
Audit the Information Risk Mitigation Program

From the document Information Governance - Wiley CIO (pages 71-74)

Step 8: Audit the Information Risk Mitigation Program

The metrics you have developed to measure risk mitigation effectiveness must also be used for audit purposes. Put a process in place to audit compliance with the risk mitigation measures separately and independently of the team that implements them, so that you can verify the measures are actually in place rather than merely planned. The result of the audit should be a useful input for improving and fine-tuning the program.

It should not be viewed as an opportunity to cite shortfalls and implement punitive actions. It should be a periodic and regular feedback loop into the IG program.

Notes

1. Ontario, Electricity Act, FILELAW database, Thomson Publishers, May 2012.

2. U.S. Government Printing Office (GPO), “Code of Federal Regulations,” www.gpo.gov/help/index.html#about_code_of_federal_regulations.htm (accessed April 22, 2012).

3. National Archives and Records Administration, “Electronic Code of Federal Regulations,” http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&tpl=%2Findex.tpl (accessed October 2, 2012).

4. John Fraser and Betty Simkins, eds., Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives (Hoboken, NJ: John Wiley & Sons, 2010), p. 171.

5. “ISO 31000 2009 Plain English, Risk Management Dictionary,” www.praxiom.com/iso-31000-terms.htm (accessed March 25, 2013).

6. Fraser and Simkins, p. 172.

7. Ibid.

8. Ibid., p. 179.

9. Health and Safety Executive, “Five Steps to Risk Assessment,” www.hse.gov.uk/risk/fivesteps.htm (accessed March 25, 2013).

10. Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK Guide), 4th ed. (Project Management Institute, 2008), ANSI/PMI 99-001-2008, pp. 273–312.

CHAPTER SUMMARY:

KEY POINTS

In identifying information requirements and risks, legal requirements trump all others.

In the United States, the Code of Federal Regulations lists information retention requirements for businesses, divided into 50 subject matter areas.

The risk profile is a high-level, executive decision input tool.

A common risk profile method is to create a prioritized or ranked top-10 list of greatest risks to information.

Once a list of risks is developed, grouping them into basic categories helps stakeholders to grasp them more easily and consider their likelihood and impact.

The risk mitigation plan develops risk reduction options and tasks to reduce specified risks and improve the odds for achieving business objectives.

Metrics are required to measure progress in the risk mitigation plan.

The risk mitigation plan must be reviewed and audited regularly and proper adjustments made.


CHAPTER 5

Strategic Planning and Best Practices for Information Governance

Securing a sponsor at the executive management level is always crucial to projects and programs, and this is especially true of any strategic planning effort. An executive must be on board and supporting the effort in order to garner the resources needed to develop and execute the strategic plan, and that executive must be held accountable for the development and execution of the plan. These axioms apply to the development of an information governance (IG) strategic plan.

Also, resources are needed: time, human capital, and budget money. The first is a critical element: It is not possible to require managers to take time out of their other duties to participate in a project if there is no executive edict and consistent follow-up, support, and communication. Executive sponsorship is a best practice and supports the key principle of accountability of the Generally Accepted Recordkeeping Principles® (The Principles)1 (see Chapter 3 for more detail). And, of course, without an allocated budget, no program can proceed.

The higher your executive sponsor is in the organization, the better.2 The implementation of an IG program may be driven by the chief compliance officer, chief information officer (CIO), or, ideally, the chief executive officer (CEO). With CEO sponsorship come many of the key elements needed to complete a successful project, including allocated management time, budget money, and management focus.

It is important to bear in mind that this IG effort is truly a change management effort, in that it aims to change the structure, guidelines, and rules within which em- ployees operate. The change must occur at the very core of the organization’s culture. It must be embedded permanently, and for it to be, the message must be constantly and consistently reinforced. Achieving this kind of change requires commitment from the very highest levels of the organization.

Executive sponsorship is critical to project success. There is no substitute.

Without it, a project is at risk of failure.

If the CEO is not the sponsor, then another high-level executive must lead the effort and be accountable for meeting milestones as the program progresses. Programs with no executive sponsor can lose momentum and focus, especially as competing projects and programs are evaluated and implemented. Program failure is a great risk without an executive sponsor. Such a program likely will fade or fizzle out or be relegated to the back burner. Without strong high-level leadership, when things go awry, finger pointing and political games may take over, impeding progress and cooperation.

The executive sponsor must be actively involved, tracking program objectives and milestones on a regular, scheduled basis and ensuring they are aligned with business objectives. He or she must be aware of any obstacles or disputes that arise, take an active role in resolving them, and push the program forward.
