Information Governance (IG)

Definition of Information Governance

What is Information Governance
Gartner defines Information Governance as "the specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals."^[1]

Information governance is not a separate category from information management, but rather a different perspective of it – a more conservative one. In a perfect world, organizations would bar applications that put content out of control, but efforts to stop people from doing what they want to do with information always fail. Always. Information governance is really the practice of putting in place measures to mitigate the risk.Those organizations that have good information governance programs in place know:

• What information is retained
• Where it is stored
• How long it is retained
• Who has access to it
• How that data is protected
• How policies, standards and regulations are enforced

The challenge many organizations face is connecting these programs under one umbrella and correctly assigning ownership – sometimes to legal, sometimes to IT, and sometimes to compliance. Each organization is different, but in general the following diagram is a good description for information governance.(See Figure 1.)^[2]

Figure 1. source: Information Architected

Historical Overview of Information Governance^[3]

As data generation exploded in recent decades, and regulations and compliance issues increased, traditional records management failed to keep pace. A more comprehensive platform for managing records and information became necessary to address all phases of the lifecycle, which led to the advent of information governance. In 2003 the Department of Health in England introduced the concept of broad-based information governance into the National Health Service, publishing version 1 of an online performance assessment tool with supporting guidance. The NHS IG Toolkit is now used by over 30,000 NHS and partner organizations, supported by an e-learning platform with some 650,000 users. In 2008, ARMA International introduced the Generally Accepted Recordkeeping Principles®, or "The Principles" and the subsequent "The Principles" Information Governance Maturity Model. "The Principles" identify the critical hallmarks of information governance. As such, they apply to all sizes of organizations, in all types of industries, and in both the private and public sectors. Multi-national organizations can also use "The Principles" to establish consistent practices across a variety of business units. ARMA International recognized that a clear statement of "Generally Accepted Recordkeeping Principles®" ("The Principles") would guide:

• CEOs in determining how to protect their organizations in the use of information assets;
• Legislators in crafting legislation meant to hold organizations accountable; and
• Records management professionals in designing comprehensive and effective records management programs.

Information governance goes beyond retention and disposition to include privacy, access controls, and other compliance issues. In electronic discovery, or e-discovery, relevant data in the form of electronically stored information is searched for by attorneys and placed on legal hold. IG includes consideration of how this data is held and controlled for e-discovery, and also provides a platform for defensible disposition and compliance. Additionally, metadata often accompanies electronically stored data and can be of great value to the enterprise if stored and managed correctly. With all of these additional considerations that go beyond traditional records management, IG emerged as a platform for organizations to define policies at the enterprise level, across multiple jurisdictions. IG then also provides for the enforcement of these policies into the various repositories of information, data, and records. A coalition of organizations known as EDRM, which was founded in 2005 to address issues related to electronic discovery and information governance, subsequently developed, as one of its projects, a resource called the IGRM. In 2011, EDRM, in collaboration with ARMA International, published a white paper that describes How the Information Governance Reference Model (IGRM) Complements ARMA International’s Generally Accepted Recordkeeping Principles ("The Principles") The IGRM illustrates the relationship between key stakeholders and the Information Lifecycle and highlights the transparency required to enable effective governance IGRM v3.0 Update: Privacy & Security Officers As Stakeholders.

Information Governance: Standards and Requirements^[4]

Information Governance provides a consistent way for organizations to deal with the many different standards and legal rules that apply to information handling, including:

• The Computer Misuse Act 1990
• The Data Protection Act 1998.
• The common law duties of care and confidentiality.
• The Human Rights Act 1998.
• The Freedom of Information Act 2000.
• The Privacy and Electronic Communication Regulations 2003
• The rights and pledges made to patients within the NHS Constitution.
• The Confidentiality NHS Code of Practice.
• The Information Security NHS Code of Practice.
• The first Caldicott Report and Information: To Share or Not to Share? The Information Governance Review (the Caldicott 2 Report)
• The Foreign Account Tax Compliance Act, or FATCA
• Payment Card Industry Data Security Standard, or PCI Compliance
• Health Insurance Portability and Accountability Act, or HIPAA
• Financial Services Modernization Act of 1999, or GLBA
• Sarbanes–Oxley Act of 2002, or Sarbox or SOX
• Federal Rules of Civil Procedure^[5]

Why Information Governance Matters^[6]

Companies and organizations continue to struggle with information, whether it's unlocking its' greatest potential or remaining compliant and secure. Information Governance is the enabling function in companies to increase the value of information and reduce the risk that information poses.

• Increasing the value of information: In a recent study, nearly one-half of respondents said that their organizations "do not treat information as an asset." So it should come as no surprise that that same study also found that over 3/4s of respondents had a hard time finding information in their organizations. Without a comprehensive and organizational-wide strategy, companies are delegating that responsibility to their various departments and employees, the result of which is abysmal findability of information along with an increase in security concerns. While companies are beginning to spend significant amounts of money on Big Data and Data Science initiatives, it is Information Governance which enables those projects to become more cost effective and successful. Underlying information strategy enables companies to increase their information value.
• Decreasing the risk of information: Compliance and security remain top concerns for executives today. While technology continues to be implemented in attempts at securing organizations, the underlying problem of making the right information available to the right people at the right time remains elusive. Unfortunately, for many organizations, the risk of internal breaches are as large as those of outside malicious hackers. Securing highly sensitive materials must be enabled through better information structure and organization. Information Governance enables this. For compliance concerns, nearly 40% of respondents in a recent study say that they do not have a culture of compliance in their organization or have a weak culture of compliance. For those in the remaining 60% of organizations, those efforts often fall on deaf ears as information doesn't enable the targeted compliance culture. Information flows are enabled by information governance, and ensuring those flows are one of the keys to compliance success

Information Governance Goals^[7]

• Understand and promote the value of data assets
• Effectively resolve data related issues and create processes to prevent future occurrences of such issues
• Define and approve data strategies, policies and standards, as well as associated procedures and metrics, communicating them clearly with relevant people
• Sponsor, track and ultimately oversee the delivery of data management projects and services
• Enforce conformance to policies and standards relating to information governance

Developing an Information Governance Framework^[8]

To help clearly define information governance processes and goals, frameworks can be developed to formally outline an organization's approach to information governance. These information governance plan frameworks outline the who, what, when, where, why and how of company information: What is this information? When was this information created or processed? Where is the information stored? Who has access to this information? Why is this information being retained? How is this information being stored and protected?

Frameworks are tailored to the organization's unique governance needs, but should define the following areas:

• Scope. The framework establishes the extent of the information governance program, including clearly outlining its overall goals, what staff members will be involved in achieving these goals and the types of data the IG program is designed to manage.
• Roles and responsibilities. The framework defines the IG program's key roles, including what information governance responsibilities specific employees and departments will have as part of the program's implementation and integration.
• Policies and procedures. The framework defines which wide-ranging, overall corporate policies and procedures are relevant to the information governance program as a whole, including the company's data security, records management, retention and disposal schedules, privacy, and information sharing policies.
• Internal and external data management. The IG framework defines how employees and the organization manage specific data, with relevant sections including legal and regulatory compliance; acceptable content types, how personal information is managed; how information is stored, archived and disposed of; and how information is shared. It is also essential to establish how the organization operates and shares information with stakeholders, partners and suppliers. The framework should define the policies and procedures for sharing information with third parties, how the IG process influences contractual obligations and how the organization will determine whether third parties are meeting its information governance goals.
• Disaster recovery and business continuity. The framework should clearly outline company procedures in the event of a data breach, including how to report information losses and breaches, incident management specifics, disaster recovery processes, business continuity strategies, and auditing of these DR and BC processes.
• Continuous monitoring. The framework should outline plans for quality assurance of information governance processes, including how the company will monitor information access and use, measure regulatory compliance adherence, maintain effective security, conduct risk assessments and periodically review the information governance program as a whole.

Information Governance: Models and Methodologies^[9]

There are several models and methodologies now available to help companies towards enacting Information Governance in their organizations including Information Coalition's Information Governance Model, ARMA's Information Governance Professional (IGP) DACUM Chart, and EDRM's Information Governance Reference Model.

• ARMA International, the association of Records Managers, made an early attempt at developing a list of activities associated with information governance in their Information Governance Professional DACUM Chart, in support of their Information Governance Professional (IGP) Certification. Their overall IGP Certification came with other resources as well.
• EDRM modified their eDiscovery Reference Model and transformed it their Information Governance Reference Model, and it, along with its' supporting materials can help organizations define the stakeholder groups to information governance.
• Information Coalition's Information Governance Model (which is the only Open Source model available) is a tool to help define the activities underlying the various stakeholder groups as well as the authorities, supports, processes, capabilities, structures, and infrastructure underlying a comprehensive Information Governance plan. In addition to The Information Governance Model, the Information Coalition is the producer of The Information Governance Conference and are currently in the process of defining, in conjunction with the community, an open source body of knowledge for the information profession as a whole, called the Information Body of Knowledge or InfoBOK.

The Challenge of Information Governance (See Figure 2.)^[10]

Not only is the volume of enterprise data doubling every 12 to 18 months, but data may be stored in hundreds of silos across an organization and anywhere around the world. An increasingly mobile and flexible workforce is also using multiple devices to access their data, forcing organizations to respond by delivering better connections and more modern applications to meet user expectations. Expectations for access anytime, anywhere, on almost any device makes the information challenge harder still. Information Governance must extend across the organization to address these concerns of growth, risk, efficiency and costs, but it can be a significant challenge to plan and manage. ECM systems must be scalable and flexible enough to address the information challenge.

Figure 2. source: Oyster-IMS

Information Governance Vs. Data Governance^[11]

Information governance speaks to the accountability framework or who is responsible for what, as well as who can make decisions about the information asset. Its goal is to make sure that all information resources and investments support the business goals effectively and efficiently and that they enable the healthcare organization to accomplish its strategic goals. Information governance is led, not just sponsored, by executive leadership at the enterprise level. Data governance is more narrowly focused and it is focused on one specific type of information resource, the data. It is the management of the availability, usability, integrity, and security of the data employed in an organization. Data is unprocessed information. Data governance is led at the business unit level. Data governance is a component of information governance. With the need for business intelligence, data governance has become a priority in many organizations to be able to produce reports to meet the regulatory needs. A strong information governance program mitigates the information management crises by assessing risks, understanding gaps, and doing some advanced planning and putting policies, procedures, and tools in place that let professionals proactively manage data and information enterprise-wide.

Benefits of Information Governance^[12]

Information Governance is a key part of any overall information management strategy.

• Information Is an Asset: The key benefit that information governance can provide to an organization is to help ensure the proper management, governance and protection, plus access to, your valuable information. Treating information as the asset that it is helps to ensure that your business can fully leverage its internal knowledge. This enables you to derive real business value from your content when and where needed to make business decisions that drive success.
• Risk Mitigation: Although too much focus and fear-mongering has been placed in this area in the past – risk mitigation is a true benefit of any information governance program. While the shift to a value-based argument for information governance is long-overdue, the mitigation of undue risk to the organization is still a substantial benefit of implementing a comprehensive and strategic information governance plan. Through the implementation and enforcement of policies you can help to minimize the risks caused by unmanaged silos of content that jeopardize compliance programs, evolving privacy standards and legal discovery processes today.
• eDiscovery: A successful eDiscovery plan rests hard and fast on the foundation of a comprehensive information governance strategy. Access to properly managed content will speed response and the legal insight via early case assessment and can help drive more accurate business decisions and case management. Additionally balancing retention and legal removal of content provides for defensible disposition of your redundant, outdated and trivial content (ROT) to help remove undue risk based on your policies.
• Compliance: Businesses need to adhere to a variety of regulations and legislative mandates. These could involve
  • Archive requirements and time periods for certain types of information
  • Supervision and review requirements for all communications involving broker dealers
  • Various privacy regulations such as data sovereignty regulations in Europe and/or other mandates for how to store personally identifiable information
  • Defensible disposition and chain of custody audits

Your ability to easily report, go through audits and show good faith in your efforts to meet compliance mandates and be a compliant business is a significant benefit of your information governance strategy and program.

• Security: In an era riddled with hackers and breaches coming from all directions, security is paramount. Information governance helps to ensure that an organization’s intellectual property is protected. IT is typically focused on your firewall and security infrastructure – guarding the perimeter and the gatehouse. An information governance strategy enhances security by adding security personnel “strolling the grounds” by creating and enforcing policies to technically secure information as well as policies around the people aspect of security – permissions, access control, audit trails, etc.
• Management and Control of Dark Data and Big Data: While these two concepts are two of the most recent buzzwords created to help describe the huge growth of information, they are, in the end, just describing data. With proper planning and management, this information can be analyzed and leveraged for business insight – and this can be more effectively completed within the confines of your information governance program. In fact, in a recent study by Unisphere, 97% of those with a big data initiative thought that data security and privacy were important, very important or critical to big data analytics. For big data initiatives to move beyond the knowledge gathering and pilot phases, they will require big governance to help answer the questions of who owns the data, how do we ensure privacy and how does big data impact retention as well as value of an asset?
• Clearing out Digital Debris: Removing this clutter of your information landscape speeds the ability to find your information assets as well as results in improved productivity for your knowledge workers. Through constant disposal of unnecessary content, search engines and users no longer have to weed their way through older and often irrelevant information. This impacts daily decision making of business users, legal and compliance users. The cost of storage to an organization’s bottom line from ROT shouldn’t be overlooked. Raw storage capacity is cheap (relatively), which leads to the perception that “storage is cheap”. However, in the real world, this misperception creates real costs when managing this stored information, not to mention the potential risk it can cause. As an example, the Information Governance Initiative (IGI) has a recent paper focused on the cost of information. At an estimated $9 TCO per GB/per month, a fictional company used to illustrate how much storage costs would pay $1.1 million/year on storage and infrastructure (this excludes staffing costs). Based on experience, if 40% of the information on this organization’s network is junk, spending the time required to eliminate the junk would create $442,400 in storage cost savings per year. A potential 30% to 40% saving on storage spend would be significant, regardless of the actual size of the organization.
• Agility: Information has become untethered from location. You no longer sit at a desk with a PC and/or retrieve a file from your file room (or at least not as often!). Employees access and act on information through laptops, tablets, smart phones, and who knows, maybe their watch soon. Information governance helps to ensure that your information is accessible only on the appropriate device by the appropriate employees. Even when your content is on the edge of your organization, it’s under control. With information under control, your organization gains the agility to act and respond quickly to events, accidents, press activities, FOIA inquiries, market changes and more. Knowing where your information is and that is it the correct information, allows you to trust your data and respond quickly to market demands. This can be critical in a customer-centric and competitive market.
• Decreased Data Migration Cost and Complexity: As your storage infrastructure ages, or as you transition to the cloud, you will need to move your data to newer, more advanced platforms and technology. The more data that you need to migrate, the more costly and complex the migration can be. An information governance program’s continual pruning of content helps to ensure that you are spending dollars to only move useful data, not ROT.
• Management of all content types: Lastly, a comprehensive information governance program and platform treats all content types as equals (of sorts). Whether structured, semi-structure or unstructured, all content should be overseen by your governance policies. Whether database content, transactional data, reports, mortgage applications, contracts, work in process documents, audio files, videos, instant messages, tweets or status entries; your company’s information assets represent your organization’s body of work. With the continued advancement of technology and the expected impact of the IoT this will become even more important as more transactional data will be available to mine for big data initiatives as well. Do not ignore elements such as IoT, structured data or social as ephemeral, as a sound information governance strategy also includes these (and whatever is next) assets as potential business records.

In conclusion, Information Governance is a framework that is supported by people, processes, and technology. It is laudable in its effort to pull together what may have been previously disparate functions across an organization in order to create a consistent, compliant, and collaborative approach to managing information for risk, cost, and its value to the organization. The Information Governance Program construction will be different from company to company, but its intent should remain firm. Information Governance is not a project with a defined time span, but a program with requisite support from executives. Most institutions will go through many iterations implementing and administering the Information Governance Program, including the establishment of a Governance Council. It is important to go into the process with the understanding that there is no “silver bullet” or all-inclusive piece of technology that will provide your institution with instant governance over the entirety of your information. The Information Governance Program needs to be adaptable as the business and regulatory environments change. Merger, acquisition, and divestiture activity is common in many industries and may result in potential new lines of business, new geographic locations, new technology, cultural and organizational shifts, new members to sit on the Council, and much more. It is important to remember that Information Governance is a framework — it is not static and must reflect current and emerging requirements for the management and use of information as an asset, and potential liability, of the organization.

See Also

• IT Governance

References

Further Reading

• What is Information Governance? And Why is it So Hard? Debra Logan
• Defensible Disposal: You Can't Keep All Your Data Forever Forbes
• Information Governance: Concepts, Strategies and Best Practices Robert F. Smallwood
• Information Governance: Current situation analysis and implementation strategy Republic of Estonia, Ministry of Economic Affairs and Communications