As I looked for a textbook to use for a course I am teaching to MBA students at Rice University on Information Governance, I discovered that, while many books have “Information Governance” in the title, none of them really matched with my own working definition of the term. So I began a quest for the true meaning of “Information Governance.” Is it something more than “Information Management,” and, if so, what?
Four years ago, Debra Logan reported that Gartner defined “Information Governance” as:
the specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.
http://blogs.gartner.com/debra_logan/2010/01/11/what-is-information-governance-and-why-is-it-so-hard/
This may be right, but I am troubled by some word choices: “encourage” rather than “mandate”; “desirable” rather than “required,” or perhaps nothing; “effective and efficient use” rather than “effective and efficient use and disposal.” The Gartner definition doesn’t say “who” does this and doesn’t explain how this is different from “Information Management.” It doesn’t mention legal requirements.
George Socha and Tom Gelbmann, building on the success of their E-discovery Reference Model (the EDRM), have created the Information Governance Reference Model.
http://www.edrm.net/resources/guides/igrm
Peeling back the covers of the Information Governance Reference Model, one quickly concludes that it is merely a restatement of the contents of the “Information Management” box in the EDRM (which, incidentally, was originally labelled “Records Management”), with “Unified Governance” added as something that ties all the elements together.
John Mancini, the president at AIIM, has discussed the concept of “Information Governance” at some length (http://www.digitallandfill.org/), and the folks at ARMA have a certification process by which one can become an “Information Governance Professional” (http://www.arma.org/r2/igp-certification). While both AIIM and ARMA cover the information portion of the topic well, they seem to struggle with bridging the discussion into “Governance.” Others, in the Governance, Risk Management and Compliance arena, make clear the linkage between “Governance” and risk management and compliance, but generally with little reference to “Information.” See OCEG’s “GRC Capability Model ‘Red Book’ 2.0.” (The current version, 2.1, doesn’t address this as well.)
What I really need is a textbook that links the current discussions of “Information Governance” with the ongoing discussions of Governance, Risk Management, and Compliance. I haven’t found one. Perhaps the upcoming publications by Robert Smallwood and Barclay Blair will fill this gap. In the meantime, I wanted to offer a conceptual model for “Governance” and “Management.” This model applies to all corporate operations, including those related to “Information.”
To investigate “Information Governance,” we need to disaggregate and define the separate terms, and then re-combine them.
What does “governance” mean? How do we create a distinction in language between “governance” and “management”? Are they both something that gets done and the people who do it? Is the difference merely the difference between structure and execution, or meta-structure and execution? Is it the difference between Congress and the President?
One definition of “governance” focuses on establishing the rules of behavior and taking steps to make sure that they are followed. Another focuses on the decision-making processes used by the governing authority, as the Gartner definition does. OECD combines the two and defines the related term of “corporate governance” as the
[p]rocedures and processes according to which an organisation is directed and controlled. The corporate governance structure specifies the distribution of rights and responsibilities among the different participants in the organisation – such as the board, managers, shareholders and other stakeholders – and lays down the rules and procedures for decision-making.
Sometimes aspects of “governance” are captured in a RACI matrix, which plots who is responsible, who is accountable, who must be consulted, and who must be informed. The reference in the Federal Sentencing Guidelines (more on that in a minute) to “the governing authority” provides a key, and this key may be a missing link.
First, a story. In response to the Arab Oil Embargo in 1973, the federal government in effect required the states to lower their highest speed limit to 55 miles an hour. Some states were more diligent than others in enforcing this 55 mph speed limit. Maryland, where I lived at the time, was one of the more diligent, and developed the reputation for issuing tickets to drivers who were exceeding the speed limit by even a mile or two per hour. Drivers heading south on I-95 were reminded of the 55 mph speed limit by huge signs at the state line.
So what’s the moral? The government had established the requirement of 55 mph. The highway department erected the new signs. The state police chose to enforce this requirement strictly. The word spread. People slowed down. Where’s the “governance”? While the legislature established the requirements (55 mph), that by itself was not sufficient to ensure compliance. Other states erected the same signs (controls), but did not have the same level of compliance. Ensuring compliance required management (the state police) to establish a reputation for strictly enforcing the requirements and thereby a more compliant culture. Compliance ensued.
The Governing Authority
Anyone involved in significant compliance activities for a corporation is familiar with the Federal Sentencing Guidelines. These are the tests by which a corporation can attempt to avoid criminal liability for the acts of one of its employees, arguing that there was a corporate policy against that behavior and the employee had gone rogue. The Department of Justice provides these guidelines as a measure of whether a corporation’s policies on compliance with the law are a policy in fact or merely a policy on paper. If the compliance of law policy is deemed effective, the Corporation may get some relief in the sentencing stage. See Chapter 8 of the Guidelines Manual,
http://www.ussc.gov/Guidelines/2013_Guidelines/Manual_PDF/2013_Guidelines_Manual_Full.pdf
Randolph Kahn and Barclay Blair made the connection between these Guidelines and information management in Information Nation, first published in 2004.
The Guidelines provide that, to have an effective program,
an organization shall --
(1) exercise due diligence to prevent and detect criminal conduct; and
(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.
But who does this for the organization?
The first of ten tests under the Federal Sentencing Guidelines is that “[t]he organization’s governing authority shall be knowledgeable about the content and operation of the program….” So, as in the “Miracle on 34th Street,” the Department of Justice, an agency of the US government, has determined that the “who” is the “governing authority”: the Board of Directors.
In the second installment I propose a new model for distinguishing between “Governance” and “Management.”