In this next blog, Part 2, I want to go over the phases of the IGP and what goes into the IGP document. Please be sure to read the first part of this three-part blog “Vital Steps to Develop an Information Governance Plan – Part 1”.
Phases of an IGP
- First Phase: Gather all the information needed. What is in place already, know your agency’s needs, inside and out. Get proper justification for an IGP and get the support from leadership if not obtained already. Come up with a high-level plan for the plan – what do you need to gather to go in your IGP? You have to start somewhere, and that is “what is ALREADY in place?” Whether good or bad, you need to know what is being done today with regards to information governance and all its policies, access points and personnel.
- Start your IGP Project Plan: What is the scope of this IGP project? What are your resources? What are the timelines and risks?
- Create an Information Governance Diagram: This can help you sort the data you have gathered thus far and put them into the main sections of your Information Governance Plan. Mapping this out can help you see the high-level areas that make up your IGP and you can use this in your plan, some examples can be:
- Records Management
- Information Rights
- Information Security
- Email Management
- Second Phase: Start drawing up the plan document itself. Create the IGP Document draft (see sections below). Sometimes it helps to start the document even before you “know all you need to know” – it can help you find areas you didn’t think about and structure the rest of your work. So, don’t be afraid to just start a draft policy and add sections to it that you need to iron out later.
- Third Phase: Work out how it will be implemented. Do you need a phased approach? Do you have all the info you need in order to complete the document? No? How can you get this information and what is your approach? In the Third phase you may or may not complete the document, but your key research points should be visible and the sections of the document that you need to finalize should be clear.
- You may need to draw up the policies that are going to be implemented before the IGP is complete, so take that into consideration. Sometimes the low-level policies need to be implemented earlier than the IG, so that could also be a part of this phase.
- You may also need to dig into every department and find out how implementation will affect that area and what the risks are. This is where a phased approach can help ease yourself into the implementation for each area.
- Fourth Phase: Your document is complete, and you have a solid implementation plan in place. Start to roll out your implementation (if not already started in phase three above). This can be conducting training and continuation of the policies that need to be created or applied.
- You may need to help each department get over the hurdles that this will entail. There may need to be meetings that support the cause and push understanding for smoother implementation.
- Each department may need its own pilot or phased approached as discussed earlier. You may need to make a different plan for each area (with the help of the whole team and the department head).
- You will need to have an agreement on how changes will occur and how to switch gears depending on feedback from the implementation. You may find that something is lacking or that design or policy is in need of re-vamping. Have the team decide on the changes and their risks. Updating the plan, sub-policies, training, etc., may be needed.
- Fifth Phase: Audit, Monitoring: You will need to conduct audits for continued process improvement. You may find all sorts of errors or bottlenecks that need to be corrected in your IGP. This is a learning process and it takes time. You need to have a solid plan for monitoring and then follow up with it. This may even entail a completely different set of team members in each department unless you have the luxury to have Records Custodians/Coordinators in each area; they can be very useful for this type of monitoring.
- Look into what your margins were, your ‘success criteria,’ and see if you are meeting the marks. Do you have good reports and statistics that help you determine if you are meeting your desired goals? Are they helping you audit your project? If so this should help you determine how things are going.
- Analyze what was done or not done and come up with a plan to correct it. It might be a change to the policies or IGP or it might be training and employee correction.
What Goes IN the IGP?
Now, let’s dive into the “meat” of the IGP document. This can greatly vary from agency to agency.
At a high level, your IGP might include the following:
1. Introduction, Purpose, Goals, Mission, etc. Spell out why this document is here and why it is needed. You can even add some details of the “current issues” that this policy is trying to solve or you can just add its purpose and milestones. Adding in metrics for success can also be very successful in keeping everyone’s “eyes on the mountain.”
Note: Depending on the scope, these may differ from your “Project Plan.” The IGP may be more a high-level guide for information assets agency-wide, whereas a Project Plan will go over specifically how to get the IGP completed and implemented. The Project Plan may only be directed at the IGP project team, whereas the IGP itself will be for everyone.
2. Requirements and Scope. This could help focus the attention of the reader as to what this IGP will be applied to or focused on. You may have an agency-wide IGP or maybe specific IGPs for certain entities. Including what regulatory and governance compliance you are aiming for is a must. It can help you focus the rest of the document as well.
Keep in mind the following ERM Requirement Categories from NARA, as discussed earlier:
- Maintenance and Use
These sections can help guide you in the scope of each asset type that is being governed. For instance, in your IGP you may want to manage electronic documents. In order to successfully manage all electronic documents, you will need to govern these areas, to some degree, so you can capture this in your IGP.
3. High-Level Project Plan and Team. This can be everyone on the project team and what the activities and actions are going to be from the Project Management perspective on a high-level basis. You don’t have to get into major details about the IGP Project, like a communication plan or a schedule; that would be better suited for the Project Plan if you make one.
4. Project Compliance. This can include how things will be implemented. Will you need to do this departmentally or roll it out in phases? What are the expectations of the staff? What are the steps for Change Control? How will implementation be structured? Part of the compliance is adhering to the policies and procedures – this section may need to include “why all these policies?” and “how are you going to achieve the purposes and goals of Information Governance by applying these policies?” Keep in mind your audiences – what is better suited for the project plan vs. what should be for everyone’s knowledge in the IGP?
5. Policy and Procedures. This may include the in-place policies and procedures or new policies and procedures that will result from this IGP or are the basis of this IGP. Most of the time, the IGP itself is too high level so you may need to have detailed supporting policies and procedures. The IGP can give a direction and a guideline for these policies. Policies/Procedures/User Guides that may need to be included for this section are:
- TXT/IM’s and Social Media
- Records Management:
- Retention Schedules and implementation
- File Plans
- Legal Hold Procedures
- FOIA/Record Requests
- Disposition (Destructions & Transfer procedures etc.)
- Naming conventions
- Content models
- Security models and role-based access controls
- Network maps
- Back up plans
- Disaster recovery plans
- System design documentation
- Privacy & information sharing
- Social Media, Instant Messaging, Mobil Device plans
- Training & schedules
- Capture, scanning or conversions, etc.
- Hard copy records plan and retrievals
- Storage facilities
- System user guides
6. Training. How will the training be conducted? When? What’s the frequency and what are the topics? How will the policies and procedures be covered for everyone who needs to know them? Some people may say you don’t need this in the IGP. And that is OK – it can all be covered in a separate training policy/plan. Just think about “what is important for your agency?” If you need a more elaborate, separate policy/plan for a training approach then add it to the list of policies that you need to support this IGP.
7. Audit and Monitoring. Add how you will be auditing this plan, as well as the regulatory audits that your agency is subject to that affects the IGP and the users on the subjects of the IGP. You may also need to discuss the reporting needed here to assist in the monitoring and reporting so that those requirements are clear as well.
8. Disaster Recovery and Business Continuity. How will these different areas be covered in a disaster? What are your back-up plans? Make sure to do research on this, you may have 2-15 different types of disaster recovery plans based on the different types of content and their locations, etc. You may need separate policies/procedures for these, but they can be covered, in general, in the IGP.
9. Definitions. “Understanding” and “communication” are the most important things when conveying any policy. So, when trying to implement your IGP it is important that you have a place to explain any misunderstood terms by adding a small Glossary and Acronyms section. (You can’t have understanding without communication, and you can’t have communication without words, so if those words are not understood, then you do not have actual understanding of your policies and procedures).
Please be sure to read part 1 of this three-3 part blog “Vital Steps to Develop an Information Governance Plan – Part 1”.
To recap, in part 2 of this three-part blog we discussed:
1. Be aware of the Five Phases of Information Governance Plan:
- Draw up the plan
- How to implement; start your draft IGP
- Implementation and Change Control
- Audit and Monitoring
2. Know what needs go into your IGP Document
- Introduction, purpose, goals, mission, etc.
- High-level requirements and scope
- Project plan and team
- Project compliance
- Policy and procedures
- Audit and monitoring
- Disaster recovery and business continuity
Also, please be sure to read the third part of this three-part blog, “Vital Steps to Develop an Information Governance Plan – Part 3”. The third part of this blog will go over:
- Using diagrams that help you map out access/control points.
- Determining how things will actually get implemented.
- Setting possible and realistic targets.
- Using the IGP for overall access, control, security, and other governance requirements.
- Managing expectations.
- Why communication is the key to success.
- Managing the logistics to be sure you identify risks early to your project plan.
Good luck! Let me know if this was helpful or if you have any feedback.
Thank you for reading!
P. S. For your convenience, here are the links to the blog series:
VITAL STEPS TO DEVELOP AN INFORMATION GOVERNANCE PLAN – PART 1
VITAL STEPS TO DEVELOP AN INFORMATION GOVERNANCE PLAN – PART 2
VITAL STEPS OF AN INFORMATION GOVERNANCE PLAN – PART 3