Maintaining the right organisational culture with information governance
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
January 31, 2022
In a few past articles, I discussed the importance of having the right information governance framework in an organisation. I have also mentioned the importance of having policies and procedures, developing a training plan for the organisation, and creating lines of defence in information governance. However, none of these things will work without the right belief system in the organisation.
Imagine a software company where developers believe in creating top-notch products but barely pay attention to data privacy by design and treat it only as an afterthought. The developers only want to think about birthing products that the world would love and that would, ultimately, increase the company's revenue. They understand that customer data needs to be secured, but they don't see the reason to spend so much time on it.
In field work, that is usually the case in most businesses. Certain stakeholders see the infusion of an information governance structure into their business as a burden and often handle it with kid gloves. However, statistics and research show that businesses that treat information and data privacy as a business function can build businesses that customers can trust and thereby increase business revenue.
Maintaining an information risk culture is about describing an organisation's values, beliefs, knowledge, attitudes and understanding regarding information management risks. It is essentially the attitude of the organisation to either embrace risk as a team or avoid risk as a team. Collaboration is the name of the game.
When Microsoft says they defend privacy and allow customers to defend the privacy choices and embed privacy in their tools and products, that means their developers consider the rights of individuals and the general transparency principle when building products. It is very important to note how such strategies inform the right information risk management methodology.
The demonstrable behaviour of employees in the above example of the software company portends a problematic information risk culture, which could lead to other problems. Such a culture should be controlled and nurtured throughout the enterprise to enable the company to maintain a sane information management framework that does not morph into the loss of customers' trust and revenue.
Usually, what leads to such a weak culture is poor communication from top management. If management can't communicate consistently about the importance of having the right attitudes in managing data, then the aim of having the right organisational structure will be defeated, and most times the organisation ends up creating negative perceptions among customers, investors, and regulators.
The culture of the organisation indicates the maturity of the information risk programme. In a highly optimised organisation, employees recognise the risks to their processes and discuss them without hesitancy, with the objective of addressing the attendant risks. In managing information risks, behaviour is one of the key aspects that must be nurtured. The organisation can determine this by observing the behaviour of management and employees.
A company can have all the fine policies and procedures, but they will only work through the behaviour of the people responsible for them. As such, it is important to maintain and invest in building a proactive information governance culture in any organisation.