As the discipline or field of Information Governance starts to take shape, it is natural that different stakeholders will apply their own interpretation and emphasis to an IG programme. This brings the risk that it does not follow a holistic approach, and different elements of governance end up in conflict. This article positions the components that should be included in an enterprise approach to Information Governance. Please note that this is not in any specific sequence, and it must be stressed that all of the various aspects considered should be given equal emphasis.
At its core, Information Governance is an integral part of Corporate Governance, so this is a natural starting point. IG structures and frameworks must fit tightly with any corporate governance requirements. In particular, careful consideration should be given to Sarbanes Oxley, King III or other industry- or country-specific requirements.
I hesitate to place this second on the list, as that draws a natural inference as to its importance. ITIL, CobiT, ISO 12207 and ISO 15288 are well established and could be key instruments for IT Governance. The challenge is to implement IT Governance, and link it to the other governance elements discussed below, without the emphasis being purely on IT.
e-discovery and retention management
Obviously a critical component of Information Governance, e-discovery initiatives cannot be conducted in isolation of records management, IT Governance or any of the other factors discussed here. The emphasis in this case is that IG cannot be a legal initiative alone, and needs to partners with a number of other stakeholders.
There is a great deal of focus on records management at the moment, and ARMA have developed their Generally Accepted Record Keeping Principles (GARP) model, known as “the principles”. Whilst this has much merit, and an Information Governance Professional certification has been developed in accordance with GARP, we should caution against thinking that Information Governance belongs purely in the Records management domain. The GARP model has a structure that can be applied across all aspects of Information Governance, but the records management team shouldn’t be applying GARP and ignoring the other focus areas.
Safety, Health, Risk, Environment and Quality often get bundled together, and they form a natural group of disciplines. The information Governance programme needs to span all of these, and make sure that the unique requirements of each are included in the governance framework. I place specific emphasis on Risk and Quality, as these get special mention in Corporate Governance requirements. ISO 9001 and 31000 (Risk management), with its supporting standards are a natural starting point and tend to be well established and understood in the corporate environment. Information Security ISO 27001 has been in place for a number of years now and is well known and implemented as an Information Security standard.
is one of the cornerstones of governance, and is specifically highlighted in King III as a key element of sound Corporate Governance. Regardless of whether the information concerned is in paper, electronic or other format, or the particular information is in data or document form (structured or unstructured), the information security framework needs to apply. Privacy (Data protection) The legislative environment around privacy is becoming robust internationally (The European Union Data Protection Directive, and the Safe harbour principles spring to mind), and the IG framework has to ensure that information gathered about individuals is correctly maintained and protected. In some quarters this is seen as conflicting with Access to Information Legislation, so both poles need to be considered and built into governance rules.
Master data management
This could be seen as an element of IT Governance, but it warrants special mention. Development of data models and metadata schemas are fundamental to being able to meet some of the requirements already mentioned. Any data gathered needs to be managed so that it doesn’t conflict with any of the other requirements.
This article provides a very basic summary of the factors which need to be considered when putting a holistic Information Governance framework together. It cannot be stressed strongly enough that each of the parts described above obviously have merit in their own right. Developing a more complete framework as outlined here, ensures that all parts are aligned, and the potential for conflict amongst them is reduced.