A New Framework for Defining and Approaching Information Governance

By Michael Rasmussen


Editor’s note: Today we are featuring a guest blog post from Michael Rasmussen, the GRC Pundit & Analyst at GRC 20/20 Research, LLC.

Information governance has become a critical objective for organizations. In the context of the pervasive use of information throughout the enterprise, operational reliance on information, and increased regulation and liability of information, organizations are building structured approaches to information governance. This is to ensure the proper collection, use, and control of sensitive information – intellectual property, proprietary information, regulated data, personal information – across the organizations. Privacy regulations such as the California Consumer Protection Act (CCPA) and the EU Global Data Protection Regulation (GDPR) are making information governance even a greater priority.

Over the years we have seen a lot of definitions for ‘Information Governance.’ From the straightforward, like the Information Governance Initiatives:

  • “Information governance is the activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs.”

To the more complex, like Gartner’s:

  • “The specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards, and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”

However, both of these definitions do not quite deliver a clear understanding to the business on what information governance is. One is too light, the other too complex.

I am proposing a new definition for information governance which is a modification of the official definition of GRC (governance, risk management, and compliance) by the Open Compliance and Ethics Group (OCEG) . . .

  • Information governance is a capability to reliably achieve the objectives, while addressing uncertainty, and act with integrity in the collection, creation, use, storage, and disposition of information throughout the organization and its extended business relationships.

Information governance is essentially what we could call Information GRC. It starts with governance being the capability to reliably achieve objectives of information. After all, information is collected and stored for a purpose. In this context, the organization needs to manage the uncertainty to this information (risk and exposure) throughout its lifecycle. Finally, the organization needs to act with integrity to ensure the information is used for it authorized and intended purposes and not misused. However, the modern organization is not about brick and mortar wall but involves an extended array of third-party relationships that interact with that information as well and information governance extends across traditional business boundaries and into these third-party relationships as well.

What needs to change is more than a definition, but also the framework and process of information governance. Reactive, manual, and ad hoc approaches to information governances result in the inevitability of failure and exposure of information. Organizations need a cohesive information governance strategy, process, and supporting technology architecture to govern and manage the lifecycle of information.

Technology plays a critical role in enabling information governance in this vision. The right technology should make the organization more:

  • Efficient in the human and financial capital resources to monitor and manage information.
  • Effective in the proper cataloging, monitoring, control, disposition, and meeting legal and regulatory requirements of information.
  • Agile in the ability to keep up with information governance in the context of business, regulatory, legal, and risk changes.
  • Visible where access and understanding of information and data is and how it is used.
  • Consistent where the information source is understood and those that can access, manipulate it, and use to ensure its integrity.
  • Available where the information is accessible to those that are authorized to use it when they need it.

The foundational step to information governance is discovery. Organizations need to know where their data is and from there, they can control it and take action on it. A critical element needed is the ability to access the data and analyze the data in-place wherever it resides so the organization can then take action on it. This allows the organization to act on any given use-case to the information (e.g., internal policy, data audit and regulatory adherence). To be able to access, analyze and act on data in-place provides immediate insight into critical information empowering faster decisions and resolutions. It also empowers information governance teams to respond to eDiscovery collections as well as data audit and compliance initiatives quickly and effectively.