The Moral Imperative to Understanding ‘Information Governance’

Last month, a federal judge found that errors by Air Force records managers were primarily responsible for a 2017 mass shooting in Sutherland Springs, Texas that resulted in the murders of 26 men, women, and children – including a five year old girl. (This conclusion had already been confirmed a year and a half earlier in this February 2020 Epoch Times investigation.) 

How could this have happened? And more importantly, what can records managers do to prevent it from happening again?

_____________________________________

About 10 or 12 years ago, marketing executives at powerful tech companies began to notice that records managers – particularly those working in Federal government agencies – were failing to effectively manage information through its appropriate lifecycle using the expensive technologies these companies were selling them. Instead of questioning the effectiveness of these technologies and working with records managers to improve them, these same marketers realized they could make even more money if they blamed the centuries-old discipline of records management on these failures and developed a completely new discipline to take its place. This new discipline became known as ‘information governance.’ 

Since its inception, tech companies have heavily marketed the new ‘information governance’ discipline and it has gradually replaced traditional records management as the answer to solving the information lifecycle management challenge at every institution that once represented the records management profession, including ARMA International, AIIM, MER, and even the Institute of Certified Records Managers.

Yet tragedies like the Sutherlands Springs murders continue unabated and they are still being blamed on failures in records management. This is only possible because the marketers who invented ‘information governance’ never actually defined what it was or demonstrated how it was in any way a superior discipline to traditional records management.   

This madness cannot continue. There is no transparency anywhere in our private and public organizations. Our leaders are not being held accountable for anything they do. Our privacy is completely evaporating. Our most valuable recorded information is being stolen in an accelerating stream of devastating data breaches…and people are dying. All because the work that records managers have performed for thousands of years is no longer being carried out. 

This is a life-or-death matter and an existential threat to civilized society. I am presenting a list of questions below. If you are an information governance professional or you hold a place of leadership in an organization that promotes the new information governance discipline, you are morally obligated to provide answers to these questions so that records management professionals like myself can understand what we are doing wrong and can no longer be held responsible for these types of devastating tragedies: 

1. The definition of records management has always remained the same: effective management of recorded information (regardless of format or media) through each stage of its appropriate lifecycle: creation, use, distribution, maintenance, and disposition. What is the commonly accepted definition of information governance that distinguishes it as a separate discipline from traditional records management?

2. In an organizational hierarchy, is the information governance discipline below, above, or somehow complementary to records management? Please explain your answer.

3. Can one become an information governance professional without training and experience in records management? If not, what level of records management expertise is required before one can become an information governance professional?

4. Becoming a qualified records management professional requires years of rigorous academic study and real-world experience. Is that also true for an information governance professional? If so, where does one acquire such training and experience?

5. What technologies does an information governance professional implement that would not be used by a records management professional? How does an information governance professional use existing records management technologies differently than they have been used by records management professionals?

6. Just as a financial manager has a fiduciary obligation to her customer’s money, a records manager has a fiduciary obligation to her customer’s recorded information. This has been true for thousands of years. Does an information governance professional also have a fiduciary obligation to her customer’s information? If so, how has it been established and how is it different from the fiduciary relationship records managers have with information?

7. Please provide at least one academic study of a real-world case showing where traditional records management failed to successfully manage an organization’s information lifecycle challenges, but application of the new information governance discipline did. Please highlight the technologies, policies, and methodologies used by the information governance professional that were not used by the organization’s records management program.           

Please provide your answers in the comments section below.


6 thoughts on “The Moral Imperative to Understanding ‘Information Governance’

  1. “About 10 or 12 years ago, marketing executives at powerful tech companies began to notice that records managers – particularly those working in Federal government agencies – were failing to effectively manage information through its appropriate lifecycle using the expensive technologies these companies were selling them. Instead of questioning the effectiveness of these technologies and working with records managers to improve them, these same marketers realized they could make even more money if they blamed the centuries-old discipline of records management on these failures and developed a completely new discipline to take its place. This new discipline became known as ‘information governance.’ ”

    I’m more disheartened with the RM community than you are I think Don. I don’t think it was necessarily a fault of the technologies solely or even mostly, but mostly a failure of the RMs. I’ve worked in numerous Fed agencies and almost to the person the RMs forced technology and electronic processes to behave like they were used to in paper processes. I’ve seen RMs insist everything going into a system had to be converted to a .pdf. I’ve seen RMs insist that employees couldn’t possibly put records in a system so they had to be emailed to an RM who would then put it in the system for them. I’ve seen RMs who don’t understand email, sharepoint, much less other technologies and RMs who don’t care what process creates a record, only that someone at the end follows their flow chart to declare it and then hand it over to the RM to “manage.”

    I don’t think that NARA helped, either, especially since they were requiring “print to file” email records capture for years.

    I think that IT departments especially grew frustrated with these dinosaurs and their outdated processes to capture information and simply grew other positions. Electronic records software (admittedly some were duds) weren’t to blame, but the processes to capture the records in them were to blame. Those processes were designed by RMs and employees ignored them because they were cumbersome and the value wasn’t present. So again, IT departments came up with the “information manager” who would look at existing repositories and map those to a governance plan so they could semi-responsibly get rid of obsolete information. The certification process and orgs fighting to get money to give someone a certificate followed very quickly.

    1. Thanks for your comments, Mike.

      As I think I’ve mentioned to you before, I don’t believe records MANAGEMENT has failed these last 20 years or so, I believe records MANAGERS have. Some of that is their own fault for not adapting to the transition from paper records to records born digitally, but a lot of it is due to bad guidance from people and associations they trusted who ultimately betrayed them.

      But I think you are letting the tech companies off far too easily. They have behaved reprehensively. I will be writing about my experiences working at one of them in some upcoming posts. I think you will be shocked.

      In the meantime, I’m just hoping that SOMEONE has enough faith in ‘information governance’ to answer my questions. It really couldn’t be more important.

  2. I’m answering as an individual and based on my own assumptions and beliefs about RM and IG.

    1: What is the commonly accepted definition of information governance that distinguishes it as a separate discipline from traditional records management?

    A: There isn’t one. It’s not truly a separate discipline from traditional records management. As I understand it it is more of a shift in how we discuss records management and that shift is necessary to engage more workers. 2 decades ago people printed information and filed it. They don’t now. A decade ago NARA was still promoting printing email and filing it to ensure you captured the “record.” It wasn’t until 2015 that NARA issued a memorandum requiring federal agencies to manage email in an electronic format. 2015.

    You yourself have bashed 5015.2 and taken your share of responsibility so I won’t rehash that but as you point out, it was a problem in and of itself. It treated electronic records and information in the same manner as a piece of paper. And further many of the RMs who implemented systems didn’t understand them anymore than they had to understand how to turn pulp to paper and the results (especially the workflows and processes to move information from one system into their RM system) were disastrous.

    CIOs began abandoning the RMs for being too left behind, too focused on trying to make 1s and 0s behave like sheets of paper and file folders. Many RMs still believe there is a difference in “records” and “information” and truly the only difference is that with a “record” someone “declared” it to be so, anointed it so to speak. Until someone takes that step traditionally it seemed many records managers did not care about the ever increasing Terabytes of information being created.

    2. In an organizational hierarchy, is the information governance discipline below, above, or somehow complementary to records management?

    A: It depends on the organization. Do you have a white hot RM who is seated at the OCIOs table, understands tech, understands how to manage information through a lifecycle as it touches multiple different systems and doesn’t try to force already burdened daily workers with yet another process to follow to manage a “record” with a retention of 5 years or less? Heck you’re already doing IG as I understand it. But if you have someone dusting off the cardboard in the basement making sure the humidity is right for the next 20 years until a box can be pulled off a shelf and a contract put in place and a body to stand there and watch as a bunch of irrelevant papers from 2 or more decades ago are shredded? Then in today’s organization the IG likely sits “above” the RM because they’re trying to improve processes for managing information as it’s being created and used by 20-somethings today, most of whom may not even print a piece of paper in their entire careers.

    3: Can one become an information governance professional without training and experience in records management? If not, what level of records management expertise is required before one can become an information governance professional?

    A: No. I would say that a full understanding of retention schedules, how they are developed, how they are researched and how they are kept up to date and, most importantly, how to translate them for your organization is a minimum requirement. However many RMs I’ve encountered have failed to adapt to how information workers operate today.

    An example:

    An organization paid to have thousands of documents digitized so they could be reviewed, utilized, and accessed to make business decisions. None of these records were Permanent. Tens of thousands of dollars used to contract with a company to use high speed scanners to digitize this information. Once that was complete the company wanted to destroy the paper.

    RM: No. you can’t.
    Company: Why not?
    RM: How do we know that each digital copy is an exact duplicate of the paper?
    Agency: OK so what do we do?
    RM: You need to look at each 10th paper and compare it with the digital version, if 90% of the comparisons are correct then we can assume that the entire set is correct and then the paper can be replaced by digital as the official record.
    Company: What’s the retention for these records?
    RM: Ummm ten years.
    Agency: So we need to spend another $30,000 to have someone compare each piece of paper to the digital version to then get rid of the paper?
    RM: yes.
    Company: It’s cheaper to store the paper and use the digital files. Smell you later.

    How much value did that company place in Records Management after that exchange? How much engagement did they have with the RM after that? If you respond Little and None you win the prize.

    And that happens over and over again.

    7. Please provide at least one academic study of a real-world case showing where traditional records management failed to successfully manage an organization’s information lifecycle challenges, but application of the new information governance discipline did. Please highlight the technologies, policies, and methodologies used by the information governance professional that were not used by the organization’s records management program.

    I am not aware of any studies where traditional RM failed to manage challenges but IG did. I do know, as well as you know, because your blog repeatedly highlights the failures of RM, that traditional RM, applied today, using traditional methods, is failing in multiple organizations as outdated modes of thinking come crashing into workers who are utilizing dozens of SAAS applications to perform their work.

    I’ll turn this around, as an RM, using your understanding of how many RMs operate today, explain to me how you will capture the following record:

    I create a document in Gsuite on a shared drive for my team, all of whom can edit it.
    One of whom takes it and attaches it to a SLACK message, where another team can edit it. It is saved into another share where it can now be edited by another team.
    Since it’s being used in an all-hands presentation it is Slack’d (IMd) to another review team and then moved into yet another share, but the link to the document is shared to 1500 employees, all of whom have access to it.
    Meanwhile a team member takes the document and puts it in the project management system to utilize as the basis for a project to begin in 3rd quarter FY2022.

    All of this happens within 25 minutes. Real world example. Today example in fact.

    Using Traditional RM manage the document as well as provide direction to the company on how to manage the previous versions that still exist in multiple shares and on our IM platform, and then provide direction on how to manage all of the versions in their multiple locations when they are discovered for a litigation matter in 3 years.

    I don’t think that IG is that different from RM. In fact it’s not any different from what RM should be, but it is vastly different to what many RMs forced RM to be over the past 2 decades by enacting poor policies such as “print to file email” or heavy handed forced management of information and records with extremely short retention periods (3 years or less) requiring employees to read and review every single piece of information they received (to include hundreds of emails a day) and use a flow chart that consists of:

    Receive or Create
    Determine Record or Non Record
    Sent or Received?
    Draft or Copy?
    Directly supports a business decision or process?
    Issues Direction or Gives Approval?
    Provides Evidentiary Value?

    It’s a record! Now remove it from your system and declare it into this other system. By the way since this other system is pretty hard to learn and you only interact with it once or twice a month, make a copy of your document and keep it in your email or file share (we know you do this anyway) where it does NOT have retention applied to it but still is discoverable. And someone else with access may search and find it and use it, even though it’s obsolete. And then move on with your other tasks in any of the 200 applications you have access to (all of which store your data offsite since there is no physical server space in our organization).

    In fact since some of the information you routinely interact with (like IM) we will advise the CIO to enact a policy that says “Don’t create records in Slack” and then smugly think we’ve done our jobs because surely no one will make a decision in an Instant Message now…right? We have a policy that says not to.

    But if you do, since IM doesn’t integrate with our Records Repository, convert your IM to a dot pdf and then put it in the records management system.

    Oh and if you could print a copy and file it in our state of the art filing room that would be great, too. If you need to refer to it in the future you can come request it and we will make a copy of it for you.

  3. Mike,

    Thank you for responding to my questions. And thank you for confirming some of my worst fears about “information governance.”

    To be honest, I was really hoping for a more authoritative response than your “assumptions and beliefs” as an individual. But, absent any dissenting opinions from other members of the global information governance community, I will be using your responses as the basis of my arguments going forward.

    Kind regards,
    Don

  4. (Continued)

    4. Becoming a qualified records management professional requires years of rigorous academic study and real-world experience. Is that also true for an information governance professional? If so, where does one acquire such training and experience?

    A: To the first question: Yes. As stated loosely above, an effective IG professional will possess records management experience, without it the IG will likely be a failure (unless they have a dedicated RM specialist on board to manage the retention piece of things).

    Where I see a difference is that while RM should have been keeping up with systems and electronic processes and sitting next to the OCIO, many didn’t. They were glad to go to the basement and focus on checking records in and out and shredding documents during their annual disposition cycle.

    Into that gap are stepping people with RM experience who realize that to be effective they need to help organizations manage the vast amounts of info being created – information the RMs didn’t touch or even advise on because on their flow chart it ended at the triangle that said “not a record.”

    Where are they acquiring that information? By coming up through the ranks in data governance, information governance, as an information worker who starts thinking about how to improve processes, as records managers who start questioning why they being told by senior RMs to only care about a subset of information (records) rather than all of it. I’ve known lawyers who have moved into the field because they realize they’re good at helping organizations organize and improve through better information management.

    5. What technologies does an information governance professional implement that would not be used by a records management professional? How does an information governance professional use existing records management technologies differently than they have been used by records management professionals?

    A: None, really. As you have pointed out many RM technologies, especially those built to operate in compliance with 5015.2 were failures, at least in the implementation phase. At the very beginning no one was going to get thousands of workers within an organization to “declare” records into an RMA. It was never going to happen and yet tens or hundreds of millions of dollars have been wasted over and over again by RMs who keep insisting they will make it happen.

    At my organization we have over 200 SAAS applications in use. And I approve more, daily (I’m part of the acquisition team that approves new software). All of them have valuable information used to make important decisions that affect the business. No one juggling 5-20 different applications has time to decision tree everything they do and then declare it a record.

    They don’t and they won’t.

    So what to I do with a slight change of focus? For one I became part of the approval process for new applications. Rather than wait for them to be stood up and users use them, then come around during some annual RIM month and maybe discover the IT department has a new project management software I am the approver. Before anyone gets my approval, and you can’t get the software without it, I look at the contract. I ask how the information will be utilized. I inquire as to who will have access, the business impact, and how the information will be managed throughout its lifecycle and I teach them about the records (if applicable) and their requirements and we schedule that system (as applicable) into our disposition process and organizational file plan. In short I seek to understand the software and as a result understand the information. I can then make better decisions about how that software and the information contained fits into our IG program.

    I’ve never, in 20 years of Federal and Private records management, working with certified RMs at high levels, heard of or seen another RM become part of a process like that at the very beginning. Never. Not Once. Not Ever.

    Most don’t care about the software or technology, they wait until you “declare” the record out of that software.

    6. Just as a financial manager has a fiduciary obligation to her customer’s money, a records manager has a fiduciary obligation to her customer’s recorded information. This has been true for thousands of years. Does an information governance professional also have a fiduciary obligation to her customer’s information? If so, how has it been established and how is it different from the fiduciary relationship records managers have with information?

    Yes. No difference, except, again, I believe the IG discipline, and more importantly what managers, OCIOs and leadership expect from an IG professional, is above and beyond what they have been trained by Records Managers themselves, to expect from Records Management professionals. Heck RMs are still fine with the term “records clerk.” It’s branding. What sounds more like a person who is going to help a techie manage their information and do their jobs with more efficiency?

    A records clerk?
    An Information Governance Specialist?

    Go ask anyone under 50 who they want to work with. I’ll wait.

    I think a big part of what you aren’t seeing, Don, is that RM has a bad image among anyone under 50 or 60 years old. It’s an image of clerks and file folders. And who created that image? Records Managers themselves. No one else. No one.

    I have talked with people, senior people, people who have sat through boring annual records training, who still tell me they don’t create records because they aren’t in contracting or legal.

    Is that their fault? No it is the fault of RMs who consistently ignored how information was being created over the past 4 decades and still held onto a belief system that information was declared as a record. Finalized.

    Like when someone signed a piece of paper and handed it to a clerk who mimeographed it and filed it away. And then the creator would come and review it at a desk under a watchful eye.

    Information doesn’t work that way in today’s age but many RMs were blind to that.

    Declare the record, then I’ll manage it.

    And as a result the profession, the noble profession, got two black eyes and was sent to the locker room to wash jock straps.

    Again I think that the IG profession seeks to take what RM did but broaden it – giving the RM (now IG) responsibility for managing information in those systems and across the enterprise. It takes the RM’s shrug from “I don’t care what system it is, you have to declare it a record, it’s your responsibility, now put it into this RM system or I’ll write you up on a report no one reads” to placing the impetus on the IG to provide the HOW the information in 200 SAAS applications will be managed in accordance with the retention schedule and what the overall information plan is for an organization.

    Because ask many RMs over 50. They don’t care about information. They care about records. And they’ll point to their flow charts to demonstrate to you why there is a vast difference. Because if everything is a record they’d be overwhelmed or, worse, irrelevant. So they stick to these concrete distinctions. And then they aren’t helpful to the organization overall because they don’t have a plan or idea or care about how the OCIO needs to manage 165 Terabytes of information, they can only advise on how to manage the 5 MBs of records declared out of that system.

    In almost every organization I’ve worked in, the previous RMs had so ruined and mismanaged records programs that no one, not anyone at those organizations, gave a fart about records management. They had ostracized themselves either due to antiquated processes, a failure to be seen as speaking the language and understanding tech, or just disappearing. At one organization I worked there were only 300,000 declared records – in a 50 year history! The process to manage records was so convoluted no one would do it. And this happens over and over again everywhere. Every one of the RMs clung to their ridiculous flow-charts and demand that people print emails or documents (ruining the metadata and provenance of the information) or “declare” them into a record’s system. Every one of them failed to try to understand the context and content of information and insisted it wasn’t their job, their job isn’t to “know” whether you create records, their job is only to manage the records you declare. If you don’t declare any, so be it.

    This is how RMs pushed themselves into the proverbial basement. This is how a new generation of people who see the value of RM are rebranding themselves as IG Professionals. It just sounds better and it is a more well-rounded job description. You manage records? The ones people bother to remember to declare? Great. I manage information. I have a seat at the OCIOs table. I help make business decisions that impact the entire organization. I help guide the tech we buy and utilize. I talk with data managers and application designers about redundancy, etc. And I schedule everything that comes into our network with an expiration date.

    Not just the records. Everything. That’s the difference.

    RMs created a barrier between themselves and a tech generation. They didn’t understand tech, used terms like “record email” and generally were trained by the big CRM orgs to be a hindrance. The examples you’ve made over and over again speak to this. RM is a failure across the Federal Government and worse in private enterprise.

    If we have to call RM in 202X “IG” to get people to listen and come to the table then so be it. The RMs and their certifying organizations had their chance. They -should- have been at the forefront, they should have been the right hand to the OCIO since the first computer was issued to the first employee but they weren’t. And then they didn’t do anything for the next 4 freaking decades, either. And in their training today they still expect employees, managing information in dozens or hundreds of repositories, to think about whether they are the sender or recipient, if the information has business value, and then choose from one of these 500 records categories to manage your record.

    And if the certifying organizations never had that intent then their training processes were failures because I have never, not once, not in over 20 years in this profession, met an RM who didn’t hold onto that ridiculous flow chart and expect people to carve out their “records” for management and then the RMs turned their back on the overwhelming majority of information that wasn’t in that category.

    And if you’re being honest with yourself you know you’ve seen it too.

    I will end with a statement that I do strongly agree with you that if someone is purporting to be an IG professional and doesn’t have some RM history and bonafides then they are a danger to whomever is hiring them.

  5. No problem.

    I’m happy to engage but if you are trying to play “gotcha” then I’ll likely disengage. I feel that is why many aren’t responding if I’m being honest. It seems you’re not seeking to understand but to respond.

    Like when someone has already made up their mind and can’t wait for someone to finish talking so they can tell them how wrong they are. This means they didn’t listen to the person they just waited until they finished speaking.

    In my mind IG and RM don’t have any real differences except an image problem with RM. If it takes rebranding the name, but applying the same processes and procedures as RM and based on the science of records management, then so be it.

    Because I believe that many of the people in the IG sphere are trying to differentiate themselves from what is seen by some as a hindrance in the RM profession – people waiting until records are declared to begin working.

    Sitting back and ignoring the pain of information workers and IT staff managing vast amounts of data because until it’s a record it’s not their problem.

    I am successful in IG because I speak the language that CIOs and tech and workers want to hear, and I have a 2 decade background in researching and creating records retention schedules that govern our information repositories. I have certifications in RM from a few different organizations that certify people in this stuff.

    I don’t have my Information Governance Professional certification. I don’t feel I need it. My bonafides speak for themselves.

    But if I am calling myself an IG professional it’s because that’s what my company advertised as seeking in their job description.

    Now ask yourself why they’d do that? Why do companies advertise they are looking for IG or IM professionals instead of RMs, but whose job description includes records management?

    That’s the question you should be asking and I know at least part of the answer because I’ve described it in my responses above.

    Let me put it one last way:

    Who is more valuable today, someone who designs apps for cell phones?

    Or the telephone repairman?

    I have, on my desk as I type, a copy of Chilton’s Guide to Telephone Installation and Repair. I can remember growing up in GA with a party line. I remember when you rented your phone from the phone company for a monthly additional charge, and you turned your phone in if you moved. I remember having to call the telephone repairman when the phone had static, or didn’t work, etc.

    How relevant is that work now to help make you more efficient on your cell phone? Still a phone right? Still can talk to people right?

    If that telephone repair man didn’t transition to cellular technology or, even better, to developing applications and troubleshooting cell phones where do you think he or she is working today?

    To many people the name of RM is akin to the Telephone Repair person. Obsolete.

    The requirement is still there – manage information, prove evidence of business decisions, ensure integrity.

    I’m not aware of any IG person who seeks to not ensure that the basics of RM are kept in place, just as I’m not aware of any iphone application developer who is seeking to turn off the ability to talk into your phone.

Leave a Reply to Don Lueders Cancel reply