What is Information Governance & How to Get Started
The explosive growth of information is our era’s most significant defining characteristic. In this Age of Information, the amount of data, the uses for that data, the number of data sources, and the routes it travels all grow at exponential rates. The growth creates new industries for defining, collecting, accessing, processing, and curating information.
In such an environment, everybody recognizes the essence of information governance, but how to undertake this massive task is harder to grasp.
Today’s organizations experience explosive growth in the volume and variety of the data they collect, process, and store. Unfortunately, many do not understand the types of data they handle and what value it has. Which means they cannot use or maintain it properly. As a result, they fail to achieve the success level they would have if they kept proper management over the data.
Organizations can also suffer serious financial, legal, and reputational consequences over poor data management. Information governance helps to avoid a similar fate.
So, what is Information Governance (IG) and what role does it play in today’s business environment? This guide sheds some light on IG – an emerging data management area that focuses on business processes and compliance.
What is Information Governance (IG)?
IG refers to a strategic approach to maximize the value of data and mitigate the risks associated with the creation, use, and sharing of enterprise information. It recognizes the information as an organizational asset that requires high-level oversight and coordination to ensure accountability, protection, integrity, and appropriate preservation of enterprise information.
IG aims to break down silos and avoid any fragmentation in information management, which ensures that it remains trustworthy and that organizations experience ROI in the processes, technology, and people they use to manage information.
Information governance has many formal definitions, but Gartner’s is the most widely accepted. It defines IG as an accountability framework that ensures appropriate behavior in the creation, valuation, use, archiving, deletion, and storage of information. It includes the standards and metrics, roles and policies, and the processes required to ensure effective and efficient information use and enable organizations to achieve their goals.
IG processes help manage the use of information records, such as customer information, employee records, medical records, and intellectual property. Your company’s IG professionals should work with your leadership and any other stakeholders in the creation of policies that specify how your employees should handle all corporate information assets.
The critical goals of Information governance include the following:
- Understanding and promoting the value of data assets
- Effectively resolving any data related issues and creating processes that prevent future occurrences
- Enforcing conformance to standards and policies relating to information governance
- Defining and approving data strategies, standards, policies, and associated metrics and procedures
- Communicating data policies clearly with the relevant people
- Sponsoring, tracking, and overseeing the delivery of data management projects
Information Governance Frameworks
To help you clearly define information governance goals and processes, you can develop frameworks to outline your organization’s approach formally. The framework outlines and answers who, what, where, when, how, and why questions.
You should tailor your framework to fit your organization’s unique needs, but it should define the areas discussed below:
1. Scope: It establishes the extent of your information governance program including a clear outline of its overall goals, the types of data that the program will manage, and what staff members will help achieve these goals.
2. Policies and Procedures: The framework defines the overall corporate policies and procedures that are relevant to the IG program as a whole. It includes data security, retention and disposal schedules, records management, information sharing policies, and privacy.
3. Roles and Responsibilities: The framework should define the information governance program’s essential functions, including what IG responsibilities specific departments and employees will have as part of its integration and implementation.
4. Internal and External Data Management: An IG framework defines how the organization and its employees manage specific data. Relevant sections include legal and regulatory compliance, management of personal information, acceptable content types, how information is shared, and how data is stored and archived.
It is also vital to establish how organizations operate and share information with their partners, stakeholders, and suppliers. Your framework should define the policies and procedures established for sharing information with third parties, how the information governance process influences contractual obligations and how you will determine whether your partners and third parties meet your IG goals.
What more, your framework should clearly outline procedures in the event of data breaches, including how to report violations and information losses, disaster recovery processes, incident management specifics, business continuity strategies, and how you will audit these disaster recovery and business continuity processes.
Finally, your framework should outline your process of continuous monitoring. Include plans for quality assurance of IG processes such as how you will monitor information access, measure regulatory compliance adherence, conduct risk assessments, maintain adequate security, and review the IG program as a whole.
Information Governance vs. Data Governance
Many people, and organizations, consider IG and data governance as the same thing. Although both are essential for companies to achieve their business objectives, and despite some overlap between them, they are not identical.
Information governance gets organizations business value from their data assets. It’s the technologies and activities that organizations employ to maximize their information value while minimizing associated costs and risks.
On the other hand, data governance refers to the control of information at business-unit levels to ensure it is accurate and reliable. Its programs involve procedures to manage data usability, availability, integrity, and security.
In short, data governance keeps garbage from getting in, while IG refers to the decisions you make in using data.
Here are some examples of the types of activities involved in both areas to help illustrate the differences.
- Data governance activities include the management of metadata, data operations, data management, data architecture, data quality, and master data.
- IG, on the other hand, concerns itself with an organization’s data lifecycle management. It includes activities and processes such as personal information exchange, regulatory compliance audits, records, retention schedule, e-discovery, and data privacy protection.
Data governance is the responsibility of IT, but IG has a broader scope. You can use IG to meet business and compliance needs concerning the use and retention of data, which makes it a strategic discipline that plays a significant part in your corporate governance.
Applying IG and data governance together can result in information management practices that help you deliver higher business value.
Why is Information Governance Important?
Information is a vital resource in any organization or business. Without it, business operations are not possible. Accordingly, companies make investments in processes, technology, and people to ensure that information can support the enterprise.
Due to the significant investments associated with the creation, use, protection, and sharing of information, organizations view it as a type of business asset, not unlike the equipment, buildings, and financial resources needed to run the business.
Oversight and stewardship of resources or assets is the primary aim of any business governance. What’s more, just like any other asset, the information requires management to ensure that you address its value and associated risks responsibly.
Information governance provides businesses with a disciplined approach to managing the risks and value associated with information.
Since IG is still an emerging field, numerous questions exist around its role in business processes. However, a properly implemented IG program allows organizations to do the following:
- Support business needs, priorities, and strategic objectives, which vary based on things like organization culture, available resources, and the level of stakeholder engagement
- Avoid data breaches
- Achieve regulatory compliance and reduce associated risks such as penalties
- Improve data analytics capabilities
- Improve the ROI in enterprise business intelligence
- Build control over outsourced IT and proliferating systems
- Increase employee awareness about key information policies
- Reduce the costs of information storage and eDiscovery (document discovery technology)
For example, due to the challenges that the healthcare industry is currently facing, with relation to changes in care, payment models, requirements to partner with to others, new customer expectations, technology, and increased regulation, information governance is now more critical than ever. It is the best way for healthcare and related organizations to ensure that their information is reliable and that they can trust it to meet all their diverse needs.
IG allows you to make decisions driven by the needs of your organization and not technology. It also eliminates accidental decision-makers (people who happen to possess data at a particular point during its cycle) because they tend to make decisions independently of other stakeholder needs.
How to Get Started
To identify the best place to start your IG initiative, you need to figure out a way to support your organization’s strategic efforts with reliable information and data.
Organizations usually have a mission and vision that guides them along as they conduct business and develop strategies to help achieve their goals. Thus, taking a careful look at those business strategies and goals can give you a strong hint about where and how to start your IG initiative.
Since you cannot achieve any organizational goal without useful information, the best place to start your IG initiative is identifying a problem (pain point) with information that requires addressing, or even a business opportunity that reduces costs and enhances revenue.
Such strategic alignment means that you should put your IG needs as part of a broader strategy that will help achieve your organizational goals. Your goals can be extensive and varied, such as better management of space (real estate), expanding service offerings through the acquisition and integration of other businesses, creating new customer service protocols, or reducing your costs.
Since IG is a set requirement of responsibility and rights to allow the suitable function of various information aspects, the provision of decision rights determines data ownership and who has the right to make decisions about it.
Therefore, by defining owners and decision-makers, you can assign responsibility and accountability to data decisions, which is probably an essential concept to implement when creating your IG policy. Accountability is vital since as data dependence grows, you can make business decisions by default, usually by selecting the easiest path and often in isolation from other considerations.
Key Information Governance Areas
You should consider the following key areas when creating your information governance policy:
Usage policy: You can contain a lot of security risk using a well-defined usage policy that specifically details who can access data and under what circumstances.
Accountability: You should create a position such as Chief Data Officer or dedicate a department to the creation of standard policies to ensure that someone in your organization is responsible for data-handling policies.
Records Management: Large organizations could store up to 10 petabytes of information annually, which is costly. Using IG, you could save on storage costs by identifying and storing data that has value. According to Compliance, Governance, and Oversight Council’s (CGOC) resource guide, 69 percent of retained enterprise data is “debris” and does not have any business, legal, or regulatory value.
Compliance: Laws, business needs, and regulations govern how you keep your information. After that, you should discard it as per an established lifecycle schedule base on legal, regulatory, and business requirements.
Education: As with all other company policies, the training of your employees, partners, and vendors about your IG program competes the circle.
Technology: A complete IG can also address IT governance. It can provide IT specialists with policies such as the creation of storage hierarchies or obtaining appropriately scaled access schemes.
Benefits of Information Governance
- Safer and secure data. An effective IG policy allows you to create rules, standards, regulations, and responsibilities geared towards keeping data safe and secure.
- IG increases productivity because it facilitates collaboration through intelligence information sharing.
- Reduced costs. A clear IG policy allows your organization to save money because it becomes more discerning of what data you store, in what media you store it, and for how long. It also reduces wasteful duplication of effort.
- Efficient data access. IG allows you to access usable and meaningful data easily because it is classified, secured, and supported by clear policies.
- Risk management. Information policies that classify data allow you to scale risk as per the data types, which focuses on high security where it is required.
- Business intelligence. Efficient and easy access to trending and historical data allows developers and marketers to make better-informed decisions.
- Lifecycles efficiencies. IG removes data silos, which means you can gain more value from your data at every point in its lifecycle.
- Regulatory Compliance. Without well-classified and easily accessible data, the process of gathering data for regulatory requirements becomes a nightmare.
- IG dramatically reduces the costs of litigation and discovery. It enables fast and thorough e-Discovery because it allows easy identification and access to only the appropriate information.
- IG increases business agility due to improved decision-making processes. It outlines how the organization will avail information to business users, which reduces compartmentalization and bureaucracies.
- Shortened sales cycles increase profitability.
- Helps companies provide better customer service. IG has set the standard for how you organize, categorize and access information.
- IG improves employee productivity by providing as few versions of pieces of information or a document as possible, making information easy to store and access.
Information Governance Laws and Regulations
As corporate data volumes grow and technological innovations continually expand business capabilities, regulations that put strict laws and mandates on the IG process have become the norm. This is true for data security and privacy since personally identifiable information (PIN) has recently become a massive target for nefarious online actors and hackers.
Privacy laws have started expanding globally, creating new information security governance obligations. Many industries have become subject to regulations requiring the retention of electronic communications and records for a minimum period. These regulations include directives from federal agencies such as the Department of Justice and Environmental Protection Agency or the Securities and Exchange Commission.
Regulatory reporting requirements also mandate organizations to provide a detailed annual account of compliance. A sound business records management process provides evidence to demonstrate compliance.
What’s more, compliance rules such as the Foreign Corrupt Practices Act, require organizations to attest the authenticity of their IG programs and records.
There exist numerous industry and government requirements related to data security, records management, and data retention that can affect your IG strategy. Below are some of the essential laws that all organizations operating in the US need to know.
- Sarbanes-Oxley Act of 2002 (SOX): It’s a critical regulation that applies to all public companies. SOX standardizes record management practices without exception. It requires the implementation of controls over risk mitigation process and corporate financial records. It also stipulates that companies must keep business records for at least five years.
- Health Insurance Portability and Accountability Act (HIPAA): It applies to healthcare providers as well as health information organizations and other covered business associate and entities that store, manage, and transmit protected health information.
- The Federal Records Act (44 USC 31) and related statutes: Require federal agencies to create complete records that document all their activities. They should also file records for safe storage practices, efficient retrieval, and proper disposal.
- The Gramm-Leach-Bliley Act (GLBA): It requires financial institutions to protect their customers’ nonpublic personal information. They must store financial records securely until when they are no longer needed, then they must destroy them to ensure that nobody can access them.
- Foreign Account Tax Compliance Act (FATCA)
- Payment Card Industry Data Security Standard (PCI-DSS)
- Federal Rules of Civil Procedure
Measuring Information Governance Progress
Assessment tools such as the IG Maturity Model and the IG Reference Model help companies measure the progress of their information governance progress. The IG Reference Model provides corporations, industry associations, analyst firms, and other interested parties a tool that allows them to communicate to and with stakeholders concerning processes, practices, and responsibilities of their IG program.
On the other hand, the IG Maturity Model is based on ARMA’s eight Generally Accepted Recordkeeping Principles. The maturity model defines the characteristics of various recordkeeping program levels that range from substandard to transformational IG. The goal of organizations is to reach the top transformational level where IG strategies are integrated into the overall corporate infrastructure or business processes to help boost cost containment, client services, and competitive advantage.
IG is a set requirement of responsibility and rights to allow the suitable function of various aspects of information that include creation, valuation, use, storage, deletion, and archiving. To use data effectively, IG includes policies, purposes, processes, and standards that help organizations achieve their goals.
Information governance brings organizations significant benefit and value, especially as their data collection and stores grow and regulatory oversight increases. The development and implementation of a sound IG strategy help organizations ensure data availability, control costs, mitigate cyber risks, and meet regulatory challenges. Get started today before your organization suffers a security breach, faces a lawsuit, fails an audit, or suffers reputational damage.
Veritas customers include 98% of the Fortune 100, and NetBackup™ is the #1 choice for enterprises looking to backup large amounts of data.
Learn how Veritas keeps your data fully protected across virtual, physical, cloud and legacy workloads with Data Protection Services for Enterprise Businesses.
Also recommended for you:
Need an enterprise-level data protection plan for your organization? We can help.