Smallwood's book on Information Governance is actually pretty interesting. I particularly like his list of things to do to actually improve your overall IG maturity:

• Assigning RM responsibilities to senior executive.
• Hire or promote records managers
• Develop policies and procedures
• Develop training for all levels of staff
• Identify requirements for records findability/accessibility
• Define business processes
• Develop audit process
• Identify business activities for creation and storage of records
• Assess security and access controls
• Develop access and security control scheme
• Implement systems to capture and protect records
• Develop metadata scheme
• Develop remediation plan and implement corrective actions
• Develop enterprise classification scheme
• Identify user search and retrieval requirements
• Develop standard for managing the records lifecycle
• Develop enteprise-wide retention schedule
• Map retention schedule to classification scheme
• Impelement an annual review process for record series and legal research
• Develop training for classification scheme and retention schedule
• Develop procedures for records disposition
• Implement disposition processes
• Develop audit trails for records transfers and destruction

Another possible issue that emerges is risk management. Can they log risk events? Can they build risk scenarios? We could also have a discussion about metrics: data loss from misplaced laptops, reduction in intrusion, reduce ediscovery costs, reduce adverse finding, expand information risk training, roll out of software or tools, etc.

e could also have a discussion about metrics: data loss from misplaced laptops, reduction in intrusion, reduce ediscovery costs, reduce adverse finding, expand ifnormation risk training, roll out of software or tools, etc.

Change management is another key area of concern.

Executive sponsor has some key concerns: budget, planning and control, decision making, expectation maangement, anticipation, approval.

Components of the IG team must include IT, RIM, risk reduction, executive sponsor, and IG program manager. Other business units could be involved including human resources, company communications, and business units. Also consider IT security, archivists, business analysts, knowledge management professionals, litigation support, process specialists, and project managers.

Align the plan with the overall strategic plan.

Assess trends: IT strategy, technology, user behaviours, archival formats, etc.

Assess the business environment. Are things booming? Is litigation becoming a bigger concern?

Assess legal, regulatory, and political factors. How much risk is acceptable? Is there impending legislation? What is the institutional appetite for risk?

Consider best practices, for example:

1. IG underpins RIM.

2. IG is a program, not a project.

3. Use frameworks and maturity models.

4. Defensible deletion is critical.

5. IG policies before enabling technology.

6. Secure documents through the entire lifecycle, regardless of where it lives (e.g., IRM)

7. Retention schedules and legal hold notifications are the basics.

8. Use a cross-functional team.

9. Consider applicable laws and regulations.

10. Build a risk profile.

11. Build a risk mitigation plan.

12. Develop metrics.

13. Audit the IG program.

14. Develop enterprise-wide retention.

15. Senior management must drive the program.

16. Redesign processes for information governance before deploying technology.

17. Deal with email.

18. Discourage personal archiving of email.

19. Dispose of email sooner rather than later.

20. Limit cloud use to low risk, low retention documents.

21. Manage social media.

22. Be familiar with international standards.

23. Metadata is part of IG.

24. Remember that some things must be kept forever.

25. Get executive sponsorship.