"Information governance is red hot right now..." states Forrester's Cheryl McKinnon. But many are still confused about the definition of information governance (IG).
Adding
to that confusion are several book titles that have swapped the more
established and staid "data governance" term with the new, sexier
"information governance" moniker - but when you take a look at their
Table of Contents you will see the books are all about data governance, which is a small subset of IG. There is only one book out there that covers "true IG" from A-Z and it is the one published last year by Wiley & Sons (full disclosure: I researched and authored the book in collaboration with nine subject matter experts).
Data
governance deals with maintaining clean, non-duplicate, structured data
(databases). Structured data is typically about 10% of the total amount
of information stored in an organization, and unstructured (or
semi-structured, if some metadata is attached) information is everything
else. It is the roughly 90% of information (a/k/a content) that
organizations struggle to manage, which includes email messages, word
processing documents, PDF documents, presentation slides, spreadsheets,
scanned images, and the like.
There are multiple definitions of IG out there. Our firm's definition is:
"Policy-based control of information to maximize value and meet legal, regulatory, risk, and business demands."
Or, in short:
"Security, control, and optimization of information."
Forrester's newly-minted definition is:
"A
holistic strategy for using and managing information to meet business
objectives. IG assures the quality of content and data, maximizes its
value, and ensures that security, privacy, and life-cycle requirements
are met."
Sure, it covers the bases, but how is an executive going to grasp that? Too wordy for an elevator pitch.
Gartner defines IG as:
"The
specification of decision rights and an accountability framework to
ensure appropriate behavior in the valuation, creation, storage, use,
archiving and deletion of information. It includes the processes, roles
and policies, standards and metrics that ensure the effective and
efficient use of information in enabling an organization to achieve its
goals."
Whew! Even worse. That's a mouthful. Maybe that’s
all true but no one can remember it. So it is not a very helpful
definition. Sounds like it was drafted by a committee.
Here's a better definition from the IG Initiative, in their 2014 Annual Report on IG, which states that IG is:
"The
activities and technologies that organizations employ to maximize the
value of their information while minimizing associated risks and costs."
This
definition is more clear and emphasizes finding and exploiting value in
information, while keeping costs and risks as low as possible. It is a
broad definition but sharper than Gartner’s or Forrester's.
What all the definitions are getting at is what it means to govern information,
as opposed to allowing it to spiral out of control. We have seen the
consequences of this, with IG failures that were revealed when major
corporations like Anthem Health and Sony Pictures were breached. These companies obviously did not know where all their
protected health information (PHI), personally identifiable information
(PII), and confidential e-documents were located. They - and most major
corporations - do not have a current data map of where different types
of information are stored and have difficulty finding all instances of
it. They leave this sensitive information out there floating around on
their servers unsecured, unencrypted. The consequences only become clear
after a major breach: thousands of customers and employees have been
dragged into a "life long battle" to control their personal information.
Let's
face it: perimeter security is easily breached. So sensitive
information must be identified, secured, tracked, and controlled. That
means an IG program must be in place.
Enforcing IG policy means
that information is identified (mapped) and classified and if necessary,
protected with technologies like encryption or information rights
management (IRM). IG also means that vital records - those which the
business absolutely must have to continue operations - are identified
and safeguarded. Practicing good IG also means managing the information
lifecycle: that information is kept as long as required by regulations
and laws, or internal business needs and risk assessments, and then it
is discarded according to an established retention and disposition
schedule (unless it is subject to a legal hold). The information that
remains is higher-value to the business and can be leveraged to create
new insights that feed into management decisions. This can provide a
strategic advantage.
Corporate governance is the highest level of
governance of an organization and includes the articles of
incorporation, bylaws, shareholder agreements, policies and procedures
used to manage the relationship of the organization with its
stakeholders. A key aspect of corporate governance is IG. IG processes
are higher level than the details of data governance, but data
governance can and should be a part of an overall IG program.
The
IG approach to governance focuses not on detailed IT processes and
controls or data capture and quality processes but rather on controlling the information that is generated by IT and office systems, or their output.
To Be Clear: What is Data Governance?
A
data governance program should be a part of an information technology
(IT) governance program and an overall IG program. Data governance
involves processes and controls to ensure that information at the data level—raw
alphanumeric characters that the organization is gathering and
inputting—is true and accurate, and unique (not redundant). It involves data cleansing (or data scrubbing) to strip out corrupted, inaccurate, or extraneous data and de-duplication, to eliminate redundant occurrences of data.
Organizations
often deploy master data management (MDM) tools and techniques to clean
their data and leverage business rules that can prevent inaccurate data
from being entered into a database. MDM seeks to normalize and
standardize the data and ensure there is one "single version of the
truth." MDM is a quality control tool and set of processes used to
ensure control and consistency of data over time.
Data governance focuses on data quality
from the ground up at the lowest or root level, so that subsequent
reports, analyses, and conclusions are based on clean, reliable, trusted
data in database tables. Data governance is the most rudimentary level
at which to implement IG. Data governance efforts seek to ensure that
formal management controls—systems, processes, and accountable employees
who are stewards and custodians of the data—are implemented to govern
critical data assets to improve data quality and to avoid negative
downstream effects of poor data. The biggest negative consequence of
poor or inaccurate data is poorly and inaccurately based decisions.
Summing Up the Differences
IG
consists of the overarching policies and processes to optimize and
leverage information while keeping it secure and meeting legal and
privacy obligations in alignment with stated organizational business
objectives.
Data governance consists of the processes, methods,
tools, and techniques to ensure that data is of high quality, reliable,
and unique (not duplicated), so that downstream uses in reports and
databases are more trusted and accurate. Master data management (MDM)
tools can assist in this effort.
Once the definitions of these two
information-related governance disciplines are clear, their differences
become more distinct. Data governance is done every day in
organizations. It is a focused, small part of IG, aimed at data quality
in databases, that 10% of information that must be managed. Information
governance, on the other hand, is centered around controlling the other
90% of information and is much broader and high level.
IG is a
new, maturing discipline that most organizations have not yet begun to
tackle due to its complexity and cross-functional nature. It involves
privacy, security, legal, IT, risk, and records management functions. It
must be driven from the top down by a strong executive sponsor, and IG
programs are often aimed at reducing legal costs and information risk.
These are big targets. But the payoff can be huge, not only in cost
reduction but in reducing reputational risk.
Just ask Anthem or Sony Pictures.
Robert Smallwood is Managing Director of the Institute for IG at IMERGE Consulting, and the author of "Information Governance: Concepts, Strategies, and Best Practices" (Wiley, 2014).