Information governance (IG) is a new and developing hybrid "super
discipline" that crosses multiple functional boundaries, principally
records management, information security, risk management, legal and
e-discovery issues, information technology (IT), Big Data analytics,
privacy, and more.
IG is rapidly evolving. As such, best practices
are still being formed and fine tuned. This process of testing,
proving, and sharing best practices will continue as best practices are
expanded, revised, and refined.
In the course of researching and writing three books on IG
in the last three years, I scoured blogs, books, new articles, and
reports---anything I could find on IG, then I interviewed key IG
practitioners and distilled all that information into the chapters of my
books. In the course of this work certain IG best practices bubbled to
the surface, and they were reinforced by research and real-world data.
list will grow, change, and expand. In fact, a focus group of IG
professionals could probably double the size of the list I have created
within a few hours. The goal is to push understanding of IG best
practices out to those who are contemplating or embarking on IG programs
in an effort to improve their odds for success.
The most relevant
study of IG best practices is one that is conducted for your
organization and surveys your industry and what some of your more
progressive competitors (or even your own business units) are doing in
IG. Often the best way to accomplish such a study is by engaging a
third-party consultant, who can more easily contact, study, and
interview your competitors in regard to their practices. Business peer
groups and trade associations also can provide some consensus as to
emerging best practices.
Here are 28 IG best practices covering
crucial foundational elements and a number of areas in which IG has an
impact or should be a major consideration:
1. Executive sponsorship is crucial.
Securing an executive sponsor at the senior management level is key to
successful IG programs. It is not possible to require managers to take
time out of their other duties to participate in a project if there is
no executive edict.
2. IG is not a project but rather an ongoing program. It
must be an "evergreen" program. Compare the IG program to a workplace
safety program. Regular reviews are conducted to ensure the program is
being followed, and adjustments are made based on the findings. The effort never ends.[ii]
3. A cross-functional team is required to implement IG. Since
IG requires elements of a number of established disciplines,
representatives from the key areas must be included in the planning and
implantation effort. At a minimum, you will need team leaders from
legal, IT, records management, information security, compliance and risk
management, human resources, and executive management. Ideally, the IG
team is led by a Chief IG Officer who has the authority to make things
happen. Members from corporate communications, knowledge management,
finance and accounting, and other functional areas also may be needed.
Depending on the scenario, representatives from certain major business
units within the organization should be included.
4. IG is a key underpinning for a successful records management (RM) program.
Practicing good IG is the essential foundation for building a legally
defensible RM program; it provides the basis for consistent, reliable
methods for managing documents and records. Having trusted and reliable
records, reports, and databases allows managers to make key decisions
with confidence. And accessing that information and business
intelligence in a timely fashion can yield a long-term sustainable
competitive advantage, creating more agile enterprises.
5. Using an IG framework or maturity model is helpful in assessing and guiding IG programs. Various
models are offered, such as The Principles from ARMA International for
records management (RM); the Information Governance Reference Model,
which grew out of the Electronic Discovery Reference Model (found at
or the MIKE2.0 framework, which was developed by the consulting firm
Bearing Point and released to the public domain. Another RM tool that is
particularly used in the Australian market for records management
projects is Designing and Implementing Recordkeeping Systems (DIRKS).
Ultimately, organizations should customize their IG framework for their
own purposes, and it should go far beyond basic RM.
6. Defensible deletion or remediation of data debris that no longer has value is critical in the era of Big Data. You
must have IG polices in place and be able to prove that you follow them
consistently and systematically in order to justify, to the courts and
regulators, deletion of information. With a smaller information
footprint, organizations can more easily find what they need and derive
business value from it.[iv]
Data debris must be eliminated regularly and consistently, and to do
this, processes and systems must be in place to cull out valuable
information and discard the data debris. An IG program sets the
framework to accomplish this.
7. IG policies must be developed before enabling technologies are deployed to assist in enforcement. After
the policy-making effort, seek out the proper technology tools to
leverage and assist in monitoring, auditing, and enforcement.
A records retention schedule (RRS) and legal hold notification (LHN)
process are two primary elements of a fundamental IG program. These
are the basics. Implementation of a RRS and LHN process will require
records inventorying, taxonomy development, metadata normalization and
standardization, and a survey of LHN best practices.
first step in information risk compliance planning is to consider the
applicable laws and regulations that apply to your organization in the
jurisdictions in which it conducts business. Federal,
provincial, state, and even municipal laws and regulations may apply to
the retention of data, documents, and records. Organizations operating
in multiple jurisdictions must be compliant with laws and regulations
that may cross national, state, or provincial boundaries. Legally
required privacy requirements and retention periods must be researched
for each jurisdiction (state, country) in which the business operates,
so that all applicable laws are complied with.
Developing a risk profile is a basic building block in enterprise risk
management, which assists executives in understanding the risks
associated with stated business objectives and in allocating resources
within a structured evaluation approach or framework.
There are multiple ways to create a risk profile, and the frequency with
which it is created, the external sources consulted, and stakeholders
who have input will vary from organization to organization.[v]
A key tenet to bear in mind is that simpler is better and that
sophisticated tools and techniques should not make the process overly
complex. A Top 10 list of threats, their likelihood, potential impact,
and risk mitigation steps is a good start.
11. An information risk mitigation plan is a critical part of the IG planning process.
An information risk mitigation plan helps in developing risk mitigation
options and tasks to reduce the specified risks and improve the odds of
achieving business objectives.[vi]
12. Proper metrics are required to measure the conformance and performance of your IG program.
You must have an objective way to measure how you are doing, which
means numbers and metrics. Assigning some quantitative measures that are
meaningful before rolling out the IG program is essential.
13. IG programs must be audited for effectiveness.
Periodic audits will tell you how your organization is doing and where
to fine-tune your efforts. To keep an IG program healthy, relevant, and
effective, changes and fine-tuning will always be required.
14. Senior management must set the tone and lead sponsorship for vital records program governance and compliance.
Vital records are those most critical business records your
organization needs to continue operations. Although e-records are easier
to protect and backup, they also present unique challenges. Most vital
records today are e-records and distinct steps must be taken to protect
and preserve them, and those measures need to be tested periodically.
Business processes must be redesigned to improve and optimize the
management and security of information and especially electronic
records, before implementing enabling technologies.
Using electronic records management (ERM) and workflow or business
process management (BPM) software fundamentally changes the way people
work. Greater efficiencies can be gained with business process redesign
(versus simply using ERM systems as electronic filing cabinets to speed
up poor processes).
16. E-mail messages, both inbound and outbound, should be archived automatically and (preferably) in real time.
This ensures that spoliation (i.e., the loss of proven authenticity of
an e-mail) does not occur. Real-time archiving preserves legal validity
and forensic compliance. Additionally, e-mail should be compressed to
save storage space, and indexed to facilitate the searching process. All
messages should be secured in a single repository, whether virtual or
physical. With these measures, the authenticity and reliability of
e-mail records can be ensured.
17. An enterprisewide
retention schedule is preferable because it eliminates the possibility
that different business units will have conflicting records retention
periods. For example, if one business unit discards a
group of records after 5 years, it would not make sense for another
business unit to keep the same records for 10 years. Where
enterprisewide retention schedules are not possible, smaller business
units, such as divisions or regions, should operate under a consistent
18. Personal archiving of e-mail messages should be disallowed.
Although users will want to save certain e-mail messages for their own
reasons, control and management of e-mail archiving must be at the
organization level or as high of a level as is practical, such as
departmental, division or region.
19. Destructive retention of e-mail helps to reduce storage costs and legal risk while improving “findability” of critical records.
It makes good business sense to have a policy to, say, destroy all
e-mail messages after 90 or 120 days that are not flagged as potential
records (which, e.g., help document a transaction or a situation that
may come into dispute in the future) or those that have a legal hold or
are anticipated to.
20. Take a practical approach
and limit public cloud use to documents that do not have long retention
periods and carry a low litigation risk. If people need
storage and collaboration features, they will find a way to use them.
Some guidelines must be set. Doing this will reduce the risk of
compromising or losing critical documents and e-records. Of note: Some
‘purpose-built’ cloud apps are highly secure, but most file synch and
share offerings are not built with robust security controls, and they
mostly lack RM functionality and mass migration capabilities, so you do
not want to store too much there without a clear strategy.
Manage social media content by IG policies and monitor it with controls
that ensure protection of critical information assets and preservation
of business records. Your organization must state
clearly what content and tone is acceptable in social media use, and it
must retain records of that use, which should be captured in real time.
If a record only occurs on social media, it must be captured and
scheduled for retention. If it occurs anywhere else, then capture it
there. Basic RM rules apply to social media posts just as any other type
22. International and national standards provide effective guidance for implementing IG.
Although there are no absolutes, researching and referencing
International Organization for Standardization (ISO) standards and
others must be a part of any IG effort. There are several e-records
management ISO standards which provide guidance, but are not testable.
In the U.S. (and largely worldwide) DoD 5015.2 is a widely-accepted,
testable standard, although it is outdated and does not make allowances
for cloud use, management of records-in-place, or vertical applications.
The fledgling MoReq 2010 European standard is also testable (though
that process has sputtered), and allows for aggregations of records as
they are updated over time, differences in RM needs for vertical markets
such as health care, defense, and financial services, and it also
provides for managing records-in-place.
provide comprehensive e-document security throughout a confidential
document’s lifecycle, documents must be secured upon creation using
sophisticated technologies, such as encryption or information rights
management (IRM) technology. IRM acts as a sort of
“security wrapper” that denies access without proper credentials.
Document access and use by individuals having proper and current
credentials is also tightly monitored. IRM software controls the access,
copying, editing, forwarding, and printing of sensitive documents using
a policy engine that manages the rights to view and work on an
e-document. Access rights are set by levels or “roles” that employees
are responsible for within an organization.
24. Privacy by design -
compliance with privacy regulations should be built in to business
processes and automated as much as possible. When managing personal
information including protected health information (PHI), personally
identifiable information (PII), and credit card information (PCI)
privacy considerations should be paramount. Some U.S. states require the
destruction of PHI/PII/PCI soon after transactions with this sensitive
personal data have been completed or when the peson in question is no
longer a customer.
25. Creating standardized
metadata terms should be part of an IG effort that enables faster, more
complete, and more accurate searches and retrieval of records.
This is important not only in everyday business operations but also
when delving through potentially millions of records during the
discovery phase of litigation. Good metadata management also assists in
the maintenance of corporate memory and in improving accountability in
Using a standardized format and controlled vocabulary provides a
“precise and comprehensible description of content, location, and
Using a controlled vocabulary means your organization has standardized a
set of terms used for metadata elements that describe records. This
ensures consistency across a collection and helps with optimizing search
and retrieval functions and records research as well as with meeting
e-discovery requests, compliance demands, and other legal and regulatory
26. Master data management (MDM) software is crucial to a data governance program - MDM
software helps to determine and maintain a 'single version of the
truth' or in other words, to ensure that a single non-duplicated copy of
clean data is kept.
27. IT governance frameworks such as ISO 38500, IT Infrastructure Library (ITIL) and COBIT5 are essential tools -
to assist organizations in achieving their business objectives in
software development and computing services. They are guides for the
governance and management of enterprise information and technology
28. Some digital information assets must be preserved permanently as part of an organization’s documentary heritage.[ix]
It is critical to identify records that must be kept long term (more
than 10 years) as early in the process as possible; ideally, these
records should be identified prior to or upon creation. Long term
digital preservation (LTDP) applies to content that is born digital as
well as content that is converted to digital form. Digital preservation
is defined as long-term, error-free storage of digital information, with
means for retrieval and interpretation, for the entire time span that
the information is required to be retained. There are established and
proven LTDP processes, standards, and models.
Consider these 28 IG
best practices, massage them, edit them, add to them, chop them, and
customize them for your own purposes. As a whole, the IG brain trust can
move the discipline forward.
I'd love to continue the dialogue and debate. Feel free to reach out and connect here, by email, or on Twitter.
Follow me on Twitter @RobertSmallwood and if we are not connected - please feel free to reach out!
Robert Smallwood is an author, educator, speaker, and consultant. He is Managing Director of the Institute for IG at IMERGE Consulting, at www.IGTraining.com.
He teaches comprehensive courses on IG and E-records management for
corporate and public sector clients. Smallwood is the author of 3 leading books
on Information Governance: Information Governance: Concepts, Strategies. and Best Practices (Wiley, 2014); Managing Electronic Records: Methods, Best Practices, and Technologies (Wiley, 2013); and Safeguarding Critical E-Documents (Wiley, 2012).
Economist Intelligence Unit, “The Future of Information Governance,”
(accessed October 9, 2013).
[ii] Monica Crocker, e-mail to author, June 21, 2012.
[iii] EDRM, “Information Governance Reference Model (IGRM) Guide,”
http://www.edrm.net/resources/guides/igrm (accessed November 30, 2012).
[iv] Randolph A. Kahn, https://twitter.com/InfoParkingLot/status/273791612172259329, Nov. 28, 2012.
[v] John Fraser and Betty Simkins, eds., Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives (Hoboken, NJ: John Wiley & Sons, 2010), p. 171.
[vi] Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK Guide), 4th ed. (Newtown Square, Project Management Institute, 2008), ANSI/PMI 99-001-2008, pp. 273–312.
[vii] Kate Cumming, “Metadata Matters,” in Julie McLeod and Catherine Hare, eds., Managing Electronic Records, p. 34 (London: Facet, 2005).
Minnesota State Archives, Electronic Records Management Guidelines,
“Metadata,” March 12, 2012,
[ix] Charles Dollar and Lori Ashley, e-mail to author, August 10, 2012.