How to secure stakeholder buy-in for your information governance project

What are the three critical issues that need to be addressed to ensure stakeholder buy-in and the long-term success of a project?

Nida Rahimi-Naeem


Guest blog: by Matthew Bernstein, Information Management Strategist.


Many Information Governance (IG) projects – sometimes even an entire IG ‘Program’ or function – are initiated when senior management realises that a specific “issue” requires an urgent and vigorous response. The issue could be an audit finding, a regulatory enforcement action, the advent of new regulations, or an enterprise cost strategy.

For the business sponsor or project manager, it’s hard to balance gaining the support of senior management (that we always hear is vital to success) with gaining agreement on what to do and how. How do you overcome the governance delays of “it’s too big a task and we need multiple stakeholders’ input” while mitigating the execution risk that comes with “we’ve just got to get started on this project”?

The answer? Break it down into comprehensible components that can be quickly grasped and approved by individual stakeholders with limited knowledge and time. Start by addressing three critical issues that can derail the long-term success of an IG project but that, if established properly upfront, can accelerate early wins that build credibility and momentum.

Getting started – three critical issues to address for stakeholder buy-in:

1. Remove ambiguity as to the critical objective. Is it risk mitigation, cost reduction, or a business opportunity?

2. Gain insight around where to focus efforts. What are the time frames and data priorities that will most effectively achieve the critical objective? Should the time frame focus be to “stop the bleeding” going forward or to remediate legacy systems? Should the data priority be determined by risk, business-unit, region, data store, data type?

3. Clearly define critical activities. There can be a tendency (especially for senior management) to derail an IG project by assuming that what is missing is a particular component of the operating model (people, governance, process, technology), and thus make the urgent development of that solution the critical activity, e.g., a new policy ‘framework’, or a new enterprise IT solution.

Defensible disposal: a practical example

‘Defensible disposal’ is of increasing interest to enterprises. But how can you get started on this kind of governance project? How can you be persuasive so as to secure stakeholder buy-in? And how can you avoid charging ahead with the wrong approach?

Defensible disposal can have both a Risk and a Business objective, as conveyed here:

Reduce the amount of data held, to decrease processing costs, streamline control processes, and reduce privacy, eDiscovery, and litigation risks and costs, by disposing of information no longer required for legal, regulatory, or business purposes.

It’s easy to see why senior management would support this objective, and have many opinions on what to do! But, to get started, you could ask management to endorse the initial objectives and activities of the program, for example:

“The growth of privacy legislation around the world is creating heightened financial and reputational risks associated with the collection and use of personal data. Thus, the critical objective of the Defensible Disposal Project will be risk reduction: reducing the stores of personal data that the company retains, which would most likely be subject to regulator or consumer challenges.

The largest concentration of personal data is in our consumer banking business and the initial focus of the project will be on improving information governance in that division to support Defensible Disposal. We believe the greatest risk lies in the retail consumer clients’ reaction to the collection of information in the context of new product marketing and onboarding.

The key to success will be RegTech, which provides Automated Regulatory Intelligence (ARI) alongside privacy program management. With the first, we will establish the set of requirements we are subject to in the multiple jurisdictions in which we operate, and we will gain insight into the remedial actions we need to take to ensure governance. With the second, we will create a suitable knowledge base of our data. These are the prerequisites for proposing a disposal plan.”

Obviously, establishing these high-level parameters will require initial background work, to understand the concerns of senior management and formulate a meaningful assessment of the organization’s current state.

Whatever the urgency, the time and place to discover, plan and agree on these initial objectives and activities – to get the program quickly and successfully underway – is right from the start, not mid-project during a steering committee meeting or a presentation to senior management.

Measure twice, cut once…and get going.


CUBE is a RegTech providing Automated Regulatory Intelligence for information governance solutions. Know every regulation that matters – from defensible disposal to retention – and how to comply, with CUBE.

