Metrics in IG: What can't be Measured, can't be Improved
Organizations try to continuously improve their Information Governance (IG) programs to effectively manage all types of data throughout the entire data lifecycle. This can be achieved through regular evaluation and analysis of the existing program and identifying specific steps to improve it.
Key performance indicators (KPIs) are metrics and monitoring mechanisms widely used to measure the progress of a program or a process towards goals. Tracking the metrics helps identify the areas for improvement and provides directions for adjustments to enhance the program.
In Information Governance, companies use KPIs to monitor the effectiveness of IG programs, to ensure that the programs are aligned with the corporate strategy, and to help satisfy all compliance requirements. KPIs can help show whether the program is performing in line with stakeholder expectations on agreed-upon objectives and directions.
Determining what KPIs should be used to measure the program is a crucial first step. The right metrics can help you articulate the purpose, performance, and significance of your program in the best possible manner.
How to choose the right metrics for your organization?
Each organization is different, with its unique sets of goals, objectives, and challenges. The key is to develop metrics focusing on evaluating the critical activities of the company impacting the bottom line.
The metrics must provide precise and accurate comparisons of where your program is in relation to your short-term goals. The numbers you track should be derived in a way that improving them will advance the program closer to these short-term goals. As you start meeting these goals, the metrics should allow you to track progress towards achieving your long-term strategic goals.
The right metrics should enable a consistent view of any particular element of the program over a period. Even qualitative metrics should be tied to quantitative and measurable parameters. Metrics that can be easily represented as a number or percentage can be more accurately understood and compared. Ideally, data needed for calculating the metrics should be available through regular operational processes within the organization and without additional burden on the business units.
Typically, the metrics should cover most of the following categories:
IT systems, storage, and costs
Securing sensitive and confidential information
Types of Metrics
Metrics are grouped in several ways across different organizations. One simple but effective way to think about metrics is to group them into strategic, tactical, and operational bins.
Strategic metrics are high-level metrics that are used to evaluate progress toward a specific long-term goal. These provide an organization-wide impact and are mostly used by senior-level management.
Strategic metrics compile the performance over set time frames, i.e., monthly, quarterly, or yearly, and compare the performance metrics against the strategic goals of the organization. These metrics can help identify flaws in the program and achieve business goals within a shorter time span and with reduced operational costs.
Strategic metrics can provide insights into the different aspects of the entire program. For example, the maturity of the program against NIST or other benchmarks can be measured and tracked. They can also include opportunities for improvement, data quality, data findability, etc. Trends of costs and efforts at the program level can also be tracked.
Tactical metrics provide more in-depth analysis and are suitable for detailed analysis of the program's performance. They provide a detailed picture of the current scenario and help to home in on the critical areas for improvement.
They allow you to analyze a much larger volume of data collected over a shorter time period. Coupled with analytics, they can help detect patterns and opportunities that can improve decision-making and strengthen the IG program.
Most IG programs track tactical metrics around various aspects of the program. A good example is the data subject access request (DSAR) process: tracking metrics such as the number of requests, the request status, and the time to comply will help companies ensure their DSAR process is running efficiently.
Operational metrics provide the ability to track specific processes and operational activities. Most operational metrics provide real-time alerts and notifications about any irregularities. This enables teams to act before these become actual problems. Security notifications are a good example of operational metrics. Typically, operational metrics are automatically generated at specific times in the processes.
By maintaining a fine balance between the strategic, tactical, and operational metrics, you can identify systemic and operational shortcomings in your program and make steady progress towards long-term goals.
Deriving business value from metrics
After the selection of the right metrics, the next big step is implementing them using an effective dashboard that will maximize the benefits of your data and promote a data-driven culture.
It is equally essential to encourage a data-driven culture by fostering an understanding of the value and purpose of the governance process amongst all users and stakeholders. As many may not consider governance as a part of their job, appropriate training and awareness campaigns might need to be run.
It is also important to report back regularly to the broader organization on progress made in the IG programs. Sharing some of the key metrics will help to demonstrate the improvements made by the program to the wider organization. These communications can highlight specific improvements made by the IG program on business processes and workflows. This feedback loop can strengthen the sense of ownership users feel about the IG program.
Well-defined metrics can empower the designated teams or individuals to bring forward improvements. The governance program should enable the flow of metrics to allow the authorized decision-makers to initiate action for the desired business results. It is crucial to communicate the data change and the data value in a manner that is comprehensible to the stakeholders.
Tracking the occurrence of events that carry significant risks is a good way to see how your IG program is performing. Other broad areas to capture in your metrics include overall data-related costs, cybersecurity impacts, and the impact of upcoming regulatory changes.
Comprehensive reviews of the program at regular intervals will help to ensure the right set of metrics is being tracked. These reviews can identify what elements of the program can be improved or if any directional changes are needed to the program.
The key to effectively using metrics is to ensure the right set of metrics for your program and organization is employed. You will also need to be judicious in what you are tracking and how. If people are bombarded with metrics, they often end up going around in circles without progress. Grouping metrics into strategic, tactical, and operational bins brings clarity to how you think about your program. Each organization has a unique set of challenges, and the metrics you employ must be reflective of them.