There has been a great deal of confusion around the term information governance (IG), which is often confused with other similar industry terms, such as information technology (IT) governance and data governance. The definitions put forth at times have compounded the confusion by offering a convoluted definition of IG, or sometimes offering a definition of IG that is just plain incorrect, often confusing it with simple data governance. Let’s clear this up once and for all.
Gartner defines information governance as “the specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”
Whew! Maybe that’s all true but no one can remember it.
Here’s a more straightforward definition: “Information governance is policy-based control of information to meet all legal, regulatory, risk, and business demands.”
That means that information is kept as long as required by regulations and laws, or internal business needs and risk assessments, then it is discarded according to an established retention and disposition schedule (unless it is subject to a legal hold). The information that remains has business value and can be leveraged to create new insights that feed into management decisions.
The IG Initiative defines IG as “… the activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs.” This definition emphasizes finding and exploiting value in information, while keeping costs and risks as low as possible. It is a broad definition but it is sharper than Gartner’s.
Corporate governance is the highest level of governance of an organization and includes the articles of incorporation, bylaws, shareholder agreements, policies and procedures used to manage the relationship of the organization with its stakeholders. A key aspect of corporate governance is IG. IG processes are higher level than the details of IT governance and much higher than data governance, but both data and IT governance can be (and should be) a part of an overall IG program. The IG approach to governance focuses not on detailed IT or data capture and quality processes but rather on controlling the information that is generated by IT and office systems, or their output.
An overall IG program should include IT governance. IT governance is the primary way that stakeholders can ensure that investments in IT create business value and contribute toward meeting business objectives. This strategic alignment of IT with the business is challenging yet essential. IT governance programs go further and aim to elevate IT performance and deliver optimum business value, while meeting regulatory compliance demands.
Although the CIO typically has line responsibility for implementing IT governance, the CEO and board of directors must receive reports and updates to discharge their responsibilities for IT governance and to see that the program is functioning well and providing business benefits.
Typically, in past decades, board members did not get involved in overseeing IT governance. IT was a mystery and spooky art, and they did not want to delve into it only to get shot down by some smart-alec tech whiz. But today it is a critical and unavoidable responsibility and frameworks have been built to manage IT efforts. According to the IT Governance Institute’s Board Briefing on IT Governance, “IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.”
The focus is on the actual software development and maintenance activities of the IT department or function, and IT governance efforts focus on making IT efficient and effective. That means minimizing costs by following proven software development methodologies and best practices, principles of data governance and information quality, and project management best practices while aligning IT efforts with the business objectives of the organization.
Several IT governance frameworks can be used as a guide to implementing an IT governance program. Although frameworks and guidance like CobiT®, ITIL, ValIT®, and ISO 38500 have been widely adopted, there is no absolute standard IT governance framework; the combination that works best for an organization depends on business factors, corporate culture, IT maturity, and staffing capability. The level of implementation of these frameworks will also vary by organization.
A data governance program should be a part of an IT governance program and an overall IG program. Data governance involves processes and controls to ensure that information at the data level—raw alphanumeric characters that the organization is gathering and inputting—is true and accurate, and unique (not redundant). It involves data cleansing (or data scrubbing) to strip out corrupted, inaccurate, or extraneous data and de-duplication, to eliminate redundant occurrences of data.
Organizations may use master data management (MDM) tools and techniques to clean their data and leverage business rules that can prevent inaccurate data from being entered into the database. MDM seeks to standardize the data, and ensure there is one “single version of the truth.” MDM is a quality-control tool and set of processes used to ensure control and consistency of data over time.
Data governance focuses on information quality from the ground up at the lowest or root level, so that subsequent reports, analyses, and conclusions are based on clean, reliable, trusted data (or records) in database tables. Data governance is the most rudimentary level at which to implement information governance. Data governance efforts seek to ensure that formal management controls—systems, processes, and accountable employees who are stewards and custodians of the data—are implemented to govern critical data assets to improve data quality and to avoid negative downstream effects of poor data. The biggest negative consequence of poor or inaccurate data is poorly and inaccurately based decisions.
Data governance is a newer, hybrid quality control discipline that includes elements of data quality, data management, IG policy development, business process improvement, and compliance and risk management.
Summing Up the Differences
IG consists of the overarching policies and processes to optimize and leverage information while keeping it secure and meeting legal and privacy obligations in alignment with stated organizational business objectives. IT governance consists of following established frameworks and best practices to gain the most leverage and benefit out of IT investments and support accomplishment of business objectives.
Data governance consists of the processes, methods, tools, and techniques to ensure that data is of high quality, reliable, and unique (not duplicated), so that downstream uses in reports and databases are more trusted and accurate. Master data management (MDM) tools can assist in this effort.
Once the definitions of these three information-related governance disciplines are clear, their differences become more distinct.