Mobile, social, and cloud computing empower employees to create, publish, and disseminate information like never before. In addition to the changing technology landscape, growing compliance and legal demands place increased pressure on organizations to get more information “under control.”

An increasing number of organizations are therefore starting to look at creating formal information governance programs. The industry analyst firm Gartner was early to adopt the term “information governance” to describe a strategic approach to managing enterprise information and content.

What is Information Governance?

Information governance (IG), in Gartner’s words, is the specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information.

It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals. IG starts with looking at how information is collected, how it is recorded (on paper and computers), how it is then stored, how it is used (whether for audit, research or performance management) and then on what basis it is shared with others, both inside and outside the organization.

Organizations that operate in the knowledge economy will want to establish an information governance framework to meet external regulations, but also to guide users’ behavior with respect to corporate content. How employees assess the value of content, create, store, use and preserve it can all be tied to an accountability framework designed to meet organizational goals.

It is a high‐level guiding set of principles to protect, preserve and share content that is important to the enterprise.

What Activities Are Part of Information Governance?

Information Governance is a broad term, which often encompasses several activities. The most common are:

  • Records Management
  • Compliance
  • Storage and archiving
  • Security
  • Risk management
  • Privacy
  • Data loss prevention
  • eDiscovery

The purpose of information governance is to have one program to manage it all. Information governance seeks to meet the needs of the total organization (Compliance, IT, and lines of business) with optimized information management practices.

This graphic depicts the Information Governance Reference Model as developed by EDRM.net.

Information Governance Activities

IG means managing information throughout its lifecycle from a broader perspective than just retention, legal obligation, or IT functionality. IG includes policy, standards, procedures, tools, and training. It covers all technologies including mobile, social, and cloud.

Any new information governance initiatives should start by identifying or reviewing what is already in place such as:

  • Does the organization have any structures, roles and accountabilities for managing information?
  • Are there any policies, objectives and strategies in place for managing information?
  • What are the current information governance capabilities, understood in terms of resources and knowledge (e.g., capital, time, people, processes, systems, and technologies)?
  • What are the existing information systems, information flows and decision making processes (both formal and informal)?
  • Are there any standards, guidelines and models adopted by the organization for managing information?
  • What are the relationships with, and perceptions and values of, internal stakeholders and the organization’s culture?

Principles for Good Information Governance (IG)

Detailed below are 10 principles which are a good starting point towards establishing good information governance (IG):

Executive Sponsorship

No IG effort will survive and be successful if it does not have an accountable, responsible executive sponsor. The sponsor must drive the effort, clear obstacles for the IG team or steering committee, communicate the goals and business objectives that the IG program addresses, and keep upper management informed on progress.

Stakeholder Consultation

Those who work most closely with information are the ones who best know why it is needed and how to manage it, so business units must be consulted in IG policy development. The IT department understands its capabilities and technology plans and can best speak to those points. Legal issues must always be deferred to the in-house counsel or legal team. The records management department knows records. Business unit managers and analysts know their respective operations. A cross-functional collaboration is needed for IG policies to hit the mark and be effective. The result is not only more secure information but also better information to base decisions on and closer adherence to regulatory and legal demands.

Information policy development and communication

Clear policies must be established for the access and use of information, and those policies must be communicated regularly and crisply to employees. For instance, policies for the use of email, instant messaging, social media, cloud computing, mobile computing, and posting to blogs and internal sites must be developed in consultation with stakeholders and communicated clearly. This includes conveying clearly to employees what the consequences of violating IG policies are.

Information Integrity

This area considers the consistency of methods used to create, retain, preserve, distribute, and track information. Adhering to good IG practices includes data governance techniques and technologies to ensure quality data. Information integrity means there is the assurance that information is accurate, correct, and authentic.

IG efforts to improve data quality and information integrity include de-duplicating (removing redundant data) and maintaining only unique data to reduce risk, storage costs, and information technology (IT) labor costs while providing accurate, trusted information for decision makers. Supporting technologies must enforce policies to meet legal standards of admissibility and preserve the integrity of information to guard against claims that it has been altered, tampered with, or deleted (called “spoliation”). Audit trails must be kept and monitored to ensure compliance with IG policies to assure information integrity.

Information Organization and Classification

This means standardizing formats, categorizing all information, and semantically linking it to related information. It also means creating a retention and disposition schedule that spells out how long information (e.g., e-mail, e-documents, spreadsheets, reports) and records should be retained and how they are to be disposed of or archived.

Information, and particularly documents, should be classified according to a global or corporate taxonomy that considers the business function and owner of the information, and semantically links related information. Information must be standardized in form and format. Tools such as document labeling can assist in identifying and classifying e-documents. Metadata associated with documents and records must be standardized and kept up-to-date. Good IG means good metadata management and utilizing metadata standards that are appropriate to the organization.

Information Security and Privacy

This means securing information in its three states: at rest, in motion, and in use. It means implementing measures to protect information from damage, theft, or alteration by malicious outsiders and insiders as well as non-malicious (accidental) actions that may compromise information.

For instance, an employee may lose a laptop with confidential information, but if proper IG policies are enforced using security-related information technologies, the information can be secured. This can be done by access control methods, data or document encryption, deploying information rights management software, using remote digital shredding capabilities, and implementing enhanced auditing procedures. Information privacy is closely related to information security and is critical when dealing with personally identifiable information (PII), protected health information (PHI), and other confidential or sensitive information.

Information Accessibility

Accessibility is vital not only in the short term but also over time using long-term digital preservation (LTDP) techniques when appropriate (generally if information is needed for over five years). Accessibility must be balanced with information security concerns.

Information accessibility includes making the information as simple as possible to locate and access, which involves not only the user interface but also enterprise search principles, technologies, and tools. It also includes basic access controls, such as password management, identity and access management, and delivering information to a variety of hardware devices.

Information Control

Document management, data management, and report management software must be deployed to control the access to, creation, updating, and printing of data, documents and reports. When information is declared a business record, it must be assigned to the proper retention and disposition schedule to be retained for as long as the records are needed to comply with legal retention periods and regulatory requirements.

Also, non-record information must be classified and scheduled. And information that may be needed or requested in legal proceedings must be preserved and safeguarded through a legal hold process.

Information Governance Monitoring and Auditing

To ensure that guidelines and policies are being followed and to measure employee compliance levels, information access and use must be monitored. To guard against claims of spoliation, use of e-mail, social media, cloud computing, and report generation should be logged in real time and maintained as an audit record. Technology tools such as document analytics can track how many documents or reports users access and print and how long they spend doing so.

Continuous Improvement

IG programs are not one-time projects but rather ongoing programs that must be reviewed periodically and adjusted to account for gaps or shortcomings as well as changes in the business environment, technology usage, or business strategy.

The Information Governance Maturity Model

The Information Governance Maturity Model classifies organizations into five distinct levels:

  • Substandard

Here an organization is barely considering information governance risks and doesn’t have the most basic of systems and processes in place.

  • In Development

An organization has realized the importance of information governance and is putting a governance program in place, but is still facing substantial risks because of a lack of systems and processes.

  • Essential

Information governance now plays a central role within the organization and meets the minimum regulatory and legal requirements associated with information governance.

  • Proactive

As the name of this level suggests, the organization is proactive in its approach to information governance and not content to merely meet the minimum requirements; it is aiming to continuously improve.

  • Transformational

Meeting requirements has become utterly routine. Information governance has evolved to the point where the focus is not merely on regulation and legal requirements but is now offering a competitive advantage and even improving client service.

Are You Planning to Implement an Enterprise Content Management System?

Understanding Information Governance is vitally important when designing effective Enterprise Content Management systems. Information governance is a holistic approach to managing corporate information by implementing processes, roles, controls and metrics that treat information as a valuable business asset.

The goal of a holistic approach to information governance is to make information assets available to those who need them, while streamlining management, reducing storage costs and ensuring compliance. This, in turn, enables the company to reduce the legal risks associated with unmanaged or inconsistently managed information and be more agile in response to a changing marketplace.

An important goal of IG is to provide employees with data they can trust and easily access while making business decisions.

Author

Shyju K.B., Consultant – Enterprise Software Solutions
A Qualified and Experienced Consultant with over 15 years of proven expertise in implementing Enterprise Content & Business Process Management Solutions.