How Well Is Your Information Governance Program Working? A Guide to Auditing Compliance and Maintaining IG Programs
Answering questions including “What to audit?”, “What style of audit fits?”, and “How to maintain the Information Governance (IG) programme?” are just some of the basic questions that must be answered to be able to understand how well your IG program is working. In the cyber world that we live in, IT brings new architecture into the business environment, thus through the webinar, four industry experts answer a variety of questions on the processes that should be followed.
The webinar moderator, Tara Emory, Director of Consulting at Driven Inc, frequently writes and speaks about information management and e-discovery, whilst also being a certified Project Management Professional (PMP). Irene Amu, Senior Privacy Counsel at Motorola Solutions, spent several years in Motorola Solutions Internal Audit Department leading and managing various enterprise risk management projects. Aaron Crews, Senior Associate General Counsel and Global Head of eDiscovery at Walmart, is in charge of Walmart’s eDiscovery process and strategy, as well as the legal portion of the company’s information governance programs. Shemeika Landry, Senior Counsel at Energy Transfer Partners, L.P, is responsible for developing policies and procedures to ensure compliance with laws, rules and regulations that apply to the organization.
Firstly, as a company, you must identify what style of audit fits into the context of your organization. It is important that your IG program is built in and does not come as a bolt on, in order to really function well. One size does not fit all, and what might work in one organization might not work in another, thus the program should be specific to your organizations needs’. Central to the enabling of the IG program are the executive team; to begin with they must understand the key risks, and then must provide the executive level endorsement, without which the program can not move ahead.
In terms of building in auditing and updates as you create the IG program, fundamentally, the audit process has to be aligned with the company objectives to run smoothly. The IG program should aid in achieving the business goals, but also should be effective on a daily basis at the technological level.
Your team creating the IG program include: legal, compliance, IT & Security, Risk and Records Management Departments. They are all required to remain involved in auditing and updating through the process, and this is where the cross-functional teams are very useful. They bring different perspectives on problems, and help to decide what to focus on, selecting what to audit. Deciding what to audit depends on what questions you are trying to answer, therefore the process involves finding where the gaps are.
The panel discusses various techniques for auditing: employee feedback, reporting and sampling. Employee feedback is critical to the IG progam because employees are the eyes and ears within the business. Getting information back from them in the form of polls and surveys should be done continually. Reporting involves being able to build in mechanisms to answer the questions about how your company is functioning, and what to do with the data. It involves looking at file analysis software techniques and designing systems so that you have structured metadata. Lastly, sampling is used as a full holistic approach to having an effective IG program. It is resource intensive so its use needs to be limited.
In order to maintain the IG plan, there must be constant repetition of the processes. Additionally, the retention schedules should be updated in our ever-changing regulatory environment, thus ensuring that your team is annually trained for the processes is essential. When sun setting one software system to move to another, you should ‘slice and dice’ your information, guaranteeing that you only have the information you require on the new program, and not unnecessary information from before.
In the midst of all the processes that have been discussed, the value, risks and costs should not be forgotten in the development stages. You must be able to assess the daily effectiveness for your employees; is the program efficient or abandoned by them? There is no cookie-cutter IG program that can be followed, but if a logical approach is undertaken, managing the various questions of ‘who’, ‘what’ and ‘how’ can be more easily answered than before.
Download the webinar and the accompanying slides here:
