
ISACA Geek Week

August 8 – 10, 2016

Building a Digital Governance Program


Stacy Wiedman
swiedman@gmail.com
TODAY’S AGENDA

Building a Digital Governance Program: an approach for implementing within a large organization. Discussion of critical aspects for a successful program.

• What is Digital Governance?
• Digital Governance Benefits
• Group Structures
• Digital Governance Policy
• Digital Standards
• Monitoring & Oversight
• Social Media
• Tips
What is Digital Governance?

Digital governance is a discipline that focuses on establishing clear accountability for digital strategy, policy, and standards. A digital governance framework, when effectively designed and implemented, helps to streamline digital development and dampen debates around digital channel “ownership.” - Managing Chaos: Digital Governance by Design, Lisa Welchman

Digital governance is a framework for establishing accountability, roles, and decision-making authority for an organization’s digital presence - which means its websites, mobile sites, social channels, and any other Internet and Web-enabled products and services. - ActiveStandards.com

The ultimate goals of governance are to empower and accelerate an agency’s ability to make informed digital services decisions and to help an agency achieve the goals named in the Digital Government Strategy. - Federal Government Digital Services Advisory Group
Diagram: components of the Digital Governance Program
• Program Scope Basics - define what your organization needs and clearly articulate it
• Digital Governance Policy
• Digital Standards
• Digital Oversight
• Group Structure
• Executive Support
Digital Governance Benefits

• Aligned priorities
• Coordinated services
• Clarity of decision making process
• Clear accountability
• Adherence to laws, regulations, standards, and policies
• Effective delivery
• Capability to meet business needs in the correct timeframe
• Supportability
• Interoperability
• Cost effective
• Ability to leverage 3rd party relationships
• Consistent and high quality digital client/prospect experience
How to build a program

• Gather a core team
• Assess what exists today
  – What is working / what is not working well
  – Who is doing what
• Determine objectives of a new program
• Develop the group structure
• Share, receive feedback, update
• Execute!

Repeat as needed; maintain communication and awareness throughout the cycle.
GROUP STRUCTURE
Assess your current group structure
• Where do the digital resources sit in the organization
  – all in IT; pockets of the organization; only in the web team, etc.
• Develop a RACI Chart (Responsible, Accountable, Consulted, Informed)
• Think of YOUR organization: WHO wants to know, WHO needs to know, WHO wants/needs to contribute

RACI chart template
Stakeholder columns: Digital Team, Corp. Marketing, Business Unit Marketing, Corp. IT, Business Unit IT, Risk, Compliance
Activity rows:
Digital Strategy
  – Development and maintenance of strategy
Digital Policy
  – Digital Policy creation
  – Digital Policy monitoring
  – Digital Policy enforcement
Digital Standards
  – Determination of needed standards
  – Standard creation
  – Standard approval
  – Standards monitoring
GROUP STRUCTURE

• Centralized into one team (typically Marketing, Communications, or IT)
• Consistent messaging
• Clear ownership
• Standardized tools
• Can create bottlenecks and inefficiency
• Can be slow to innovate and keep current with technology

GROUP STRUCTURE

• Multiple areas of digital expertise
• Ability to focus on business unit needs
• Duplication of efforts
• Lack of consistency
• Power struggle
• Many tools can lead to complexity for integration
• Can lead to confusing user experience

GROUP STRUCTURE

• Business units continue to build their own capacity based on specific needs
• Central and strong digital team directs the enterprise effort
• Excellent leadership and collaboration skills are critical
One Option

Diagram: governance bodies and their responsibilities
• Digital Corporate Risk Committee - provides oversight & strategic direction; resolves escalations
• Governance Council - interested parties and digital stakeholders provide input on new standards, policies, and procedures, and disseminate information to and from the Committee; communication & awareness of the Digital Governance program
• Head of Digital - provides overall leadership and direction; approves policies and all digital related guidelines, procedures, and standards
• Digital Governance Committee - primary Digital Governance oversight; linkage into other digital processes (risk assessments, project management, etc.); creates the Digital Governance Policy; digital standards management; monitoring oversight
• Working Groups - subject matter experts from relevant corporate functions and business units focus on specific topics, e.g. policy creation, execution of standards, digital projects, solution development, etc.
Another Option

POLICY
• High level rules are needed to guide teams on content
• Mandatory content requirements need to be documented
• Enforcement is difficult to do without a policy

Policy - High level management direction; WHY do I need to do this? Example: Privacy Policy, E-mail Policy
Standard - Minimum acceptable level or rules; WHAT is required? Example: Server Security Standards
Guideline - Additional advice or recommendations; helpful information. Example: Employment Discrimination Guidelines
Procedure - Process flow or instructional details; HOW do I do it? Example: Software Request Procedures
DIGITAL GOVERNANCE POLICY
Scope - clearly list what is in and out of scope
Governance Structure / Management Authority - roles and responsibilities (may be defined in a Charter); reports to the XX Committee
Digital Standards - who creates, who approves, where are they published, etc.
Management Reporting - list the frequency of management reports and who receives them
Policy Exceptions - approval; regular review cycle
Other Items of Importance may be included (see next page)
DIGITAL GOVERNANCE POLICY
Other Items of Importance - add relevant high level mandates/requirements, or link to other policies with related information

– Domain Management
– Content Management
– Mobile Management
– Social Media Management
– Accessibility
– Technical Security
– Language Translation
– Web-linking to other sites
– Intellectual Property
– Privacy
– Records Management
Scope Definition - Example

Included in Policy Scope
• Company external web sites requiring a user name and password
• Company external informational web pages – product and services information, helpful tips, etc.
• Third party authenticated or unauthenticated web sites or applications displaying our brand or logo
• Third party sites containing a link to an external company web site
• Company sponsored social media pages, points of presence, or posts (i.e. Facebook, LinkedIn, etc.)
• Company images, multi-media, and content accessible externally
• Company mobile applications, mobile web, text, alerts
• Customer video conferencing (i.e. interactive agent) or text chat
• eSignature
• Customer facing forms

Excluded from Policy Scope
• Electronic mail
• Microsoft SharePoint internal solutions
• Intranet web sites that are available within the company network only
• Intranet authenticated applications
• Interfaces and file transmissions
• Instant messaging used within the company internal network
Standards – Risk Assessment

If any one criterion is ranked as “high”, the high rating applies to the entire standard.

Category | Does this standard: | High | Medium | Low
Revenue | impact revenue generation, transaction processing, or financial statements | Significant direct impact | Direct impact | Indirect, limited impact, or no impact
Regulatory | provide direction to ensure legal or regulatory compliance | Yes - contains regulatory required instructions | Potentially | No
Brand | determine how the Corporate brand is represented | Direct negative impact | Indirect impact | No
Reputational | provide direction to avoid adverse media publicity or other reputational risks | Significant direct impact | Direct impact | Indirect, limited impact, or no impact
Privacy/Security | involve capturing, storing, or protection of customer data or non-public information | PII or confidential data | Tracking data | No
Technology | address system data integrity and availability to our customers utilizing digital assets | Significant direct impact | Direct impact | Indirect, limited impact, or no impact
HIGH RISK ENTERPRISE DIGITAL STANDARDS

Risks: Regulatory violation; Legal violation; Negative public perception; Customer dissatisfaction; Customer liability; Data breach; Incorrect or inaccurate information; Unavailability

Content / Design / Publishing standards
• Brand
• User Experience / User Interface
• Web Design
• Copyrights and Trademarks
• Content Management Framework
• Language Translation
• Domain Management

Strategic standards
• Digital Governance
• Social Media
• Human Resources

Development / Infrastructure standards
• Code Standards for web
• Testing - Release & Change Management
• Information Security
• Digital Architecture

Compliance standards
• Privacy – GLBA, COPPA
• ADA
• Industry specific
• Model Audit Rule - Insurance
• FINRA
• FFIEC
• Fair & Responsible Banking
SOCIAL MEDIA

FFIEC Guidance: Social Media Risk Management - December 2013 (Federal Financial Institutions Examination Council)
Requirements:

1. Governance structure
2. Written policies and procedures
3. Risk management process for selecting and monitoring third-party
relationships
4. Employee training program
5. Monitoring & oversight program
6. Audit & Compliance involvement
7. Regular reporting to senior management

Risk Assessment
• Know your organizational social media strategy
• Know your social media inventory – points of presence
• Know monitoring/community engagement
SOCIAL MEDIA

Develop a Social Media Policy

A social media policy should consolidate the high level aspects uncovered during the risk assessment:

• Who defines and approves the Social Media strategy
• Lists the purpose of the organization's use of social media, high level objectives, presence, and approaches
• Who is responsible for compliance and content
• Lists the rules of engagement
• How rules, regulations, and compliance obligations will be met
• Defines the community management program
• States requirements and acceptable “Employee use of social media”
Digital Governance Monitoring & Oversight

There is a difference!

Define WHO will perform monitoring.
Oversight should be performed by a different group from the one that performs monitoring.

Tools are extremely helpful:
• web crawlers
• rogue domains/sites
• brand infringement
• broken links
• compliance checking – privacy, web links, etc.

Are broken links important to fix? They hurt user experience, credibility, and search engine optimization.
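As an added illustration of the kind of tooling this slide refers to (this code is not part of the presentation and not a product of its author), the following Python script is a small offline monitoring pass: it crawls a constructed set of HTML pages standing in for a company's approved points of presence, reports broken links, flags pages that do not link to the privacy notice (a hypothetical compliance rule), and lists links that leave the approved domain inventory, marking near-matches of an approved domain as possible lookalike or rogue domains. The domains, the /privacy rule and the page contents are all constructed for the example; in a real deployment `fetch` would be replaced by an HTTP client and `APPROVED_DOMAINS` by the organization's domain inventory.

```python
"""Added monitoring example: offline link and compliance scan over constructed pages.
Reports broken links, pages missing the required privacy-notice link, and links
to domains outside the approved inventory (near-matches tagged as lookalikes)."""
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed inventory of approved points of presence (hypothetical domains).
APPROVED_DOMAINS = {"www.example-bank.test", "help.example-bank.test"}
PRIVACY_PATH = "/privacy"        # hypothetical policy rule: every page links here
LOOKALIKE_THRESHOLD = 0.9        # similarity above which a host is flagged as lookalike
START_URL = "https://www.example-bank.test/"

# Constructed site: URL -> (HTTP status, HTML body). Stands in for real fetches.
SITE = {
    "https://www.example-bank.test/": (200, """<html><body>
        <a href="/products">Products</a>
        <a href="/privacy">Privacy</a>
        <a href="https://help.example-bank.test/faq">FAQ</a>
        <a href="https://www.example-bank.test/old-promo">Old promo</a>
        <a href="https://www.examp1e-bank.test/login">Login</a>
        </body></html>"""),
    "https://www.example-bank.test/products": (200, """<html><body>
        <a href="/">Home</a>
        <a href="https://partner.test/offer">Partner offer</a>
        </body></html>"""),
    "https://www.example-bank.test/privacy": (200, "<html><body><a href='/'>Home</a></body></html>"),
    "https://help.example-bank.test/faq": (200, "<html><body><a href='/privacy'>Privacy</a></body></html>"),
    "https://www.example-bank.test/old-promo": (404, None),
}


class LinkExtractor(HTMLParser):
    """Collects the href values of <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def fetch(url):
    """Constructed stand-in for an HTTP GET; unknown URLs count as unreachable."""
    return SITE.get(url, (0, None))


def classify_host(host):
    """'approved', 'lookalike' (close to an approved domain) or 'external'."""
    if host in APPROVED_DOMAINS:
        return "approved"
    best = max(SequenceMatcher(None, host, d).ratio() for d in APPROVED_DOMAINS)
    return "lookalike" if best >= LOOKALIKE_THRESHOLD else "external"


def crawl(start=START_URL):
    """Breadth-first crawl restricted to approved domains; returns the findings."""
    findings = {"broken": [], "missing_privacy": [], "unapproved": []}
    queue, seen = [start], set()
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        status, body = fetch(url)
        if status != 200 or body is None:
            findings["broken"].append(url)
            continue
        parser = LinkExtractor()
        parser.feed(body)
        links = [urljoin(url, href) for href in parser.hrefs]
        # Policy check: each page (other than the notice itself) links to the privacy notice.
        if urlparse(url).path != PRIVACY_PATH and not any(
                urlparse(target).path == PRIVACY_PATH for target in links):
            findings["missing_privacy"].append(url)
        for link in links:
            kind = classify_host(urlparse(link).hostname or "")
            if kind == "approved":
                queue.append(link)                                # follow our own pages
            else:
                findings["unapproved"].append((url, link, kind))  # leave for review
    return findings


if __name__ == "__main__":
    for category, items in crawl().items():
        print(category)
        for item in items:
            print("  ", item)
```

The crawl deliberately never follows links outside the approved inventory, so the scanner only touches the organization's own pages; everything else is recorded for a reviewer. The "lookalike" tag is a simple string-similarity heuristic, useful as a triage signal for the rogue domain and brand infringement checks on the slide, not as proof of infringement.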
How does monitoring and oversight add value?
• Executive support is key
  – Ability to influence others and the authority to make things happen
• Don’t get in the weeds
• Assist in development of standards
  – Allow subject matter experts to have clear ownership and responsibility
• Understand your digital assets
• Start small and increase with maturity
QUESTIONS/ RESOURCES

Managing Chaos – Digital Governance by Design, by Lisa Welchman
Taming the elephant in the room: Why digital governance is job one for today’s C-suite
Digital Services Governance Recommendations
http://ithandbook.ffiec.gov/
Consulting Firms (EY, KPMG, Accenture, PwC, etc.)
