The goal of a holistic approach to information governance is to make information assets available to those who need it, while streamlining management, reducing storage costs and ensuring compliance. This, in turn, allows the company to reduce the legal risks associated with unmanaged or inconsistently managed information and be more agile in response to a changing marketplace.
An important goal of information governance is to provide employees with data they can trust and easily access while making business decisions. In many organizations, responsibilities for data governance tasks are split among security, storage and database teams. Often, the need for a holistic approach to managing information does not become evident until a major event occurs, such as a lawsuit, compliance audit or corporate merger.
Since information governance has become as essential to corporate functions as compliance, business processes and customer outreach, more companies have begun to employ chief information governance officers to lead IG programs and projects. The CIGO is typically responsible for developing, implementing and managing the IG program and ensuring its processes and procedures are integrated companywide.
The CIGO is tasked with working closely with all of the company's business units, executives and board to develop an IG program to meet the company's legal, regulatory and ethical obligations, as well as helping ensure company data integrity so it remains a trusted business asset.
Information governance frameworks
To help clearly define information governance processes and goals, frameworks can be developed to formally outline an organization's approach to information governance. These information governance plan frameworks outline the who, what, when, where, why and how of company information:
- What is this information?
- When was this information created or processed?
- Where is the information stored?
- Who has access to this information?
- Why is this information being retained?
- How is this information being stored and protected?
Frameworks are tailored to the organization's unique governance needs, but should define the following areas:
Scope. The framework establishes the extent of the information governance program, including clearly outlining its overall goals, what staff members will be involved in achieving these goals and the types of data the IG program is designed to manage.
Roles and responsibilities. The framework defines the IG program's key roles, including what information governance responsibilities specific employees and departments will have as part of the program's implementation and integration.
Policies and procedures. The framework defines which wide-ranging, overall corporate policies and procedures are relevant to the information governance program as a whole, including the company's data security, records management, retention and disposal schedules, privacy, and information sharing policies.
Internal and external data management. The IG framework defines how employees and the organization manage specific data, with relevant sections including legal and regulatory compliance; acceptable content types, how personal information is managed; how information is stored, archived and disposed of; and how information is shared.
It is also essential to establish how the organization operates and shares information with stakeholders, partners and suppliers. The framework should define the policies and procedures for sharing information with third parties, how the IG process influences contractual obligations and how the organization will determine whether third parties are meeting its information governance goals.
Disaster recovery and business continuity. The framework should clearly outline company procedures in the event of a data breach, including how to report information losses and breaches, incident management specifics, disaster recovery processes, business continuity strategies, and auditing of these DR and BC processes.
Continuous monitoring. The framework should outline plans for quality assurance of information governance processes, including how the company will monitor information access and use, measure regulatory compliance adherence, maintain effective security, conduct risk assessments and periodically review the information governance program as a whole.
IG laws and regulations
As technological innovations continue to expand business capabilities and corporate data volumes grow, regulations that put strict mandates on information governance processes have become the norm. This is especially true for data privacy and security, as personally identifiable information has become a big target for hackers and nefarious online actors. Privacy laws, such as the European Union's Data Protection Directive, have started to expand in countries all over the world and create new information security governance obligations for companies.
Many industries, including highly regulated sectors, such as energy and financial services, are subject to regulations that require records and electronic communications be retained for a minimum period of time. These regulations include mandates from federal agencies, such as the Securities and Exchange Commission, Department of Justice and Environmental Protection Agency, regarding response times for information requests. Regulatory reporting requirements also often mandate that companies provide an account of compliance, usually in the form of raw or summary data, with set frequency, such as annually.
Information governance expert Jeffrey Ritter discusses how businesses can leverage information governance.
Sound business records management processes provide the evidence to demonstrate compliance with these regulations. Compliance rules, such as Foreign Corrupt Practices Act, require organizations be able to attest to the authenticity of their records, and information governance programs are essential to ensure electronic data integrity.
Strategies for information governance in healthcare settings have also become a major concern for companies in numerous industries. Health Insurance Portability and Accountability Act (HIPAA) compliance requires covered entities -- any organization or corporation that directly handles personal health information or personal health records -- put strict data privacy and security provisions in place for safeguarding medical information. In 2013, the HIPAA Omnibus Rule was put in place by U.S. Department of Health and Human Services to expand compliance mandates to covered entities' business associates. The Omnibus Rule also increased penalties for HIPAA compliance violations to a maximum of $1.5 million per incident.
Information governance reference, maturity models
Assessment tools such as the Information Governance Reference Model and Information Governance Maturity Model are available to help companies measure their IG program's progress.
The Information Governance Reference Model is made available by EDRM, and it's designed to provide "corporations, analyst firms, industry associations and other parties as a tool for communicating with and to organization stakeholders on responsibilities, processes and practices for information governance." According to EDRM, it is a responsibility model, rather than a document or case lifecycle model, and it can be used to help identify the stakeholders in the IG program and where their responsibilities may intersect.
The Information Governance Maturity Model is based on the eight Generally Accepted Recordkeeping Principles developed by ARMA. According to ARMA, the maturity model defines characteristics of various levels of recordkeeping programs, ranging from substandard to transformational information governance. The ultimate goal is to reach the top, transformational level of information governance maturity, where IG strategies are completely integrated into overall corporate infrastructure and business processes to help improve cost containment, competitive advantage and client services.
Should you invest in HP's enterprise content management tools?