Best Practices for Information Governance

By Robert Smallwood posted 04-29-2015 11:39


Information governance (IG) is a new and developing hybrid "super discipline" that crosses multiple functional boundaries, principally records management, information security, risk management, legal and e-discovery issues, information technology (IT), Big Data analytics, privacy, and more.

IG is rapidly evolving. As such, best practices are still being formed and fine-tuned. This process of testing, proving, and sharing best practices will continue as they are expanded, revised, and refined.

In the course of researching and writing three books on IG in the last three years, I scoured blogs, books, news articles, and reports, anything I could find on IG. Then I interviewed key IG practitioners and distilled all that information into the chapters of my books. In the course of this work certain IG best practices bubbled to the surface, and they were reinforced by research and real-world data.

The list will grow, change, and expand. In fact, a focus group of IG professionals could probably double the size of the list I have created within a few hours. The goal is to push understanding of IG best practices out to those who are contemplating or embarking on IG programs in an effort to improve their odds for success.

The most relevant study of IG best practices is one that is conducted for your organization and surveys your industry and what some of your more progressive competitors (or even your own business units) are doing in IG. Often the best way to accomplish such a study is by engaging a third-party consultant, who can more easily contact, study, and interview your competitors in regard to their practices. Business peer groups and trade associations also can provide some consensus as to emerging best practices.

Here are 28 IG best practices covering crucial foundational elements and a number of areas in which IG has an impact or should be a major consideration:

1. Executive sponsorship is crucial. Securing an executive sponsor at the senior management level is key to successful IG programs. It is not possible to require managers to take time out of their other duties to participate in a project if there is no executive edict.
2. IG is not a project but rather an ongoing program. It must be an "evergreen" program. Compare the IG program to a workplace safety program. Regular reviews are conducted to ensure the program is being followed, and adjustments are made based on the findings. The effort never ends.[ii]

3. A cross-functional team is required to implement IG. Since IG requires elements of a number of established disciplines, representatives from the key areas must be included in the planning and implementation effort. At a minimum, you will need team leaders from legal, IT, records management, information security, compliance and risk management, human resources, and executive management. Ideally, the IG team is led by a Chief IG Officer who has the authority to make things happen. Members from corporate communications, knowledge management, finance and accounting, and other functional areas also may be needed. Depending on the scenario, representatives from certain major business units within the organization should be included.
4. IG is a key underpinning for a successful records management (RM) program. Practicing good IG is the essential foundation for building a legally defensible RM program; it provides the basis for consistent, reliable methods for managing documents and records. Having trusted and reliable records, reports, and databases allows managers to make key decisions with confidence. And accessing that information and business intelligence in a timely fashion can yield a long-term sustainable competitive advantage, creating more agile enterprises.
5. Using an IG framework or maturity model is helpful in assessing and guiding IG programs. Various models are offered, such as The Principles from ARMA International for RM; the Information Governance Reference Model, which grew out of the Electronic Discovery Reference Model;[iii] or the MIKE2.0 framework, which was developed by the consulting firm BearingPoint and released to the public domain. Another RM tool, used particularly in the Australian market for RM projects, is Designing and Implementing Recordkeeping Systems (DIRKS). Ultimately, organizations should customize their IG framework for their own purposes, and it should go far beyond basic RM.
6. Defensible deletion or remediation of data debris that no longer has value is critical in the era of Big Data. You must have IG policies in place and be able to prove that you follow them consistently and systematically in order to justify, to the courts and regulators, deletion of information. With a smaller information footprint, organizations can more easily find what they need and derive business value from it.[iv] Data debris must be eliminated regularly and consistently, and to do this, processes and systems must be in place to cull out valuable information and discard the data debris. An IG program sets the framework to accomplish this.
7. IG policies must be developed before enabling technologies are deployed to assist in enforcement. After the policy-making effort, seek out the proper technology tools to leverage and assist in monitoring, auditing, and enforcement.
8. A records retention schedule (RRS) and legal hold notification (LHN) process are two primary elements of a fundamental IG program. These are the basics. Implementation of an RRS and LHN process will require records inventorying, taxonomy development, metadata normalization and standardization, and a survey of LHN best practices.
9. The first step in information risk compliance planning is to consider the applicable laws and regulations that apply to your organization in the jurisdictions in which it conducts business. Federal, provincial, state, and even municipal laws and regulations may apply to the retention of data, documents, and records. Organizations operating in multiple jurisdictions must be compliant with laws and regulations that may cross national, state, or provincial boundaries. Legally required privacy requirements and retention periods must be researched for each jurisdiction (state, country) in which the business operates, so that all applicable laws are complied with.
10. Developing a risk profile is a basic building block in enterprise risk management, which assists executives in understanding the risks associated with stated business objectives and in allocating resources within a structured evaluation approach or framework. There are multiple ways to create a risk profile, and the frequency with which it is created, the external sources consulted, and stakeholders who have input will vary from organization to organization.[v] A key tenet to bear in mind is that simpler is better and that sophisticated tools and techniques should not make the process overly complex. A Top 10 list of threats, their likelihood, potential impact, and risk mitigation steps is a good start.
11. An information risk mitigation plan is a critical part of the IG planning process. An information risk mitigation plan helps in developing risk mitigation options and tasks to reduce the specified risks and improve the odds of achieving business objectives.[vi]

12. Proper metrics are required to measure the conformance and performance of your IG program. You must have an objective way to measure how you are doing, which means numbers and metrics. Assigning some quantitative measures that are meaningful before rolling out the IG program is essential.
13. IG programs must be audited for effectiveness. Periodic audits will tell you how your organization is doing and where to fine-tune your efforts. To keep an IG program healthy, relevant, and effective, changes and fine-tuning will always be required.
14. Senior management must set the tone and lead sponsorship for vital records program governance and compliance. Vital records are those most critical business records your organization needs to continue operations. Although e-records are easier to protect and back up, they also present unique challenges. Most vital records today are e-records, and distinct steps must be taken to protect and preserve them; those measures need to be tested periodically.
15. Business processes must be redesigned to improve and optimize the management and security of information and especially electronic records, before implementing enabling technologies. Using electronic records management (ERM) and workflow or business process management (BPM) software fundamentally changes the way people work. Greater efficiencies can be gained with business process redesign (versus simply using ERM systems as electronic filing cabinets to speed up poor processes).
16. E-mail messages, both inbound and outbound, should be archived automatically and (preferably) in real time. This ensures that spoliation (i.e., the loss of proven authenticity of an e-mail) does not occur. Real-time archiving preserves legal validity and forensic compliance. Additionally, e-mail should be compressed to save storage space, and indexed to facilitate the searching process. All messages should be secured in a single repository, whether virtual or physical. With these measures, the authenticity and reliability of e-mail records can be ensured.
17. An enterprise-wide retention schedule is preferable because it eliminates the possibility that different business units will have conflicting records retention periods. For example, if one business unit discards a group of records after 5 years, it would not make sense for another business unit to keep the same records for 10 years. Where enterprise-wide retention schedules are not possible, smaller business units, such as divisions or regions, should operate under a consistent retention schedule.
18. Personal archiving of e-mail messages should be disallowed. Although users will want to save certain e-mail messages for their own reasons, control and management of e-mail archiving must be at the organization level or at as high a level as is practical, such as department, division, or region.
19. Destructive retention of e-mail helps to reduce storage costs and legal risk while improving “findability” of critical records. It makes good business sense to have a policy to, say, destroy after 90 or 120 days all e-mail messages that are not flagged as potential records (which, e.g., help document a transaction or a situation that may come into dispute in the future) and that are not subject to, or anticipated to be subject to, a legal hold.
20. Take a practical approach and limit public cloud use to documents that do not have long retention periods and carry a low litigation risk. If people need storage and collaboration features, they will find a way to use them, so some guidelines must be set. Doing this will reduce the risk of compromising or losing critical documents and e-records. Of note: some ‘purpose-built’ cloud apps are highly secure, but most file sync-and-share offerings are not built with robust security controls, and they mostly lack RM functionality and mass migration capabilities, so you do not want to store too much there without a clear strategy.
21. Manage social media content by IG policies and monitor it with controls that ensure protection of critical information assets and preservation of business records. Your organization must state clearly what content and tone is acceptable in social media use, and it must retain records of that use, which should be captured in real time. If a record only occurs on social media, it must be captured and scheduled for retention. If it occurs anywhere else, then capture it there. Basic RM rules apply to social media posts just as any other type of record.
22. International and national standards provide effective guidance for implementing IG. Although there are no absolutes, researching and referencing International Organization for Standardization (ISO) standards and others must be a part of any IG effort. There are several e-records management ISO standards which provide guidance, but are not testable. In the U.S. (and largely worldwide) DoD 5015.2 is a widely-accepted, testable standard, although it is outdated and does not make allowances for cloud use, management of records-in-place, or vertical applications. The fledgling MoReq 2010 European standard is also testable (though that process has sputtered), and allows for aggregations of records as they are updated over time, differences in RM needs for vertical markets such as health care, defense, and financial services, and it also provides for managing records-in-place.
23. To provide comprehensive e-document security throughout a confidential document’s lifecycle, documents must be secured upon creation using sophisticated technologies, such as encryption or information rights management (IRM) technology. IRM acts as a sort of “security wrapper” that denies access without proper credentials. Document access and use by individuals having proper and current credentials is also tightly monitored. IRM software controls the access, copying, editing, forwarding, and printing of sensitive documents using a policy engine that manages the rights to view and work on an e-document. Access rights are set by levels or “roles” that employees are responsible for within an organization.
24. Privacy by design: compliance with privacy regulations should be built in to business processes and automated as much as possible. When managing personal information, including protected health information (PHI), personally identifiable information (PII), and credit card information (PCI), privacy considerations should be paramount. Some U.S. states require the destruction of PHI/PII/PCI soon after transactions with this sensitive personal data have been completed or when the person in question is no longer a customer.

25. Creating standardized metadata terms should be part of an IG effort that enables faster, more complete, and more accurate searches and retrieval of records. This is important not only in everyday business operations but also when delving through potentially millions of records during the discovery phase of litigation. Good metadata management also assists in the maintenance of corporate memory and in improving accountability in business operations.[vii] Using a standardized format and controlled vocabulary provides a “precise and comprehensible description of content, location, and value.”[viii] Using a controlled vocabulary means your organization has standardized a set of terms used for metadata elements that describe records. This ensures consistency across a collection and helps with optimizing search and retrieval functions and records research as well as with meeting e-discovery requests, compliance demands, and other legal and regulatory requirements.
26. Master data management (MDM) software is crucial to a data governance program. MDM software helps to determine and maintain a 'single version of the truth'; in other words, it ensures that a single, non-duplicated copy of clean data is kept.

27. IT governance frameworks such as ISO 38500, IT Infrastructure Library (ITIL), and COBIT 5 are essential tools to assist organizations in achieving their business objectives in software development and computing services. They are guides for the governance and management of enterprise information and technology assets.

28. Some digital information assets must be preserved permanently as part of an organization’s documentary heritage.[ix] It is critical to identify records that must be kept long term (more than 10 years) as early in the process as possible; ideally, these records should be identified prior to or upon creation. Long term digital preservation (LTDP) applies to content that is born digital as well as content that is converted to digital form. Digital preservation is defined as long-term, error-free storage of digital information, with means for retrieval and interpretation, for the entire time span that the information is required to be retained. There are established and proven LTDP processes, standards, and models.
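The retention rules in items 6, 17, and 19 above (one consistent schedule, destruction of unflagged mail after a fixed period, and a legal hold that always takes precedence) can be expressed as a small disposition engine that also produces the audit trail item 6 calls for, so that every decision, including every "retain", is recorded and the policy can be shown to have been applied consistently. The Python below is an added illustration, not code from this post or from any product it mentions; the schedule, record identifiers, dates, and hold list are constructed sample values, and the 90-day transient period is the one item 19 suggests.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str             # key into the retention schedule
    created: date
    flagged_as_record: bool   # True when a user or classifier marked it as a business record


# Constructed enterprise-wide retention schedule: category -> retention period in days.
# "transient" is the destructive-retention bucket for unflagged content (item 19);
# None means permanent retention (item 28).
SCHEDULE = {
    "transient": 90,
    "contract": 7 * 365,
    "board_minutes": None,
}


def decide(record, as_of, schedule, legal_holds):
    """Return (action, reason) for one record.

    The order of the checks is the policy: a legal hold suspends everything,
    permanent categories are never destroyed, an unscheduled category fails safe
    (retain and escalate), and only then is the age compared with the period.
    """
    age_days = (as_of - record.created).days
    if record.record_id in legal_holds:
        return "hold", f"legal hold in force (age {age_days} d); destruction suspended"
    # Unflagged items are transient content regardless of their nominal category.
    category = record.category if record.flagged_as_record else "transient"
    if category not in schedule:
        return "retain", f"no retention period scheduled for '{category}'; escalate to RM"
    period = schedule[category]
    if period is None:
        return "retain", f"'{category}' is scheduled for permanent retention"
    if age_days > period:
        return "destroy", f"age {age_days} d exceeds {period} d period for '{category}'"
    return "retain", f"age {age_days} d within {period} d period for '{category}'"


def run_disposition(records, as_of, schedule, legal_holds):
    """Evaluate every record and return the audit trail, one entry per decision."""
    trail = []
    for r in records:
        action, reason = decide(r, as_of, schedule, legal_holds)
        trail.append({
            "as_of": as_of.isoformat(),
            "record_id": r.record_id,
            "category": r.category,
            "action": action,
            "reason": reason,
        })
    return trail


def to_destroy(trail):
    """Identifiers the destruction job may act on; everything else stays in place."""
    return [e["record_id"] for e in trail if e["action"] == "destroy"]


# Constructed sample records and hold list for a run dated 2015-04-29.
RECORDS = [
    Record("msg-001", "email", date(2015, 1, 1), False),          # unflagged, 118 d old
    Record("msg-002", "email", date(2015, 3, 15), False),         # unflagged, 45 d old
    Record("doc-101", "contract", date(2005, 1, 1), True),        # flagged, past 7 years
    Record("doc-102", "contract", date(2005, 1, 1), True),        # same age, but on hold
    Record("doc-201", "board_minutes", date(1998, 6, 30), True),  # permanent category
    Record("msg-003", "email", date(2015, 1, 1), False),          # unflagged, but on hold
    Record("doc-301", "hr_file", date(2000, 1, 1), True),         # category not scheduled
]
LEGAL_HOLDS = {"doc-102", "msg-003"}

if __name__ == "__main__":
    for entry in run_disposition(RECORDS, date(2015, 4, 29), SCHEDULE, LEGAL_HOLDS):
        print(f"{entry['record_id']:8} {entry['action']:8} {entry['reason']}")
```

Two design points carry the governance weight: the hold check runs before the schedule is consulted, so releasing a hold simply means re-running disposition rather than patching a decision, and an unscheduled category is retained and escalated rather than destroyed, because a deletion the schedule does not cover cannot be defended later.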

Consider these 28 IG best practices, massage them, edit them, add to them, chop them, and customize them for your own purposes. As a whole, the IG brain trust can move the discipline forward.

I'd love to continue the dialogue and debate. Feel free to reach out and connect here, by email, or on Twitter.

Follow me on Twitter @RobertSmallwood and if we are not connected - please feel free to reach out!


Robert Smallwood is an author, educator, speaker, and consultant. He is Managing Director of the Institute for IG at IMERGE Consulting. He teaches comprehensive courses on IG and e-records management for corporate and public sector clients. Smallwood is the author of 3 leading books on Information Governance: Information Governance: Concepts, Strategies, and Best Practices (Wiley, 2014); Managing Electronic Records: Methods, Best Practices, and Technologies (Wiley, 2013); and Safeguarding Critical E-Documents (Wiley, 2012).


[i] Economist Intelligence Unit, “The Future of Information Governance,” (accessed October 9, 2013).

[ii] Monica Crocker, e-mail to author, June 21, 2012.

[iii] EDRM, “Information Governance Reference Model (IGRM) Guide,” (accessed November 30, 2012).

[iv] Randolph A. Kahn, Nov. 28, 2012.

[v] John Fraser and Betty Simkins, eds., Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives (Hoboken, NJ: John Wiley & Sons, 2010), p. 171.

[vi] Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK Guide), 4th ed. (Newtown Square, Project Management Institute, 2008), ANSI/PMI 99-001-2008, pp. 273–312.

[vii] Kate Cumming, “Metadata Matters,” in Julie McLeod and Catherine Hare, eds., Managing Electronic Records, p. 34 (London: Facet, 2005).

[viii] Minnesota State Archives, Electronic Records Management Guidelines, “Metadata,” March 12, 2012.

[ix] Charles Dollar and Lori Ashley, e-mail to author, August 10, 2012.