[00:00:01] Speaker A: Hello, thank you for joining us. This is what Counts, a podcast created by Trailblazer Consulting. Here we highlight proven solutions developed through our experience working with companies across various industries and we talk about how you can apply these solutions to your company. We share our experience solving information management challenges like creating and implementing a records retention schedule, creating an asset data hierarchy, or helping with email management.
This is Lee and in this episode Mor and I will talk about the governance section of Trailblazer Framework and where the devils and the details hide.
[00:00:37] Speaker B: There you go. Where the governance devils are hiding, I don't know.
So governance broadly defined not just by us in our framework, but out in the world, in current and sort of industry parlance and best practices, governance is looking at decision making roles and responsibilities.
How is a. How does a company set about making sure that its team, its staff always act in the same way, act in the prescribed way and act according to the policies that the company has put in place? So thinking about the details of governance and where we can get tripped up first one is defining roles and responsibilities.
And we have over the years, depending on the appetite for this in the companies we're working with, we've done a really thorough job from the CEO and the C suite to first line managers, all the way down to administrative staff and hands on technical staff. And who has responsibility for what in normal course of business operations, in a disaster recovery situation or in a legal holder audit situation, because the responsibilities shift a little bit depending on those extraordinary circumstances, a lot of companies do not have the appetite for that detailed granular approach to defining every single person's responsibilities with regard to their information.
So we end up doing sort of big buckets where you have the. We broadly say something like the people who are responsible for creating the information are also responsible for carrying out the retention of the information. Following the rules for records retention, in the event of a legal hold or an audit hold, then the legal department has the responsibility of identifying the information that's on legal hold and the custodians who might have that information and they work with it. Who has responsibilities related to preventing inadvertent destruction and preserving the information.
So we approach it more like that. And at the top level in that scenario, we say the supervisors, the leadership team, whatever the right level is, depending on your organization, that group has the responsibility in their individual departments or teams to set a standard that says we will follow these rules, there is time to do it, and it's important to follow them.
So the governance piece starts with that and getting those right is Important, this is where the devil in the details comes in, because you don't want to leave holes in it. For instance, some companies have an information security team that's part of their, or maybe cybersecurity and it's part of it. They might also have a physical security team that is not part of it, it's part of facilities. Well, if you're trying to apply an equal rule on your records and the safety of your records and protecting sensitive information, you need that rule to be carried out on physical records as well as on electronic records. But the way you do it is different. But that means that the physical security team and the cybersecurity team have to work together to make sure that they are identifying and protecting the sensitive information appropriately. If you don't address both of them, if you only focus on the digital side, then suppose somebody breaks into your warehouse and steals all your records. Or you have, you've allowed field offices to make their own arrangements for off site storage. A lot of, you know, you store it kind of lockers out there holding records. We've seen many of them and there's, there is, there was a situation where one of the largest mortgage companies in the country had a bunch of branch offices. They closed the branch offices at a certain point in time. They closed several of them, not realizing that the branch offices offices had contracted with neighborhood storage companies to hold mortgage applications in paper form in an off site storage location. Well, obviously once they closed the branch, they stopped paying that bill. Mortgage applications and files got auctioned off because that national company didn't realize what was going on with the paper records in the field.
Maybe their mortgage systems were secure, they weren't using, they weren't losing their digital files. But those applications were out there in the world having been auctioned off. That was a huge security breach, a huge privacy data breach.
So understanding how your organization works and how all the different parts of it come together, that's the job of governance when it comes to the information side of things.
[00:06:17] Speaker A: I do agree that that's the job of governance. And your example is perfect in terms of things that the details that do slip through the crack sometimes.
One thing that kept coming back to me was you got to get the right people in the room. And that's a detail that can't be overlooked. Right. So the governance structure, who's going to collaborate, who do we get to talk to each other that understand all of these components that need to be understood and taken care of. That's a huge detail that needs to be Handled.
[00:06:55] Speaker B: That's a great point and it's a hard one to accomplish.
Depending on where your organization is in the information governance journey. If you're an older organization and you have a lot of paper storage, off site storage, it's pretty likely that your information governance has been pushed down to a fairly low clerical level because it's just about moving boxes, it's about moving paper and there's not enough scrutiny of what gets sent off site or how the forms get filled out. Often there is not enough scrutiny because it's easy. We just need to get this out of the office. We just need to move it. And somebody in, in a department or in a field location might just pack up a bunch of stuff and send it off site and they'll fill out minimal information.
And then later when the information governance team is trying to figure out what's out there, how do we apply retention?
They have a hard time two ways. They have a hard time getting themselves out of the paper mindset and they have a hard time getting the attention that they need when they're looking for support across the organization. They need support from it because they need to have the same rules applied to the paper side and the digital side.
And recently with one client we went round and around and we wrote a defensible disposition procedure and we looked at the cyber side and we looked at the digital side, we looked at the paper side and we met multiple times with the IT team and said, here's what we're thinking and here's, you know, here it is. And gave them the document in draft form and got comments from them.
But it was all. They were kind of on the surface of it, like, yeah, yeah, yeah, I don't have time for that right now. But, but you're on the right track. But when we went back again to try and get sign off, they were like, whoa, hold up, we can't do these things that you've put in here. Like do you really mean it that you want a triple delete to be sure you're going to do that? Because that's very expensive. And we're also not going to destroy physical media because that doesn't happen anymore. Like that's not really a thing anymore. This is kind of old, which maybe because it took us a long time to write it, but so it just now we've got their attention, which is great and we're updating everything. Then we have the other side, the business side, saying why are you spending time and money on this? Can't you just Do a spreadsheet. Can't you just have a spreadsheet? Not realizing that the volume of the information out there and the many hands that are on it. No, you can't do a spreadsheet. You could do a spreadsheet if you had 25 people who did nothing but try and maintain that spreadsheet, but that's not very efficient.
But again, because this came from the paper world, from the world of just off site storage, send boxes off site, don't really care, then it's very hard to push your way forward and get that help. So that to me is one of the key challenges in the governance space. So you're right to bring that up about getting the right people in the room.
I just want to add getting them to engage is also a challenge, not insurmountable. And perseverance is important. But for the information governance leader, as you're looking at, here are my goals, here's the company's goals, here's the type of organization we are, how big we are, these are our risks and being able to talk about those risks in terms of risk to the business, not just risk to the records, but the risk to the business due to a failure of records, of record keeping, of information governance and be able to make that case to the, to the right people in the room to get the governance set and get the support that is really important that I think that is critical to success.
So that's item number one off of our framework.
[00:11:13] Speaker A: I agree. And throw in a liaison network because your records department is not always 10 people. It's usually small and very compact and they need help implementing governance so they build their own network of people to.
[00:11:34] Speaker B: Yeah, that's another one of those things that just make. That frustrates me in this space when we do the math of how long it takes to do all these things. I remember for one company we did the math of how many people, how many records, how many different things that needed to happen. And it was like you need 64 people in your, in your information governance central office, which clearly nobody is going to put 64 people on this.
So. Okay, then you're right. That's when you get to how else can we implement it? We can implement it by having a liaison network, a coordinator network. We can implement it through training to all those different buckets of who has what responsibilities, targeted training for the people at each level of what they're supposed to do. We can also implement it with software and automation.
But that's a cost of a different kind but if you actually looked at how much it takes to do this, nobody would ever do it and that would be a problem.
So we we sometimes will look if people ask, but we have we never recommend 64 people because that's a non starter.
You just have to figure out how to share that burden across the company.
[00:12:55] Speaker A: There you go.
If you have any questions, please send us an email at
[email protected] or look us up on the web at www.trailblazer.us.com. Thank you for listening and please tune into our next episode. Also, if you like this episode, please be a champion and share it with people in your social media network. As always, we appreciate you, the listeners. Special thanks goes to Jason Blake, who created our music.
