As the discipline or field of Information Governance starts to take shape, it is natural that different stakeholders will apply their own interpretation and emphasis to an IG programme. This brings the risk that it does not follow a holistic approach, and different elements of governance end up in conflict. This article positions the components that should be included in an enterprise approach to Information Governance. Please note that this is not in any specific sequence, and it must be stressed that all of the various aspects considered should be given equal emphasis.
At its core, Information Governance is an integral part of Corporate Governance, so this is a natural starting point. IG structures and frameworks must fit tightly with any corporate governance requirements. In particular, careful consideration should be given to Sarbanes-Oxley, King III or other industry- or country-specific requirements.
I hesitate to place this second on the list, as that draws a natural inference as to its importance. ITIL, CobiT, ISO 12207 and ISO 15288 are well established and could be key instruments for IT Governance. The challenge is to implement IT Governance, and link it to the other governance elements discussed below, without the emphasis being purely on IT.
Obviously a critical component of Information Governance, e-discovery initiatives cannot be conducted in isolation from records management, IT Governance or any of the other factors discussed here. The emphasis in this case is that IG cannot be a legal initiative alone, and needs to partner with a number of other stakeholders.
There is a great deal of focus on records management at the moment, and ARMA have developed their Generally Accepted Record Keeping Principles (GARP) model, known as “the principles”. Whilst this has much merit, and an Information Governance Professional certification has been developed in accordance with GARP, we should caution against thinking that Information Governance belongs purely in the records management domain. The GARP model has a structure that can be applied across all aspects of Information Governance, but the records management team shouldn’t be applying GARP and ignoring the other focus areas.
Safety, Health, Risk, Environment and Quality often get bundled together, and they form a natural group of disciplines. The Information Governance programme needs to span all of these, and make sure that the unique requirements of each are included in the governance framework. I place specific emphasis on Risk and Quality, as these get special mention in Corporate Governance requirements. ISO 9001 and ISO 31000 (Risk management), with their supporting standards, are a natural starting point and tend to be well established and understood in the corporate environment. Information Security ISO 27001 has been in place for a number of years now and is well known and implemented as an Information Security standard.
Information security is one of the cornerstones of governance, and is specifically highlighted in King III as a key element of sound Corporate Governance. Regardless of whether the information concerned is in paper, electronic or other format, or whether it is in data or document form (structured or unstructured), the information security framework needs to apply.
Privacy (Data protection)
The legislative environment around privacy is becoming robust internationally (the European Union Data Protection Directive and the Safe Harbour principles spring to mind), and the IG framework has to ensure that information gathered about individuals is correctly maintained and protected. In some quarters this is seen as conflicting with Access to Information legislation, so both poles need to be considered and built into governance rules.
This could be seen as an element of IT Governance, but it warrants special mention. The development of data models and metadata schemas is fundamental to being able to meet some of the requirements already mentioned. Any data gathered needs to be managed so that it doesn’t conflict with any of the other requirements.
This article provides a very basic summary of the factors which need to be considered when putting a holistic Information Governance framework together. It cannot be stressed strongly enough that each of the parts described above has merit in its own right. Developing a more complete framework as outlined here ensures that all parts are aligned, and the potential for conflict amongst them is reduced.
As with any emerging discipline, there will always be the potential for projects to falter, or to start off in one direction, and end up producing something completely different than initially intended. This is the first in a series of articles which provides guidance regarding things to look out for, and some steps to reduce the possibility of the information governance programme fizzling out.
This may sound so self-evident that it doesn’t warrant mentioning, but if this isn’t clearly thought out, the project will quickly lose direction, and will fail to gain the necessary traction. Due to the emergent nature of information governance, it means different things to different stakeholders. IT for example could immediately interpret it to mean IT Governance, or Big Data. The records management team may well think it is all about the Generally Accepted Record Keeping Principles. To the legal practitioners it most likely translates to e-discovery or meeting Privacy requirements. And they could all be right, so firstly understand what the key business problem is that needs fixing, and focus on that.
Governance in any form is often seen as a grudge purchase, a necessary evil. An important part of the process is to make sure that information governance delivers some form of business benefit. Regardless of whether the benefit to your specific organisation lies in cost saving, reputation management, risk reduction, litigation management, reduced e-discovery costs or better customer service, understanding the benefits is critical if the rest of the leadership team is to buy in. Information Governance could deliver all (or none) of these, and just how seriously the initiative is taken depends on how closely it is aligned to the goals of the organisation.
Strangely enough, governance comes with a cost attached. Gathering the necessary financial and human resources to make it happen is reliant on the executives buying in to the process. It is my experience that executives only buy in when they fully understand the exercise, and they clearly see how it can benefit their sphere of operation. If the time is taken in step 2 to align IG to the key issues facing the organisation, then buy-in becomes much easier. Because this industry is in its early stages, the onus lies on us to make sure that we clearly understand the benefits, so that we can formulate a coherent business argument for moving forward.
Information Governance touches on almost all aspects of organisations; hence it leads to people needing to conduct business in new ways. With new approaches comes the need for a sound change management plan. Regardless of whether your approach is one of “comply or else” or adopting a more gentle, encouraging attitude, staff need to be brought along for the journey. The end result must be one where all affected staff adopt and comply with the new governance regime, and ideally they should see the benefits, not only for the organisation as a whole, but also how it affects their daily tasks.
Of course there are more things to consider, but ignoring these key issues could spell the death of true Information Governance in your workplace, and open up the potential for significant risk. Paying close attention to these four steps, as early as possible in the process, should stand you in good stead as you embark on this exciting journey.