Information governance is a holistic approach to managing corporate information by implementing processes, roles, controls and metrics that treat information as a valuable business asset.
The goal of a holistic approach to information governance is to make information assets available to those who need them, while streamlining management, reducing storage costs and ensuring compliance. This, in turn, enables the company to reduce the legal risks associated with unmanaged or inconsistently managed information and be more agile in response to a changing marketplace.
An important goal of information governance is to provide employees with data they can trust and easily access while making business decisions. In many organizations, responsibilities for data governance tasks are split among security, storage and database teams. Often, the need for a holistic approach to managing information does not become evident until a major event occurs, such as a lawsuit, compliance audit or corporate merger.
Information governance provides a wide range of benefits. It ensures the following:
- whoever requires access to certain information can receive it;
- underlying data is properly managed, stored and secured;
- regulatory requirements are correctly observed, where necessary; and
- risk management is in place to minimize any issues that might arise from incorrect use.
Why is information governance important?
Information governance makes information more accessible to those who need it, which is crucial for any organization. Organizations of all types and sizes often suffer from poor organization and management of information assets, leading to issues with accessibility, ease of use, timeliness and security -- all of which governance can positively affect.
Often, the same information may exist in more than one location, leading to issues with updating. When the same information is in several places and does not agree, confusion can ensue. Effective information governance can establish a single source of truth (SSOT), rendering information more trustworthy.
Effective information governance is so important that it has become a C-suite role in many organizations, with an executive responsible for its implementation. The chief information governance officer (CIGO) often oversees the initial governance initiative, shepherding its development, management and ongoing evolution throughout the organization. The officer is generally responsible for maintenance of information integrity standards, gathering required quality and usage metrics and ensuring that the company meets compliance and regulatory requirements.
It is also increasingly common for the enterprise to establish an information governance council composed of key stakeholders in the organization, including management-level representatives from every area of the business, information technology (IT) personnel involved in infrastructure and security, and subject matter experts who fully understand how specific information is used. This governance council often aids the executive officer in implementing and enforcing governance policy and can be invaluable in helping to guide its ongoing development.
A commitment to information integrity throughout the enterprise requires the active participation of employees at all levels and in all areas. Awareness of and commitment to information governance processes should be organization-wide, actively promoted and frequently updated.
What is the difference between data governance and information governance?
When considering information governance, it's common to wonder how it differs from data governance, which is referred to more commonly. The difference is subtle; data is not necessarily information, whereas information cannot exist without data.
Information governance refers to data assets that have carefully defined business meanings; data governance, on the other hand, refers to the oversight of the physical data itself -- its storage, security and transport. Someone implementing data governance might perform those tasks with little or no understanding of the data's meaning, while, in information governance, meaning is everything.
Information governance challenges
Even a clear vision and strong management support don't guarantee information governance success. Organizations can experience a number of common issues when implementing information governance, including the following:
- Compliance and regulatory issues. An organization often requires information governance during a lawsuit or some other consequence of noncompliance. On such occasions, compliance teams must go through potentially millions of pages of documents -- and possibly even more rows of data -- in pursuit of information that has been requested for legal purposes. This process, also called electronic discovery (e-discovery), is daunting even when things are at their most orderly. It can become a nightmare if the organization's information is not well ordered and readily discoverable.
Organizations can mitigate this challenge using several strategies, such as the following:
- establishing a universal metadata taxonomy for consistent tagging of information;
- developing a consistent retention management/defensible disposal policy and process; and
- establishing a data classification program to rate all information assets according to their sensitivity.
- Big data and machine learning. Machine learning is increasingly essential in the enterprise, enabling the predictive and prescriptive analytics that are necessary to maintain a competitive edge. But machine learning depends on big data -- large amounts of information about the particular domain being modeled for predictive use -- and it is often challenging to manage data of that magnitude.
Careful attention to the integrity of data sources and the merging and transformation of data from multiple sources is essential in this endeavor. Organizations should ensure that the big data underlying the analytics is as accurate and clean as possible, and strong governance policy can help ensure this.
- Lifecycle management. One major challenge of an information governance implementation is the need to manage data that underlies information assets throughout its lifecycle in multiple domains. As silos come down and information becomes more centralized in the enterprise, inconsistencies in its management can creep into existing processes, causing friction between groups. All groups using common information must agree about the process of refreshing, modifying and archiving that information. Achieving policies that encourage such agreement should be a responsibility of the governance officer and council.
Information governance frameworks
Different types of organizations may have different goals and tasks, but the elements of information used to manage those activities are often similar. For this reason, it is possible to create frameworks that clarify an information governance plan and help organize the effort, regardless of how customized the organization's handling of information may seem.
These information governance plan frameworks outline the who, what, when, where, why and how of company information. Frameworks are built from the answers to some central questions that apply to information of all types:
- What does this information mean?
- Who uses it?
- How is it created/where does it come from?
- What do users do with it?
- Who can access it?
- Why is it important?
- How long is it useful for?
- What other information depends upon this information?
Answering all of those questions for every information asset within the enterprise is a monumental task. Once an organization collects those answers, however, a path to managing its information becomes increasingly clear.
Frameworks are tailored to the organization's unique governance needs but should define the following areas:
- Policy. The framework defines which wide-ranging, overall corporate policies and procedures are relevant to the information governance program as a whole, including the company's data security, records management, retention and disposal schedules, privacy and information sharing policies.
- Process. The framework carefully defines how the policies are implemented.
- Roles and accountability. Who does what is a key part of policy implementation and process. An accountability framework defines the information governance program's key roles, including what information governance responsibilities specific employees and departments will have as part of the program's implementation and integration. For example, who has ultimate responsibility for the management of specific bodies of information, particularly sensitive ones? What are the consequences of mismanagement in this area?
- Metrics. Organizations can track information quality, access and lifecycle management by measuring activity, quality of outcomes and issues. Strong metrics make for strong process and effective risk management.
- Compliance. A framework highlights legal and regulatory concerns to ensure that they are addressed and to specify how.
- Scope. The framework establishes the extent of the information governance program, including clearly outlining its overall goals, what staff members will be involved in achieving these goals and the types of data the information governance program is designed to manage.
- Internal and external data management. The information governance framework defines how employees and the organization manage specific data, with relevant sections including legal and regulatory compliance; acceptable content types; how personal information is managed; how information is stored, archived and disposed of; and how information is shared.
It is also essential to establish how the organization operates and shares information with stakeholders, partners and suppliers. The framework should define the policies and procedures for sharing information with third parties, how the information governance process influences contractual obligations and how the organization will determine whether third parties are meeting its information governance goals.
- Disaster recovery (DR) and business continuity (BC). The framework should clearly outline company procedures in the event of a data breach, including how to report information losses and breaches, incident management specifics, DR processes, BC strategies, and auditing of these DR and BC processes.
- Continuous monitoring. The framework should outline plans for quality assurance (QA) of information governance processes, including how the company will monitor information access and use, measure regulatory compliance adherence, maintain effective security, conduct risk assessments and periodically review the information governance program as a whole.
Laws, regulations and principles
Information governance isn't just a matter of best practices; it is a matter of regulation in and of itself because it is so deeply intertwined with security, privacy and compliance concerns.
As technological innovations continue to expand business capabilities and corporate data volumes grow, regulations that put strict mandates on information governance processes have become the norm. This is especially true for data privacy and security, as personally identifiable information (PII) has become a big target for hackers and nefarious online actors. Privacy laws, such as the European Union's Data Protection Directive, have started to expand in countries all over the world and create new information security (infosec) governance obligations for companies.
Many industries, including highly regulated sectors such as energy and financial services, are subject to regulations that require records and electronic communications to be retained for a minimum period of time. These regulations include mandates from federal agencies, such as the Securities and Exchange Commission (SEC), Department of Justice (DOJ) and Environmental Protection Agency (EPA), regarding response times for information requests. Regulatory reporting requirements also often mandate that companies provide an account of compliance, usually in the form of raw or summary data, at a set frequency, such as annually.
Some examples of laws and regulations that information governance can address include the following:
- HIPAA. The Health Insurance Portability and Accountability Act is a good example of regulatory requirements that can be addressed through effective information governance. It imposes strict compliance requirements on healthcare organizations to compel them to protect the privacy of patient medical information.
- GDPR. The European Union's General Data Protection Regulation is another regulatory effort to preserve privacy -- in this case, that of consumers. GDPR calls for organizations to empower customers to control the amount of private information that a company can share. This is another area where information governance is critical and empowering.
- FCPA. The Foreign Corrupt Practices Act addresses compliance, imposing rules on organizations to ensure the authenticity of the records they keep. The idea is that organizations will be able, if called upon, to produce evidence of information authenticity -- yet another process for information governance.
Information governance models
In addition to frameworks, there are information governance models. Organizations can use these to assess the quality and effectiveness of an information governance program once they implement it.
- The Information Governance Reference Model (IGRM) provides organizations with a means of communicating the processes, policies and responsibilities of an information governance program with its key stakeholders. Its goal is to establish a clear mapping of information management responsibilities within the organization and among its partner organizations.
- The Information Governance Maturity Model (IGMM) is focused on best practices. It is built on the Generally Accepted Recordkeeping Principles, encouraging the implementation of processes that are not only compliant, but progressive, spurring the organization to greater efficiency, competitiveness and customer focus.
- The Information Governance Implementation Model (IGIM) establishes a common understanding of governance principles and policies among stakeholders, reducing risk and enhancing cooperation and broad uptake of processes.