IG Assessment Models: Use the Right Tool for the Job

Last Updated: July 24, 2019By
[glossary_exclude]Tool Time

Organizations are ramping up IG programs in today’s risk and regulatory environment that increasingly emphasize the need to reduce information risks and costs, while maximizing information value. The first principle from The Sedona Conference’s® Commentary on Information Governance articulates this maxim:

  1. Organizations should consider implementing an IG program to make coordinated decisions about information for the benefit of the overall organization that address information-related requirements and manage risks while optimizing value.

Organizations considering or reshaping IG programs may want to consider various approaches to assessing the current state of their IG processes, and the fourth principle states:

  1. The strategic objectives of an organization’s IG program should be based upon a comprehensive assessment of information-related practices, requirements, risks, and opportunities.

There are various “IG Maturity Models” available that can be leveraged in the IG effort, and they are each suited for certain business scenarios. We’ll review some leading approaches.


This model from the Compliance, Governance, and Oversight Council (CGOC), is a broad, encompassing, and detailed tool with a research-based focus that measures IG maturity on 22 IG-related processes.

The IGPMM was developed in 2012, and updated in 2017 to include considerations for cloud computing, cyber-security, and privacy. It is a comprehensive model based on the input of over 3,600 Legal, IT, and RIM professionals, and is applicable to all industries. The IGPMM heavily emphasizes IT, legal, privacy and security processes.

IG Processes are assessed based on four defined levels of maturity. Notably, In the IGPMM, RIM constitutes only one of the 22 processes that are measured for IG program maturity, whereas there are seven IT processes, six Legal/E-discovery processes, and four for Privacy and Security. (This model may have some bias; IBM is a founding sponsor of the CGOC and certainly is positioned mostly in the IT space). This author believes that, based on industry trends and Best Practices, the importance of Privacy and Security roles in IG will continue to increase and are generally of more significance to IG programs than IT everyday processes such as System Provisioning (which is included in the CGOC model). The CGOC Model also includes a Risk Heat Map to help plan the necessary actions to take, and a Process Score Card.


For the assessment of records and information management (RIM) functions within IG programs, the IG Maturity Model from ARMA International, “which is based on the Generally Accepted Recordkeeping Principles®, as well as the extant standards, best practices, and legal/regulatory requirements that surround information governance—is meant to be deployed as a quality improvement tool.” There are eight Principles in the model and assessments are made based on five levels of maturity, from Substandard to Transformational. The Model has not been updated for a decade.


For healthcare specifically, the newer (and less mature) IG Adoption Model™ from AHIMA measures maturity of 10 organizational “competencies” AHIMA states these are tied directly to Merit-based Incentive Payment System (MIPS) performance categories and help organizations improve performance under the Medicare Access and CHIP Reauthorization Act (MACRA). However, the status of this model is in question, as AHIMA recently announced it is pulling back from the IG market. When looking at component IG areas, there are other maturity models to consider. For example, for analytics functions, the HIMSS Analytics Adoption Model for Analytics Maturity (AMAM); for e-health records, the HIMSS Maturity Model for Electronic Medical Record (MMEMR) and the Continuity of Care Maturity Model (CCMM) and also the Electronic Patient Record Maturity Model (EPRMM) for systems that manage all patient information.


It may be helpful to use certain standards to help guide IG program efforts, such ISO 31000 for risk management, ISO 27001/2 for information security, ISO 38500 for IT governance, ISO 22301 for business continuity, ISO 9000 quality guidelines for healthcare, and other standards that may be relevant to the IG program focus.


Once an IG program is in place, its effectiveness needs to be assessed periodically, every 12-24 months. This follows the 11th Sedona Principle:

  1. An organization should periodically review and update its IG program to ensure that it continues to meet the organization’s needs as they evolve.

IG program assessments can utilize several tools, and using the right tool(s) for the job is key to success.[/glossary_exclude]


recent posts

About the Author: Robert Smallwood

Robert F. Smallwood, MBA, CIP, IGP, is a thought leader in Information Governance, having published seven books on IG topics, including the world's first IG textbook which is being used in many graduate university programs as well as to guide corporate IG training programs.