Chief Information Governance Officer (CIGO)
Definition of Chief Information Governance Officer
The Chief Information Governance Officer (CIGO) is a senior role that establishes and maintains an enterprise-wide culture for an accountable and business-focused Information Management environment. The CIGO:
- champions the value of information assets and their effective management at an organizational level
- establishes an organizational culture that encourages and supports staff to manage and use information assets strategically
- drives digital innovation and capability in information management
- delivers expert and up-to-date advice on overarching information management strategy
- leads information governance across the agency, including engaging with information and data managers and users to support best practices for information management.[1]
Today, there is endless talk about data. Big data, smart data, data, data, data. But there is much information about data being utilized as an asset. Digital information and data are not exactly the same. And if data, aka digital information, begins to take on the form of an asset, watch out. Assets are carried on the balance sheet. Digital information assets could be worth millions, or tens of millions, or hundreds of millions of dollars on the balance sheet in the upcoming decade.
source: The Cowen Group
There have been multiple conversations over the recent months where senior corporate executives have begun to speak about data as digital information and an asset, leading to the establishment of the role Chief Information Governance Officer within their organizations.
Effective information governance is so important that it has become a C-suite role in many organizations, with an executive responsible for its implementation. The Chief Information Governance Officer (CIGO) often oversees the initial governance initiative, shepherding its development, management and ongoing evolution throughout the organization. The officer is generally responsible for maintenance of information integrity standards, gathering required quality and usage metrics and ensuring that the company meets compliance and regulatory requirements.[2]
History and Evolution of the Chief Information Governance Officer[3]
In past decades, information governance responsibilities might have fallen under the purview of the chief information officer (CIO). But somewhere along the line, the CIO job description changed to focus solely on the information systems and associated technology that power a company—not the information itself.
In today's age of big data, organizations have more information under their control than ever before.[1] To extract the maximum value from that data while simultaneously protecting an organization from its associated risks, business leaders have turned toward the CIGO because of the role's independence from other departments. CIGOs are tasked with neutrally balancing the needs of all departments with respect to an entire organization's top priorities.
Though the position is an emerging one, support for the CIGO continues to rise as business leaders increasingly understand the implications of information governance (and more importantly, the lack thereof). While many organizations have information governance projects in place, such initiatives are much more likely to succeed with top-down management.
CIGO Responsibilities[4]
A CIGO’s core responsibilities can be divided into four categories: leadership, strategy, technical and engagement.
- Leadership
  - Promote information and data management policies and strategies
  - Chair the information governance committee
  - Drive digital innovation
  - Promote best practice for information management
  - Promote the values of a data use and reuse culture
  - Promote improved digital capabilities and upskilling
  - Champion data literacy to support information management
- Strategy
  - Leverage the value of information assets (records, information and data)
  - Endorse the information governance framework
  - Advise and report to executive
  - Perform information management workforce planning
  - Oversee information risk management
  - Facilitate interoperability by design
  - Endorse information security
  - Harness business intelligence for decision making
  - Stay informed of relevant legislation and policy requirements
- Technical
  - Implement information and data standards
  - Provide resources for tools, research and development
  - Ensure good information governance of ICT investment, solutions and infrastructure planning
  - Develop enterprise-wide digital capabilities
  - Drive information access and re-use
- Engagement
  - Build partnerships and collaborations
  - Facilitate relations between information and enterprise architecture
  - Cultivate internal and external stakeholder relations
  - Inform whole-of-government initiatives
  - Influence information and data legislation and policy
The CIGO Role: A Maturity Framework[5]
In its 2014–2015 Annual Report, the IGI advocated elevating information governance (IG) to the C-suite with the creation of the CIGO role because, for IG to be effective, some entity within the organization must be empowered to coordinate and act. Its first Task Force was asked to build on this idea and to explore in more detail what the CIGO role would look like at an organization. Starting with an eye toward creating a sample CIGO job description, the group moved beyond just the creation of a sample job description to develop a model describing the CIGO’s role at varying levels of IG maturity. The chart below outlines the responsibilities that a CIGO would have at the three maturity levels. A more detailed description of the IG maturity levels as well as the CIGO’s responsibilities at each level follows. The framework can also be thought of as both descriptive and prescriptive—showing what a CIGO might do day-to-day at each level or showing what a CIGO would need to do to take an organization to the next level.
Level One: Nascent
- State of IG: At this level the organization has either no or only a nascent IG program. Many or most facets of IG are either missing entirely or are significantly underdeveloped, but basic RIM and IT functions are in place. There is no formal coordination of information-related activities. To the extent that coordination happens, it is largely unplanned and incidental. There is also no formal IG body (e.g. a steering committee, board, etc.) in place to coordinate IG. Basic policies and procedures are in place for paper records, however, those policies and procedures may be old and out of date. They do not extend to non-paper records, though there is an awareness that they should. Basic IT infrastructure (email systems, shared drives, etc.) is in place, but technology is not being used to effectuate the organization’s IG program. There is no to minimal review of compliance with existing policies and procedures. The organization has minimal or no plans in place for incidents (security breaches, discovery, etc.) and responds to them and other IG concerns as issues arise. The organization’s posture is reactive versus proactive.
- The CIGO’s Role: At this level, the CIGO role would likely not be a standalone position. It would sit within one of the other facets of IG and be “shepherded” through its development. The CIGO’s primary role would be building the foundation for IG. The CIGO would:
  - Identify missing or underdeveloped key facets of IG and begin building out or developing these roles.
  - Begin building alliances and working relationships between the facets of IG and coordinating projects across facets.
  - Create an informal working group, leveraging emerging alliances.
  - Review and revise existing policies and procedures, expanding them, incrementally, to cover more types of information and more uses.
  - Assess current IT infrastructure, including understanding where and how information is being stored and determining the specific needs of the organization to know what technological solutions would add value.
  - Develop an employee education program on existing policies and procedures, and about IG.
  - Begin building known risks into standard policies and procedures, where possible, to routinize response to them.
Level Two: Intermediate
- State of IG: At this level the organization has an established but still developing IG program. The CIGO is emerging as a quasi-independent role, but may still be tied closely to one of the other facets of IG. Many facets of IG are in place and reasonably well developed. Some roles need to be filled and some existing facets must mature. A senior IT professional (CIO/CTO) focused on infrastructure and possibly information security (CISO) are in place. Planned coordination of some information-related activities is occurring, but it is not comprehensive over all facets of IG or on all projects. There is a formal IG body that meets occasionally. Policies and procedures have been reviewed and updated and are being extended to non-paper information, but coverage is incomplete. Comprehensive, organization-wide policies and procedures are not yet in place. Some basic technologies are being used for IG. More advanced and comprehensive approaches are being considered. Some compliance monitoring is in place, but the coverage is spotty. The organization is in a reactive posture with respect to some types of incidents but has begun to take a proactive posture with respect to the types of crises it has addressed in the past.
- The CIGO’s Role: At this level, the CIGO role would likely still be closely tied to one of the other facets of IG. However, the CIGO would be emerging as a separate and distinct function. The CIGO’s primary role would be building the framework and structure of an effective IG program. The CIGO would:
  - Continue to shore up existing facets and build out any that are missing to create a comprehensive approach to information and begin assuming a leadership role with respect to primarily information-focused facets of IG.
  - Leverage existing alliances to have IG issues considered from the very beginning of projects. Facilitate the inclusion of other necessary facets in the planning process to encourage active coordination across information-related activities.
  - Lead the existing IG body. Ensure that all facets are represented. Encourage regular and frequent meetings where the various facets can actively plan coordination on new and existing projects.
  - Review and revise policies and procedures to cover information regardless of format. Expand and integrate policies across the organization as warranted.
  - Identify and implement/expand technological solutions to facilitate consistent application of IG policies and procedures.
  - Expand educational programs on policies and procedures. Audit compliance on critical regulatory or legal requirements and expand to audit other information activities.
  - Continue to expand the organization’s incident readiness. Ensure that all regular or anticipated events (e-discovery, investigations, employee departures, etc.) are built into processes, so they are not disrupters of routine.
Level Three: Advanced
- State of IG: At this level the organization has a well-developed or advanced IG program. The CIGO is in a top level position, independent of a particular facet of IG and is a co-equal to other top information positions (CIO/CTO, CISO, etc.). The major facets of IG are in place and are well developed. There is formal, comprehensive coordination of information-related activities. The coordination is part of a formal plan that seeks to maximize the value of information while minimizing risk. There is a formal IG body in place to coordinate IG. It communicates and meets regularly. Comprehensive, organization-wide IG policies and procedures are in place and extend to all types of information regardless of format. They are being reviewed and updated as appropriate. As appropriate, technology is being used to implement IG. Some processes are likely automated. A formal auditing procedure is in place and being executed regularly. The organization has procedures in place to avoid incidents (like breaches) where possible and also to respond to others (e.g. litigation or investigations) as part of the regular IG process.
- The CIGO’s Role: At this level the CIGO would be a standalone entity and co-equal to other high level roles like the CIO/CTO and CISO. The CIGO’s primary role would be maintaining and improving the existing IG program with an eye toward optimizing the organization’s use of its information. The CIGO would:
  - Ensure that the major facets have the resources to maintain and improve their functions. Build out minor IG facets as appropriate to optimize the organization’s use of information. Assume leadership and responsibility for information focused facets of IG.
  - Be responsible for coordinating and integrating all information-related activities, organization-wide, and continuously improving on a formal plan to do so.
  - Lead the organization’s formal IG governing body that meets regularly to proactively coordinate IG functions.
  - Routinely review and revise policies and procedures. Streamline same to reduce the burden on end-users. Automate steps where possible.
  - Review and expand the use of technology as appropriate to streamline processes, enhance compliance, and to extract business value from information.
  - Conduct regular, formal auditing of all policies and procedures. Automate auditing functions where possible.
  - Maintain and improve the organization’s incident readiness. Expand focus on value-generating processes.
CIGO Key Relationships[6]
- Reports to the CEO.
- Collaborates as a peer with the CIO and CISO with each having primary but overlapping areas of influence corresponding to IT infrastructure, information itself, and information security for the CTO, CIGO, and CISO, respectively.
- Collaborates directly with the COO and CFO.
- In addition to collaborating with the COO, consults regularly with management of all business units to ensure effective change management and that the company’s business objectives are considered during all IG efforts.
- Consults regularly with all levels of legal management to ensure that handling of information assets meets the company’s legal, regulatory, and ethical obligations.
- Business intelligence, privacy, records and information management (HIM), and knowledge management teams are direct reports to the CIGO.
The CIGO Role in Law Firms[7]
There is a noteworthy difference of opinion among law firm management regarding the chief information governance officer (CIGO) role and to whom the responsibilities of this position best belong. Many technologists believe information governance best fits the job description of chief information officers (CIOs) because of their technical acumen; others think the role is best suited to chief financial officers (CFOs) because of their responsibilities regarding risk management and financial liability.
However, many in the records and information management community hope the role would be part of the overall responsibilities of a new position — the CIGO — as a separate but equal position to the CIO and CFO. It could be argued that the information governance manager's role complements the other roles in the C-suite, but there are significant differences that would help balance law firm information management.
Regardless of where an organization's opinion falls in the CIGO role discussion, the vast majority of law firm executives believe there is a need for a champion in the C-suite. However, some unsettled issues remain about to whom the champion reports and how he or she is engaged in the process of building and maintaining an information governance program.
This role is different than that of the CIO, and the separation will provide more respect for information governance and its associated business processes. There is a great deal of coordination that needs to be structured in the information governance portfolio within law firms. Some executives believe the coordination effort could be aided by broader independent oversight.
When developing a CIGO position, the organization must determine which skills and strengths it needs. There are a few obvious roles and responsibilities to consider. A CIGO should focus on information security, which is the practice of securing information from unauthorized use, disclosure or destruction. Regulatory compliance requires adherence to federal and state laws, regulations and rules, guidelines and specifications that relate to the business and operation of the law firm. Noncompliance often results in penalties or fines.
Data governance processes need to ensure data assets are managed throughout the enterprise and can be trusted so individuals are held accountable for actions or events. CIGOs must understand the risk management process, be able to evaluate and address business risks and then assess their priorities to monitor and control the risk. Importantly, the CIGO must protect personal information and data belonging to an individual or client company that relates to stored data on the firm's computer systems, such as collected personal information, medical records, financial data or private business information.
Information management in the legal industry will be largely affected by these decisions. It must be specified to whom the CIGO reports and how he or she interacts with the management committee to ensure the firm's objectives are met and profitability is maximized. Information security may be a huge differentiator when clients are selecting which law firm they want to work with.
References
1. What is Chief Information Governance Officer (CIGO)? naa.gov.au
2. Defining Chief Information Governance Officer (CIGO) Techtarget
3. History and Evolution of the Chief Information Governance Officer [1]
4. CIGO Responsibilities National Archives of Australia
5. A Maturity Framework for the CIGO Role IG Initiative
6. CIGO Key Relationships Ahima
7. The CIGO Role in Law Firms Iron Mountain