Information Governance sets out the policies, processes and procedures involved in using and managing business information in order to drive maximum value, while minimising information-related risk. It applies to all corporate information, regardless of the form, function or location. It is an iterative programme that will involve all parts of the business. So, what constitutes an Information Governance programme?
Establishing a Council
As the programme will spread throughout the entire organisation, the Information Governance programme should include governance and direction from cross-functional senior-level staff as part of an Information Governance Committee or Council. The Council should include people from any of the business areas that are directly affected by particular stages of the programme. It is also sensible to consider rotating membership of the Council over time to reflect the current programme objectives and to help keep the Council fresh and engaged.
Defining the Value of Business Information
[Table: column headings "Productive for user" and "Useless to user"; the table body was not preserved in this copy]
Reaching the Entire Organisation
As the programme will affect every part of the organisation, it is essential that each part is involved in developing the strategy and procedures for Information Governance in their area of the business.
The Legal department needs to be involved with anything that affects the organisation’s litigation exposures. It should help set policies for the usage and privacy rules of communications channels such as email, social media and mobile devices. It needs to be included in the policies and approvals around defensible disposal, as well as communicating with the business units about the status of legal holds. In terms of eDiscovery, the Legal department should be involved in setting the policies around where information is located, as well as how it is accessed and presented.
The Risk function will work closely with the Legal department to mitigate all aspects of information risk in terms of litigation exposures, regulatory compliance and damage to corporate reputation. It should also work closely with IT in areas such as disaster recovery and business continuity. The Risk function will also require visibility of how and where different information is stored and how it is destroyed.
Compliance should be involved in determining how information is stored and accessed as well as the establishment of internal measurements and controls on information. It should manage enterprise audit processes as well as being equipped to deal with requests from regulators and auditors.
Records Management is responsible for how paper and electronic documents are categorised, stored and managed. In addition, this function should be involved in setting in place the policies and procedures for capturing and managing new information types from BYOD, social media and Cloud services. It should work closely with Compliance to determine how information should be handled throughout its lifecycle.
The Information Governance role of IT is to efficiently manage the volume of data affecting the organisation. It should be involved in effectively optimising the use of IT infrastructure and storage, as well as removing redundant technology and systems. It will need to be involved in all aspects of the Information Governance programme to ensure that the IT solutions selected to support the programme will meet the business goals.
Information Security is responsible for an organisation’s security strategy, policy and management. This function should be involved in anything related to the security and privacy of information in use by the organisation. In addition, it will be required to work closely with Compliance and Records Management to ensure that information meets the organisation’s security and data privacy policies, while remaining compliant with industry regulations and standards such as ISO.