violetkaipa - Fotolia


As data threats and mandates persist, governance vital to manage risk

Security threats and compliance rules complicate businesses' information protection efforts, but smart governance processes can help manage risk.

Information security threats and data governance mandates have made risk management a top priority, as nearly every functional business process must answer the same query: "How do we reduce and manage risk?"

To answer that question, one asset is critical: Organizations must trust that their information is reliable, accurate, authentic and complete. Today, venture capitalists and startups are scrambling to build the tools that will sort, filter, embargo and classify information assets to better evaluate and manage risk. Big data analytics can find the connections among circumstances, actors and events to expose weaknesses or nefarious conduct. Those analytic findings can then help determine responsive controls.

But while big money is being spent on these tools, companies neglect data governance investments to improve their own systems, devices, applications and information asset analytics. Effective risk management and compliance requires access to information immediately, and the organization must know that the data is accurate to make these business decisions. In other words, risk management relies on information that has been effectively governed.

It's important to remember that information governance is much more than keeping track of digital records for litigation or compliance. It involves building classification tools and functional descriptive data into our digital assets so they can be called upon and used in business with increased velocity and accuracy. It enables the company to take fewer risks because it makes critical information available at the moment decisions are being made.

Data governance collects information demanded by risk management processes. Since many of the analytics focus on how humans and systems interact with other computer systems and information, information governance can do a great deal to advance risk management by getting involved in how all of the digital infrastructure and information assets are designed and integrated together.

Governance also classifies and applies rules to how data assets are managed. When adverse events such as data breaches occur, responsive investigations and corrective action plans are crippled if the appropriate operational data such as activity logs or transaction logs are not readily available.

Using governance to manage risk

Risk management cannot do its job unless it has information that is both authoritative and objective. Decisions on how to control or mitigate risks that are based on information that cannot be trusted simply are bad decisions. That is why tens of millions of dollars are being spent on new software applications that sort, filter, disqualify and embargo huge volumes of information: to get rid of the information that does not meet rules.

Information governance works with IT enterprise architects and developers to make sure data required for legal, compliance, audits or risk management is properly classified from the moment of creation. Governance processes create faster access to better data in order to initiate investigations and corrective actions following an adverse event.

And of course, time is money. Ultimately, many business decisions that create risk do so because the executive or team making the decisions didn't have the right information available at the time a decision was made. By making accurate, vital business data readily available when needed, governance can support better business decisions and ultimately reduce risk.

There are two key data governance objectives businesses should strive for: First, information governance should improve the accessibility of specific information. One of the troubling outcomes of increasing data volumes is that they increase the time required to find information. When more time is required, there is an increased risk the clock will run out, forcing a business decision based on information that hasn't been found yet.

Second, even when information is located, governance helps assure the information is reliable. Business executives cannot presume all of the information on their screens is completely true and accurate. The more money or resources at stake with a specific decision, the more executives must question whether the information before them can be trusted.

We rely on information to make critical business decisions. Information governance dramatically improves the reliability of information and reduces (or even eliminates) the time executives must spend validating information when making decisions. This enables the company to make faster, better decisions that create far less risk because they are informed by well-governed information.

These information governance and risk management strategies are making all the difference in some of the best companies in the world. Information is starting to gain the investments required to become effective, and has become inherent to not only risk management but also to companies' financial success.

About the author:
Jeffrey Ritter is one of the nation's experts in the converging complexity of information management, e-discovery and the emergence of cloud-based services. He advises companies and governments on successful 21st-century strategies for managing digital information with legal and evidential value. He is currently developing and teaching courses on information governance at Johns Hopkins University's Whiting School of Engineering and Georgetown University Law. Learn more at

Let us know what you think about the story; email Ben Cole, site editor. For more regulatory compliance news and updates throughout the week, follow us on Twitter @ITCompliance.

Next Steps

More from Jeffrey Ritter on data governance:

Time-tested governance strategies still proving useful in big data age

The financial benefits of conducing governance and risk stress tests

Dig Deeper on Managing governance and compliance