Creating an Information Governance Framework

Information Governance describes the holistic approach to managing information by implementing processes, roles and metrics to transform information into a business asset. The purpose of the Information Governance framework is to formally establish an organisation’s approach to Information Governance.

No two Information Governance programmes are the same, so each framework will be unique to the organisation, but any programme should, as a minimum, cover the following areas:

A Definition of Scope

The framework should begin by establishing the full extent of the Information Governance programme. An example of this could be:

“The Information Governance framework covers all staff that create, store, share and dispose of information. It sets out the procedures for sharing information with stakeholders, partners and suppliers. It concerns the management of all paper and electronic information and its associated systems within the organisation, as well as information held outside the organisation that affects its regulatory and legal obligations.”

Roles and Responsibilities

The first major section of most frameworks clearly defines key roles and their responsibilities, including:

Information Governance Committee

This section should establish:

  • The multi-disciplinary nature of the committee
  • Key executives that will form the committee
  • The committee’s role and authority
  • Frequency of meetings
  • Measurement and metrics

Information Governance Team

Although not all organisations create a dedicated team to drive practical implementation of the programme, where a team is put in place the team’s role and responsibility should be clearly stated. For example:

  • Coordination and operational management of Information Governance projects
  • Review of Information Governance compliance and ensure alignment with related policies and procedures
  • The monitoring and enforcement of records management, retention and disposal policies
  • Enforcement of information security policies and management of security breach incidents

Information Risk Management

Managing information risk is, perhaps, the most important element of Information Governance. Information risk management will include:

  • Establishing a senior risk owner
  • Establishing an information risk team
  • Establishing an audit process with an oversight of information risk
  • Establishing processes and procedures that allow for the assessment and mitigation of risk at an acceptable level
  • Creating, monitoring and enforcing information risk policies and procedures

The information risk team will likely be line-of-business managers who will be responsible for understanding and addressing risk in their part of the business and ensuring the information is used legally.

The team’s goal is to identify, prioritise and manage risk, but this is a balance between the cost of addressing and mitigating risk and the benefits that the business derives from that information. The framework can include an “Information Risk Tolerance” statement, such as:

“The organisation will not accept any information risk that may result in reputational damage, financial loss, legal exposure or loss of business productivity.”

Information Asset Management

Many organisations define their information assets – data, software, hardware, services, etc – giving discrete elements to manage. The framework can:

  • Define all information assets
  • Establish an information asset register
  • Define the executive information asset manager
  • Define information asset owners
  • Define policies and procedures for handling information assets
  • Define security strategy and policies for information assets

Information asset owners are likely to be senior managers in different business areas responsible for managing the risks and accountabilities for the information used in their area.

Records Manager

Records management is another key area for Information Governance. The Framework can define the:

  • Extent of information for which the Records Manager is responsible
  • Records Manager’s role in the classification, retention and disposal of information
  • Records Manager’s role in regulatory and legal compliance

Line-of-Business Managers

Line managers are responsible for ensuring that they and their staff fully understand and fulfil their Information Governance responsibilities. The framework can define the manager’s role in:

  • Implementing and enforcing Information Governance practices and policies
  • Mitigating information risk
  • Implementing the security and authorisation of information
  • Ensuring that all employees understand and are equipped to comply with Information Governance processes and procedures

Employees

Staff must understand the need to properly manage the information they create and access. The framework can define the employee’s role in:

  • Implementing Information Governance practices and policies
  • Implementing the security and authorisation of information
  • Determining the Employee’s training requirement

Information Policies

Information Governance covers a wide range of policies. The framework should set out which corporate policies are relevant to the Information Governance programme. These may include:

  • Information security policy
  • Records management policy
  • Retention and disposal schedules
  • Archiving policy
  • Data privacy policy
  • ICT policy
  • Information sharing policy
  • Remote working policy

Information Procedures

A major part of the Information Governance framework should set out how the organisation and its employees work with information. This can be broken into separate sections covering:

  • Legal and regulatory compliance
  • Creating and receiving information
  • Acceptable content types
  • Managing the volume of information
  • Managing personal information
  • Storing and archiving information
  • Collaboration and sharing information
  • Disposing of information

Working with Third Parties

As more and more of the information that affects a business is created and stored elsewhere, it is essential to establish how the organisation operates and shares information with stakeholders, partners and suppliers. The framework should:

  • Define the policies for sharing information with third parties
  • Define how the organisation can manage how third parties handle personal and confidential information
  • Define how Information Governance fits within supplier relationships and contractual obligations
  • Define measurement and metrics for third parties meeting the organisation’s Information Governance goals

Disaster Recovery, Contingency and Business Continuity

The framework should set out the organisation’s approach to:

  • Reporting information losses
  • Reporting information security breaches
  • Incident management and escalation
  • Backup and disaster recovery
  • Business continuity management

Auditing, Measurement and Review

Information Governance is a continuous improvement process, so it must be underpinned by a continuous monitoring procedure. The framework can set out the organisation’s approach to:

  • Monitoring information access and use
  • Monitoring effectiveness of regulatory compliance
  • Monitoring the effectiveness of information security policy and procedure
  • Monitoring of ICT and storage infrastructure performance
  • Risk assessment and auditing
  • Information Governance review

Like many things in Information Governance, there is a balance to be achieved with the Information Governance framework. The more comprehensive the document, the better. However, it shouldn’t become so large and unwieldy that it ends up gathering dust on the shelf.
