Establishing an information governance program

1
Louise Spiteri
School of Information Management
Establishing an Information
Governance Program

Agenda
1. Definition of Information governance
2. Value of Information governance
3. Principles of Information governance
4. Information governance models
5. Information governance council
2March 30, 2017. Kanata, ON.

3
What is information governance?
3
March 30, 2017. Kanata, ON.

How do you define information
governance?
March 30, 2017. Kanata, ON. 4

Some definitions
•Gartner: The specification of decision rights and an
accountability framework to ensure appropriate behavior
in the valuation, creation, storage, use, archiving and
deletion of information. It includes the processes, roles
and policies, standards and metrics that ensure the
effective and efficient use of information in enabling an
organization to achieve its goals (http://gtnr.it/2lE4K2)
•Information governance is the activities and technologies
that organizations employ to maximize the value of their
information while minimizing associated risks and costs
(iginiative.com).

Activities that are part of IG
•Records management
•Compliance
•Storage and archiving
•Security
•Risk management
•eDiscovery
Any others?

7
The value of IG
7

Why do we need IG?
•Exponential growth of digital data
•Increased complexity of regulatory environment
•Business value and risks are often unknown and
unmanaged
•Increased sharing of information outside the organization
•Prevalence of social networking and mobile applications
•Increased risk of security breaches or data loss

Data management
•The volume of information continues to explode
exponentially and has become more mobile, making
the job of protecting it even more difficult as
requirements to do so increase.

Regulatory environment
Traditional activities, such as
records management, are no
longer sufficient to meet the
demands of the business or the
ever increasing and more
complex legal and regulatory
requirements.
Legal discovery requirements continue to become more
standardized with courts having less tolerance for
noncompliance to established standards.

Business value
• Most organizations are quickly realizing the need to manage
information more effectively on an enterprise basis.
• The evolution of information management governance is an
essential business requirement to mitigate risk, reduce cost, and
increase revenue
• Market pressure for increased revenue is driving efforts to find
creative ways for organizations to leverage the large volumes of
information they retain to increase market share, drive revenue,
and maintain a competitive advantage

Data breaches, 1
http://bit.ly/2m303eg

Data breaches, 2

14
Principles of Information
Governance
14

Guiding principles, 1
•Educate all employees regarding their Information
Governance duties and responsibilities.
•Confirm the authenticity and integrity of information.
•Recognize that the official record is electronic (unless
otherwise specified).
•Store information in an enterprise-approved system or
record-keeping repository.
•Classify information under the correct record code.

•Control the unnecessary proliferation of information.
•Dispose of information when it reaches the end of its
legal and operational usefulness.
•Secure customer and enterprise confidential/personally
identifiable information.
•Comply with subpoena, audit, and discovery requests for
information.

•Align all lines of business systems and
applications to Information Governance
standards.
•Ensure that third parties that hold customer or
enterprise information comply with your
organization’s Enterprise Information Governance
standards

19
Information Governance Models
19

Information Governance Reference
Model (IGRM)
http://bit.ly/2m38Qgg

Background to the IGRM
• The IGRM was developed by EDRM, now a part of the Duke Law
Center for Judicial Studies, which creates practical resources to
improve e-discovery and information governance.
• EDRM developed this model to create a framework by which to
bring together the key players in information governance:
• Business users who need information to operate the
organization,
• IT departments who must implement the mechanics of
information management, and
• Legal, risk, and regulatory departments who understand the
organization’s duty to preserve information beyond its
immediate business value.

Components of IGRM
•IGRM represents the functional areas that are directly
responsible for the governance of information across an
enterprise.
•The model weights the involvement of the functional
constituents: Business and IT have larger, more complex
roles, Legal and RIM slightly less, and Information
Privacy and Security share the smallest component as
they are more specifically focused in their duties.

Key functions in IGRM, 1
•Legal: responsible for determining the risk profile
of an organization based on litigation exposures,
international privacy requirements, intellectual
property protection, working environment, and
more.
•Discovery: responsible for the communication,
instruction, and coordination with business units
or individuals related to information that must be
located, preserved, and produced to satisfy
litigation requirements

•Risk: responsible for the protection of the organization’s
brand, finances, and operations by managing and
mitigating risk exposures. This requires a full
understanding of the organization’s risk profile (litigation,
investigations, regulatory requirements, protection of
private information, and protection of intellectual
property).
•Compliance: responsible for ensuring that the
organization is aware of, and meets the requirements of
rules and regulations imposed by a variety of
authorities (federal, state/provincial, and local
governments; regulatory agencies; data privacy
authorities, and industry groups).

•RIM: responsible for the development and publication
of the RIM Program policy for paper and electronic
records.
•IT: responsible for the management of the high volume of
data being created and received, and the reduction of
costs, particularly around redundant technologies and
storage.
•Privacy: responsible for managing the risks and
business impacts of privacy laws and policies, and the
use of personally identifiable information.

•Security: responsible for the development,
implementation, and management of the organization’s
security vision, strategy, policy, and programs.
•Information Architecture: responsible for the
organization of information and database development
to support the business needs.
•Business: responsible for compliance with the
Information Governance policies.

27
Generally Accepted
Recordkeeping Principles
27

Scope
• The Generally Accepted Recordkeeping Principles (The
Principles), were created by ARMA International as a common set
of principles that describe the conditions under which business
records and related information should be maintained.
• The Principles were designed to guide:
• CEOs in determining how to protect their organizations in the
use of information assets;
• Legislators in crafting legislation meant to hold organizations
accountable; and
• Records management professionals in designing
comprehensive and effective records management programs.

The Principles, 1
Accountability: A senior executive shall oversee the information
governance program and delegate responsibility for records and
information management to appropriate individuals, The
organization adopts policies and procedures to guide personnel and
ensure that the program can be audited.
Transparency: An organization’s business processes and
activities, including its information governance program, shall be
documented in an open and verifiable manner, and
the documentation shall be available to all personnel
and appropriate interested parties.
Integrity: An information governance program shall be constructed
so the information generated by or managed for the organization
has a reasonable and suitable guarantee of authenticity and
reliability.

The Principles, 2
Protection: An information governance program shall
be constructed to ensure a reasonable level of protection to records
and information that are private, confidential, privileged, secret,
classified, essential to business continuity, or that otherwise require
protection.
Compliance: An information governance program shall
be constructed to comply with applicable laws and other binding
authorities, as well as with the organization’s policies.
Availability: An organization shall maintain records and information
in a manner that ensures timely, efficient, and accurate retrieval of
needed information.

The Principles, 3
Retention: An organization shall maintain its records
and information for an appropriate time, taking into
account its legal, regulatory, fiscal, operational,
and historical requirements.
Disposition: An organization shall provide secure
and appropriate disposition for records and information
that are no longer required to be maintained by applicable
laws and the organization’s policies

The IG Maturity Model
• The Maturity Model for Information Governance is designed to provide
organizations a more complete picture of what effective information
governance looks like.
• The model is based on the eight principles as well as a foundation of
standards, best practices, and legal/regulatory requirements.
• The maturity model defines characteristics of various levels of
recordkeeping programs. For each principle, the maturity model associates
various characteristics that are typical for each of the five levels in the
model

Levels 1-2
Level 1 (Sub-standard): This level describes an
environment where recordkeeping concerns are either not
addressed at all, or are addressed in a very ad hoc manner.
Organizations that identify primarily with these descriptions
should be concerned that their programs will not meet legal
or regulatory scrutiny.
Level 2 (In Development): This level describes an
environment where there is a developing recognition that
recordkeeping affects the organization, and that the
organization may benefit from a more defined information
governance program. However, in Level 2, the organization
is still vulnerable to legal or regulatory scrutiny since
practices are ill-defined and still largely ad hoc in nature.

Levels 3-4
Level 3 (Essential): This level describes the essential or minimum
requirements that must be addressed in order to meet the organization's legal
and regulatory requirements. Level 3 is characterized by defined policies and
procedures, and more specific decisions taken to improve recordkeeping.
However, organizations that identify primarily with Level 3 descriptions may still
be missing significant opportunities for streamlining business and controlling
costs.
Level 4 (Proactive): This level describes an organization that is initiating
information governance program improvements throughout its business
operations. Information governance issues and considerations are integrated
into business decisions on a routine basis, and the organization easily meets its
legal and regulatory requirements. Organizations that identify primarily with
these descriptions should begin to consider the business benefits of information
availability in transforming their organizations globally.

Level 5
Level 5 (Transformational): This level describes an
organization that has integrated information governance
into its overall corporate infrastructure and business
processes to such an extent that compliance with the
program requirements is routine. These organizations
have recognized that effective information governance
plays a critical role in cost containment, competitive
advantage, and client service.

36
Information Governance Council
36

IG oversight
• A senior-level Information Governance Council is important to the
success of any organization-wide IG program. It is important to
include senior representatives of a number of different roles to
ensure that all aspects of IG are understood, championed, and
monitored.
• The Council is responsible for approving an enterprise-
wide Information Governance strategy, developing operating
procedures for the Council, providing guidance about technology
and standards, assisting in the securing of funds, and advocating
the business value of information governance

Examples of roles in IG Council
• CIO
• Legal
• Chief Data Officer
• Chief Health Information
Officer
• Discovery or Litigation Officer
• Risk Management
• Compliance Officer
• Records and Information
Manager
• Chief Data Privacy Officer
• Information Technology Security
• Information Technology
Infrastructure
• Critical Line of Business
• International (Regional) Leaders

39
Best Practices for IG Council
39

Suggested practices, 1
Senior executive support
• It is important to have a supportive executive sponsor.
Focus on outcomes or targeted action items
• The Council should meet regularly (e.g., quarterly) with a clear
agenda and ensuring that the concerns of each functional area are
addressed. Topics could include the following, with specific targets
or outcomes
• key performance indicator metrics
• consideration of new technology
• change management
• budget

Suggested practices, 2
Self assessment
•Have a self-assessment program to enable managers to
reflect on good practices, and to identify and address
potential weaknesses in the design or execution of
internal processes that mitigate key operational risks and
costs.
Efficient use of technology
•Use tools such as data analytics, auto-classification tools,
and automated ways in which to monitor progress and to
detect non-compliance.

42
Questions?
42

Contact information
Dr. Louise Spiteri
Louise.Spiteri@dal.ca
http://about.me/louisespiteri

Establishing an information governance program

More Related Content

What's hot (20)

Similar to Establishing an information governance program (20)

More from Louise Spiteri (19)

Recently uploaded (20)

Establishing an information governance program