Information governance (IG) provides a unified strategic framework for the control, security, optimization and effective use of information.
This article outlines how an overarching IG framework enables alignment of policies, procedures, people and technologies.
When information is effectively governed, data will be optimized and associated risks and costs minimized.
Data and information are increasingly becoming the lifeblood of organizations. However, the exponential amounts of data being collected by companies and government alike, together with the risks and costs of holding and securing this information, have created a new set of issues for those responsible for organizational governance.
A healthy circulatory system increases overall health and improves our ability to function. Likewise, the optimal use of data and information will improve the effectiveness of an organization. This article explains why identifying and coordinating the areas, people and technologies responsible for keeping the lifeblood of your organization in good health is key to effective information governance (IG).
IG provides a unified strategic framework for the control, security, optimization and effective use of information. It is an essential part of good corporate governance, assisting organizations to maximize the value of information while minimizing risks and costs by providing a mechanism to align policies and processes, people and technologies across an organization.
The IG diagram below shows different areas and activities within an organization responsible for the security, control, optimization and risk management of data and information. There may be more or fewer areas according to the type and size of the organization. The key to implementing an effective information governance framework is to first identify all the areas and professionals responsible to ensure the areas are aligned and can collaborate to deliver on organizational objectives. With this in place, policies and processes also need to be aligned across the organization in accordance with overarching organizational strategic goals.
With a strong IG framework in place, IG projects can then be prioritized within the purview of the senior executive with overall responsibility for information governance and/or the IG steering committee with the involvement of appropriate cross-function professionals. Projects involving data and technology are planned and executed addressing the needs of business users, technology and cybersecurity, legal/privacy regulatory compliance, lifecycle management, records compliance and long-term preservation.
The InfoGovANZ Elements of Information Governance diagram depicts the alignment and coordination required between different IG areas and activities. This visualization, which can be adjusted as necessary to align with the areas within your organization, provides a clearer understanding of how an overarching IG Framework enables alignment of policies, procedures, people and technologies.
Each area of IG is like an organ in the body of the organization — each with its purpose, and together they combine to form the life-supporting systems which carry out the organization’s vital functions. Just like the body, the functions of these essential systems overlap, interact and rely on each other to support life. Understanding the interrelationships and dependencies of the system as a whole:
Provides a useful framework for implementing a cohesive and comprehensive IG framework
Helps to prioritize and guide projects that link to information governance
Makes it easy to recognize and adapt to technology trends and best practice IG
Ensures organizations have a strong IG framework that protects them, their employees and the customers they serve.
Organizations often focus on only a few elements or areas of the information quagmire. Optimizing data through technology and data analytics to deliver value and returns directly to the bottom line is a common driver because of the financial benefits. Investment in enhanced cybersecurity to prevent cyberattacks and data breaches has also increased over recent years due to mandatory notification regulatory requirements and more visible cyber-threats.
However, more than a third of data breaches are caused by human error rather than a technology-based exploit. When phishing attacks are included, about half of data breaches can be attributed to human error. These breaches are entirely preventable but remain a significant risk to organizations. Privacy-by-design, security-by-design and privacy impact assessments (PIAs) are core to the best practice of managing personal information. Effective IG can assist organizations to ensure that personal information breach risks, which can be as life threatening to an organization as hemorrhage is to us, are identified and resolved.
Getting to know the information governance elements
The Elements of Information Governance diagram is a tool for organizations to use when establishing information governance for the first time or to ensure all aspects of information governance have been included in an existing information governance framework.
Information Governance (IG) is front and center and is represented by a digital pine cone, ‘the third eye’ (1). In IG, the pine cone analogy is fitting as it represents the center or navigation starting point of all activities. It demonstrates how a robust IG framework provides the structure and mechanism to enable insights and effective guidance and control.
Six icons surround the IG center — here’s what they represent concerning information governance:
The People icon highlights that effective IG is impossible without the involvement of the right people. It is situated in the upper left position of center next to elements that demonstrate the important role people play in an organization, both internally and externally. Internally, the people represent the collaboration across organizational silos and the effective innovation with security by design and privacy by design, and importantly the protection and security of information by employees. Externally, people in an organization must protect consumers’ and privacy by ensuring compliance with privacy regulations, act in a socially responsible way and adhere to the ethical use of data.
The Lightbulb icon is located above the IG center just under the top line connection of elements. It denotes new, innovative and impactful and technologies.
The Dollar Sign icon is in the upper right position from the IG center, parallel to the people icon. It is close to those elements that identify from data optimization (i.e., data analytics), as well as controlling and minimizing costs by reducing risks.
The Cog/Gear icon is at the lower right of the IG center near those elements that are largely procedural functions. This icon represents workings and processes of the organization, meaning the data and information being used across the organization and the need for collaboration and alignment with strategic organizational goals.
The House icon is directly under the IG center and atop the bottom-line connection of elements. The house icon serves as a reminder that requires a top-down strategic approach built on a strong foundation of clear policies and procedures.
The Lock icon is in the lower-left position of the IG center, parallel to the cog/gear icon. Its protective function symbolizes the importance of data and information.
The elements link to the icons and the IG center in a continuous chain. All of the elements must combine and connect to provide an effective information governance system. This requires the interaction and collaboration of relevant professionals for an organization to have a complete information governance framework.
The elements on the top and middle rows to the left reflect people-focused activities, while those to the right are data-focused activities. The elements on the bottom row are information-focused and reflect foundation services.
Cybersecurity & Info Security — cybersecurity focuses on the perimeter, while information security secures the information within the system
AI & Ethics — implementing artificial intelligence through an ethical-based process based on a data impact assessment
Data Analytics & Infonomics — deriving the value of information from data analytics
Business Intelligence — the hardware, software, staffing and strategy used to glean intelligence from data
Legal & eDiscovery — the identification and retrieval of documents for litigation and ensuring such documents can be readily identified and produced to reduce costs; incorporating the use of AI in eDiscovery
Privacy & Data Protection — privacy by design and robust privacy policies as part of the overall governance framework
Data Governance — controlling data at the data level and ensuring integrity through appropriate systems and processes
Risk & Compliance — a coordinated strategy for managing the organization’s risk and corporate compliance concerning regulatory requirements
Content Services — preserving and protecting content; information access, sharing and collaboration
Information & Records Management — how information is being managed and the activities to systematically control the creation, distribution, use, maintenance and disposition of information
Information Lifecycle Management — best practices for managing data and information throughout its lifecycle
Archiving & Long-term Digital Preservation — storing information in ways that can be readily retrieved many years into the future
Summary of Elements
Taken together, all the icons and elements represent the different interlocking areas and activities that deal with data and information in organizations.
A systematic approach to information governance begins with an Information Governance Framework that encompasses policies, procedures, people and technology. This includes:
Identifying all the areas and technologies within your organization — that is, the IG Elements in your organization;
Putting strategic objectives and priorities in place for managing, controlling and securing the data and information your organization collects, uses and stores;
Implementing measures to protect the organization’s intellectual property;
Complying with regulatory and legal obligations, including record-keeping obligations and, in particular, changing privacy regulations;
Optimizing the value of information to support the organization’s objectives while managing risks and costs, such as those associated with a data breach and eDiscovery.
The key to ensuring the effectiveness of information governance is top-down board and senior executive leadership that supports robust policies and procedures that are aligned across the organization and with overarching organizational goals, which deliver value to the organization. Top-down board leadership setting the overall IG framework is the ‘brain’, leading a data-driven organization with an ethical and privacy culture.
The senior executive with overall responsibility for information governance and/or the IG steering committee are the organizational ‘third-eye’. They set IG project priorities, provide guidance and encourage cross-functional collaboration, oversee implementation and review outcomes. Policies, processes, technologies and people all work together to enable efficient data flow including optimization, regulatory compliance and appropriate data and information disposal. When information is effectively governed with data optimized and associated risks and costs minimized, then the overall performance of the business will increase — delivering the benefits of a healthy data and information circulatory system.
This article was previously published in the February 2020 issue of Governance Directions and is reprinted with permission.
The views expressed therein are those of the author and not of Governance Institute of Australia. All views and opinions are provided as general commentary only and should not be relied upon in place of specific accounting, legal or other professional advice.
SUSAN BENNETT is a leading Information Governance expert and an international privacy lawyer, based in Sydney, Australia. She established her own business seven years ago, Sibenco Legal & Advisory, and subsequently Information Governance ANZ. Prior to this, Susan spent over 20 years specializing in large-scale commercial litigation, inquiries, and royal commissions. Susan holds a Master of Law and a Master of Business Administration, and is a Certified Information Privacy Professional (CIPP/E). She is also Chair of the Sedona WG6 APAC Committee and a Fellow of the Governance Institute of Australia.