Difference between revisions of "Chief Information Governance Officer (CIGO)"

Effective information governance is so important that it has become a C-suite role in many organizations, with an executive responsible for its implementation. The Chief Information Governance Officer (CIGO) often oversees the initial governance initiative, shepherding its development, management and ongoing evolution throughout the organization. The officer is generally responsible for maintenance of information integrity standards, gathering required quality and usage metrics and ensuring that the company meets compliance and regulatory requirements.^[1]

CIGO Responsibilities^[2]
A CIGO’s core responsibilities can be divided into four categories: leadership, strategy, technical and engagement.

• Leadership
  • Promote information and data management policies and strategies
  • Chair the information governance committee
  • Drive digital innovation
  • Promote best practice for information management
  • Promote the values of a data use and reuse culture
  • Promote improved digital capabilities and upskilling
  • Champion data literacy to support information management
• Strategy
  • Leverage the value of information assets (records, information and data)
  • Endorse the information governance framework
  • Advise and report to executive
  • Perform information management workforce planning
  • Oversee information risk management
  • Facilitate interoperability by design
  • Endorse information security
  • Harness business intelligence for decision making
  • informed of relevant legislation and policy requirements
• Technical
  • Implement information and data standards
  • Provide resources for tools, research and development
  • Ensure good information governance of ICT investment, solutions and infrastructure planning
  • Develop enterprise-wide digital capabilities
  • Drive information access and re-use
• Engagement
  • Build partnerships and collaborations
  • Facilitate relations between information and enterprise architecture
  • Cultivate internal and external stakeholder relations
  • Inform whole-of-government initiatives
  • Influence information and data legislation and policy

The CIGO Role: A Maturity Framework<ref>A Maturity Framework for the CIGO Role IG Initiative</ref>
In the IGI’s 2014—2015 Annual Report, we advocated elevating information governance (IG) to the C-suite with the creation of the CIGO role because, for IG to be effective, some entity within the organization must be empowered to coordinate and act. Their first Task Force was asked to build on this idea and to explore in more detail what the CIGO role would look like at an organization. With an eye toward creating a sample CIGO job description. the group moved from just the creation of a sample job description to developing a model describing the CIGO’s role at varying levels of IG maturity. The chart below outlines the responsibilities that a CIGO would have at the three maturity levels. A more detailed description of the IG maturity levels as well as the CIGO’s responsibilities at each level follows. The framework can also be thought of as both descriptive and prescriptive—showing what a CIGO might do day-to-day at each level or showing what a CIGO would need to do to take an organization to the next level.

CIGO Role Maturity Framework.png
source: IGI

Level One: Nascent

• State of IG: At this level the organization has either no or only a nascent IG program. Many or most facets of IG are either missing entirely or are significantly underdeveloped, but basic RIM and IT functions are in place. There is no formal coordination of information-related activities. To the extent that coordination happens, it is largely unplanned and incidental. There is also no formal IG body (e.g. a steering committee, board, etc.) in place to coordinate IG. Basic policies and procedures are in place for paper records, however, those policies and procedures may be old and out of date. They do not extend to non-paper records, though there is an awareness that they should. Basic IT infrastructure (email systems, shared drives, etc.) is in place, but technology is not being used to effectuate the organization’s IG program. There is no to minimal review of compliance with existing policies and procedures. The organization has minimal or no plans in place for incidents (security breaches, discovery, etc.) and responds to them and other IG concerns as issues arise. The organization’s posture is reactive versus proactive.
• The CIGO’s Role: At this level, the CIGO role would likely not be a standalone position. It would sit within one of the other facets of IG and be “shepherded” through its development. The CIGO’s primary role would be building the foundation for IG. The CIGO would:
  • Identify missing or underdeveloped key facets of IG and begin building out or developing these roles.
  • Begin building alliances and working relationships between the facets of IG and coordinating projects across facets.
  • Create an informal working group, leveraging emerging alliances.
  • Review and revise existing policies and procedures, expanding them, incrementally, to cover more types of information and more uses.
  • Assess current IT infrastructure, including understanding where and how information is being stored and determining the specific needs of the organization to know what technological solutions would add value.
  • Develop an employee education program on existing policies and procedures, and about IG.
  • Begin building known risks into standard policies and procedures, where possible, to routinize response to them.

Level Two: Intermediate

• State of IG: At this level the organization has an established but still developing IG program. The CIGO is emerging as a quasi-independent role, but may still be tied closely to one of the other facets of IG. Many facets of IG are in place and reasonably well developed. Some roles need to be filled and some existing facets must mature. A senior IT professional (CIO/CTO) focused on infrastructure and possibly information security (CISO) are in place. Planned coordination of some information-related activities is occurring, but it is not comprehensive over all facets of IG or on all projects. There is a formal IG body that meets occasionally. Policies and procedures have been reviewed and updated and are being extended to non-paper information, but coverage is incomplete. Comprehensive, organization-wide policies and procedures are not yet in place. Some basic technologies are being used for IG. More advanced and comprehensive approaches are being considered. Some compliance monitoring is in place, but the coverage is spotty. The organization is in a reactive posture with respect to some types of incidents but has begun to take a proactive posture with respect to the types of crises it has addressed in the past.
• The CIGO’s Role At this level, the CIGO role would likely still be closely tied to one of the other facets of IG. However, the CIGO would be emerging as a separate and distinct function. The CIGO’s primary role would be building the framework and structure of an effective IG program. The CIGO would:
  • Continue to shore up existing facets and build out any that are missing to create a comprehensive approach to information and begin assuming a leadership role with respect to primarily information-focused facets of IG.
  • Leverage existing alliances to have IG issues considered from the very beginning of projects. Facilitate the inclusion of other necessary facets in the planning process to encourage active coordination across information-related activities.
  • Lead the existing IG body. Ensure that all facets are represented. Encourage regular and frequent meetings where the various facets can actively plan coordination on new and existing projects.
  • Review and revise policies and procedures to cover information regardless of format. Expand and integrate policies across the organization as warranted.
  • Identify and implement/expand technological solutions to facilitate consistent application of IG policies and procedures.
  • Expand educational programs on policies and procedures. Audit compliance on critical regulatory or legal requirements and expand to audit other information activities.
  • Continue to expand the organization’s incident readiness. Ensure that all regular or anticipated events (e-discovery, investigations, employee departures, etc.) are built into processes, so they are not disrupters of routine.

Level Three: Advanced State of IG At this level the organization has a well-developed or advanced IG program. The CIGO is in a top level position,