New risk management needs challenge information governance processes

Risk management requirements have complicated information governance, but with the right strategy the two disciplines could be mutually beneficial.

Companies today face endless amounts of risk to their information assets, and often struggle to adapt their data management processes to offset these threats. With the right strategy, however, companies can take advantage of information governance and its associated analytics to alleviate risk, according to data management expert Jeffrey Ritter.

In this Q&A, Ritter discusses the relationship between risk management and information governance, and how the two fields could prove mutually beneficial.

Companies today are discovering that their compliance programs are serving as platforms for their risk management initiatives across the company. Does information governance have anything to contribute to this expansion and focus on risk management?

Jeffrey Ritter: One of the essential truths for showing the value of information governance in today's global marketplace is that information governance creates and maintains authentic records. Compliance has never required anything less. Public agencies, industry standards and the courts consistently require companies to create and produce information assets that can be evidence of the truth.

However, particularly in the United States courts, there is still a bias against relying on business records as evidence. That bias is shifting as information governance becomes more engrained in a company's IT management structure, but even internal compliance programs are still learning how to rely on digital records as evidence of the truth.

Even so, risk management cannot do its job unless it has information that is both authoritative and objective. Decisions on how to control or mitigate risks that are based on information that cannot be trusted are simply bad decisions. That is why tens of millions of dollars are being spent on new software applications that sort, filter, disqualify and embargo huge volumes of information from being ingested into big data analytics: to get rid of the information that does not meet the standards.

So, information governance strategies are critical to risk management. Effective information governance helps deliver the objective, authoritative data that risk management requires to be effective.

What trends in risk management are occurring that challenge information governance strategies?

Ritter: The first is big data analytics. Companies are looking to not only collect and use all of their internal information, but also collect, integrate, and rely upon information from third parties such as customers, suppliers, service providers and data custodians. The information governance function has to assert itself to help define what third party data sources align best with the internal information assets, and understand the requirements of risk management analytics to better manage the internal assets in order to be useful.

Second, risk management is moving toward the continuous monitoring of risks. Any dashboard-based management tool available on a desktop is a perfect example. Operating data is being generated, synthesized, interpreted and presented in visual displays to show where processes are being properly executed, and where weaknesses or failures are occurring. This moves information governance into a very critical shift: No longer are the information governance professionals serving as custodians of historic records. They need to be involved in how real-time data is designed, classified and used in order to enable the data to have its best possible use.

Third, risk management has become all about metrics—measuring the impact of the status quo on a corporation's objectives, and the possibility of how changes will alter the present state of affairs. Economics, velocity, accuracy, absence of errors (such as Six Sigma management) -- technology is enabling unprecedented measurements. But measuring anything also requires monitoring and observation, which are often not pleasant topics in this age of privacy and surveillance.

So, information governance strategies have to help build the tools for collecting information required to calculate the metrics demanded by risk management. Since many of the analytics focus on how humans and systems interact with other computer systems and information, information governance can do a great deal to advance risk management by getting involved in how all of the digital infrastructure and information assets are designed and integrated together.

We have seen over the last decade how electronic discovery has evolved, emphasizing more and more the utility of information governance to finding relevant information on a cost-effective basis. Is risk management the new driver for information governance?

Ritter: Risk management certainly has that potential. But at the same time, risk management could also degrade the effectiveness of information governance at acquiring the funds and assets required to be successful.

Risk management needs the information on historic operations in order to better execute the predictive analytics that shape how existing programs and services may be adjusted to lower risk and increase the profits of the company. If information governance cannot step up and deliver that information, risk management will bypass them and get the information from other sources, both inside and outside the company. It is sort of like the scientist in Jurassic Park who, when told all the dinosaurs were female, replied, "Life finds a way." If the information governance team does not embrace the requirements of risk management, the risk managers will find a way to acquire the information they need.

The upside, however, is more promising. Risk management requires information and information governance is the most cost-effective asset within a company to deliver that required data. If the IG function does not exist at the right level of maturity to support risk management, it is entirely logical for the top executives to see the connection and value and shift more support toward building information governance.

Ultimately, businesses run on information. Digital data that can be trusted is the essential fuel for any company. I do believe risk management is the new e-discovery. It is a business discipline that, like e-discovery, is tremendously inefficient in how information is ingested, but information governance can deliver results so significant that they can be measured at the bottom line of net profits within the company.

Let us know what you think about the story; email Ben Cole, site editor. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance.

This was last published in January 2015

Join the conversation

How does your organization incorporate information governance processes into risk assessment and management?
I've worked at companies where risk management and information governance are taken fairly seriously, and I've worked at places where, quite frankly, it's a joke.
For companies where risk management/information governance is a joke, how do companies change that corporate culture? Will executives only pay attention if their company is hacked, or can risk managers and GRC professionals somehow get them to realize that the best defense is good offense?
It's all about communication, in my opinion. Too often, IT fails to clearly state the risks, their likelihood of occurrence, and the impact if those risks are realized. I think it stems from IT departments not wanting to acknowledge that a vulnerability emerged under their watch, and have to explain how things got to be that way in the first place. But if IT will 'man-up', and clearly state that there's a vulnerability, that's been exploited elsewhere, and what will happen if it's exploited at their company, management will listen. There's been too many headlines now for them not to.