LLC • “The Info Gov Guy™” • steve@hollygroup.com • 617-383-4655 • Member, AIIM Company of Fellows • Recipient, AIIM Award of Merit
