
AIIM Open Forum


Information Governance: Clearing Up the Confusion

By Robert Smallwood posted 02-11-2015 14:30

  

"Information governance is red hot right now..." states Forrester's Cheryl McKinnon. But many are still confused about the definition of information governance (IG).

Adding to that confusion are several book titles that have swapped the more established and staid "data governance" term with the new, sexier "information governance" moniker - but when you take a look at their Table of Contents you will see the books are all about data governance, which is a small subset of IG. There is only one book out there that covers "true IG" from A-Z and it is the one published last year by Wiley & Sons (full disclosure: I researched and authored the book in collaboration with nine subject matter experts).

Data governance deals with maintaining clean, non-duplicate, structured data (databases). Structured data is typically about 10% of the total amount of information stored in an organization, and unstructured (or semi-structured, if some metadata is attached) information is everything else. It is the roughly 90% of information (a/k/a content) that organizations struggle to manage which includes email messages, word processing documents, PDF documents, presentation slides, spreadsheets, scanned images, and the like.

There are multiple definitions of IG out there. Our firm's definition is:

"Policy-based control of information to maximize value and meet legal, regulatory, risk, and business demands."

Or, in short:

"Security, control, and optimization of information."

Forrester's newly-minted definition is:

"A holistic strategy for using and managing information to meet business objectives. IG assures the quality of content and data, maximizes its value, and ensures that security, privacy, and life-cycle requirements are met."

Sure, it covers the bases, but how is an executive going to grasp that? Too wordy for an elevator pitch.

Gartner defines IG as:

"The specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”

Whew! Even worse. That's a mouthful. Maybe that’s all true but no one can remember it. So it is not a very helpful definition. Sounds like it was drafted by a committee.

Here's a better definition from the IG Initiative, in their 2014 Annual Report on IG, which states that IG is:

"The activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs.”

This definition is clearer and emphasizes finding and exploiting value in information, while keeping costs and risks as low as possible. It is a broad definition but sharper than Gartner’s or Forrester's.

What all the definitions are getting at is what it means to govern information, as opposed to allowing it to spiral out of control. We have seen the consequences of this, with IG failures that were revealed when major corporations like Anthem Health and Sony Pictures were breached. These companies obviously did not know where all their protected health information (PHI), personally identifiable information (PII), and confidential e-documents were located. They - and most major corporations - do not have a current data map of where different types of information are stored and have difficulty finding all instances of it. They leave this sensitive information out there floating around on their servers unsecured and unencrypted. The consequences only become clear after a major breach: thousands of customers and employees have been dragged into a "life long battle" to control their personal information.

Let's face it: perimeter security is easily breached. So sensitive information must be identified, secured, tracked, and controlled. That means an IG program must be in place.

Enforcing IG policy means that information is identified (mapped) and classified and, if necessary, protected with technologies like encryption or information rights management (IRM). IG also means that vital records - those which the business absolutely must have to continue operations - are identified and safeguarded. Practicing good IG also means managing the information lifecycle: that information is kept as long as required by regulations and laws, or internal business needs and risk assessments, and then it is discarded according to an established retention and disposition schedule (unless it is subject to a legal hold). The information that remains is higher-value to the business and can be leveraged to create new insights that feed into management decisions. This can provide a strategic advantage.

Corporate governance is the highest level of governance of an organization and includes the articles of incorporation, bylaws, shareholder agreements, policies and procedures used to manage the relationship of the organization with its stakeholders. A key aspect of corporate governance is IG. IG processes are higher level than the details of data governance, but data governance can and should be a part of an overall IG program.

The IG approach to governance focuses not on detailed IT processes and controls or data capture and quality processes but rather on controlling the information that is generated by IT and office systems, or their output.

To Be Clear: What is Data Governance?

A data governance program should be a part of an information technology (IT) governance program and an overall IG program. Data governance involves processes and controls to ensure that information at the data level—raw alphanumeric characters that the organization is gathering and inputting—is true and accurate, and unique (not redundant). It involves data cleansing (or data scrubbing) to strip out corrupted, inaccurate, or extraneous data and de-duplication, to eliminate redundant occurrences of data.

Organizations often deploy master data management (MDM) tools and techniques to clean their data and leverage business rules that can prevent inaccurate data from being entered into a database. MDM seeks to normalize and standardize the data and ensure there is one "single version of the truth." MDM is a quality control tool and set of processes used to ensure control and consistency of data over time.

Data governance focuses on data quality from the ground up at the lowest or root level, so that subsequent reports, analyses, and conclusions are based on clean, reliable, trusted data in database tables. Data governance is the most rudimentary level at which to implement IG. Data governance efforts seek to ensure that formal management controls—systems, processes, and accountable employees who are stewards and custodians of the data—are implemented to govern critical data assets to improve data quality and to avoid negative downstream effects of poor data. The biggest negative consequence of poor or inaccurate data is poorly and inaccurately based decisions.

Summing Up the Differences

IG consists of the overarching policies and processes to optimize and leverage information while keeping it secure and meeting legal and privacy obligations in alignment with stated organizational business objectives.

Data governance consists of the processes, methods, tools, and techniques to ensure that data is of high quality, reliable, and unique (not duplicated), so that downstream uses in reports and databases are more trusted and accurate. Master data management (MDM) tools can assist in this effort.

Once the definitions of these two information-related governance disciplines are clear, their differences become more distinct. Data governance is done every day in organizations. It is a focused, small part of IG, aimed at data quality in databases, that 10% of information that must be managed. Information governance, on the other hand, is centered around controlling the other 90% of information and is much broader and high level.

IG is a new, maturing discipline that most organizations have not yet begun to tackle due to its complexity and cross-functional nature. It involves privacy, security, legal, IT, risk, and records management functions. It must be driven from the top down by a strong executive sponsor, and IG programs are often aimed at reducing legal costs and information risk. These are big targets. But the payoff can be huge, not only in cost reduction but in reducing reputational risk.

Just ask Anthem or Sony Pictures.

Robert Smallwood is Managing Director of the Institute for IG at IMERGE Consulting, and the author of "Information Governance: Concepts, Strategies, and Best Practices" (Wiley, 2014).


