Managing client-specific IG requirements for professional services firms and other service providers
The present regulatory landscape and the frequent incidents of security breaches are making organizations contemplate the various risks associated with poor data management practices.
Be it the SolarWinds hack or the more recent Kaseya ransomware attack, supply chain attacks have exposed the vulnerabilities associated with third-party service providers. Enterprise data is no longer confined to in-house servers, and as a result, companies are recognizing and working to manage third-party risks.
Several organizations are putting their professional services firms and other service providers under increased scrutiny for their information governance (IG) policies and asking for details regarding the data practices and management of their IG programs.
Clients are also defining “sensitive data” (such as employee or customer information or business trade secrets) and adding specific limitations on the data. These limitations may include who’s authorized to access it, the data’s geographic location, and requirements for additional controls, such as data encryption while in use and how and when to dispose of it.
Information governance and compliance don’t just run on an honor system anymore. Clients reserve the right to perform audits or expect third-party reviews of the processes to ensure these practices are followed.
When you have each client making specific IG requirements on how their data needs to be managed, there are some challenges involved in meeting these requirements. Increased demand for additional controls, regular monitoring, and audits can burden the professional service resources in the absence of the right systems and processes.
However, this can also present an opportunity to differentiate from the competition by demonstrating superior and robust IG policies and procedures. In other words, good data practices can be a great differentiating factor and can increase competitiveness.
Here are some best practices for information governance and records management professionals that will help with overall data management and make it easy to meet client-specific IG requirements.
1. Map and Identify
Mapping how client data flows and who handles it can help you identify where to begin and which areas need more controls. Data mapping can help you find out what information is present, where it resides, and how it flows through the various systems. Engaging the different departments to learn what information they receive, how it is stored, and who has access to it can help improve stakeholder awareness and responsibility. This data map should be updated periodically to include new technologies, data, and processes as they are brought into the firm, and careful consideration should be given to information privacy, security, and retention.
2. Update Policies
Most organizations have taken a policy-first approach. This has resulted in several organizations having too many policies that have been implemented over time without proper consideration. Decentralized implementation of policies and a lack of coordination across segments have also resulted in these policies contradicting each other or not being up to date with the current regulatory environment.
While updating the policies, you also get a chance to examine how to classify data as personal information, business record, etc. and what factors drive decisions around the location of data, its accessibility, data retention, and disposition.
3. Foundational Process
Having a clearly defined process is very important to the application of a successful IG program. IG could be the way to break down information silos within a firm by focusing on the common goals of client service, information integrity, and security and minimizing firm exposures.
A strong IG program will not only reduce risk but also provide compelling business advantages by reducing physical and electronic storage costs, adding efficiencies to search and retrieval processes, and, ultimately, building a firm’s competitive advantage.
After establishing the desired policies, ensure that employees are trained on them and that the organization works on fostering a culture of information governance. Next comes the incorporation of the right tools and technology to help automate repetitive tasks and coordinate across various systems.
Choose technology that provides visibility across all data repositories and connects to various business systems without requiring users to log in to multiple systems.
4. Communication is Key
Client requirements should be communicated effectively to the IG team so that it can determine whether the company can meet all of them. If not, necessary changes can be suggested based on the team’s evaluation.
Communication is also very critical to secure stakeholder buy-in and improve culture and awareness within the firm. DataMap can help bring transparency and awareness and increase collaboration and communication within the firm.
5. Secure Stakeholder Buy-in
By getting management buy-in and support, you can bring in a cultural shift in how the data is treated across the organization. It becomes easier to establish cross-functional collaboration and implement policies with backing from senior management. And contrary to popular belief, the management is usually very receptive to such changes owing to strict regulatory and audit requirements.
6. Measure your Progress
The IG programs should be assessed on a regular basis, and the reports should be shared with the stakeholders and clients. Without measuring the progress, it is impossible to determine how the program is performing.
Monitoring the program’s performance will help you oversee compliance, take necessary action against any problems, and document historical decisions and activities.
The firm’s approach towards IG will define the effectiveness and the scope of the program. Though it is a challenging process, having the right support, expertise, resources, and technology can improve your overall approach. Having a well-thought-out process around IG can take you beyond compliance and risk management to help you gain a competitive advantage.