by Peter Sloan, Husch Blackwell LLP
February 5, 2014
If anything cries out for organizational governance today, surely it is information. Data volumes are rising relentlessly; information is flowing in and out of organizations more pervasively than ever; and mobile computing, cloud services, big data analytics, and social networking are fundamentally transforming the organization’s relationship with information. Meanwhile, the compliance environment grows yet more complicated, as organizations, regulators, and the courts wrestle with the repercussions of massive data breaches, the evolving scope of e-discovery, and allocation of responsibility for the retention and protection of information. Shortcomings of the traditional practices used by organizations to deal with information are becoming clear, as is the need for a new, comprehensive approach. And that fresh approach has been dubbed “Information Governance.”
But what exactly is Information Governance? Despite widespread use of the term,[1] few definitions have been offered. With due deference to Shakespeare’s Juliet,[2] and also to Justice Stewart,[3] names and definitions matter. They are particularly important when the subject, unlike roses and pornography, has not been with us for a very long time. And Information Governance indeed is a new approach for addressing information issues. To be more precise, Information Governance involves a new reconciliation of departmental interests (such as those of IT, Legal, Compliance, Records Management, and lines of business) and of traditional information disciplines (such as records & information management, privacy & data security, and litigation preservation & discovery)—in essence, connecting familiar building blocks in a new, different, and more effective way, to better serve the organization as a whole. So, definitional clarity is essential here, precisely because Information Governance involves a fundamental change in established perspectives and practices.
What definitions have been proffered for Information Governance? According to Gartner, the global information technology research and advisory company, Information Governance is “the specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”[4] ARMA International similarly defines Information Governance as “a strategic framework composed of standards, processes, roles and metrics that hold organizations and individuals accountable to create, organize, secure, maintain, use, and dispose of information in ways that align and contribute to the organization’s goals.”[5]
The Compliance, Governance, and Oversight Council (“CGOC”) has defined Information Governance as “the discipline of managing information according to its legal obligations and its business value, which enables defensible disposal of data and lowers the cost of legal compliance.”[6]
Most recently, the Sedona Conference has defined Information Governance as “an organization’s coordinated, inter-disciplinary approach to satisfying information compliance requirements and managing information risks while optimizing information value.”[7]
While each of these definitions has its strengths, here’s what I like about the Sedona Conference definition:[8]
- Success with Information Governance requires strategic commitment by the organization’s leadership, which is best accomplished when clear benefits accrue to the organization. Embedding compliance, risk management, and value into the definition communicates a clear “why” for pursuing Information Governance. These words articulate concrete, strategic benefits for the organization as a whole, and they also anchor the endeavor’s purpose.
- The terms “coordinated” and “inter-disciplinary” succinctly capture the essence of Information Governance, addressing the strategic “what” that is being accomplished. The most challenging aspect of adopting Information Governance is bridging across traditional information silos. To be successful with Information Governance, the organization’s individual departments and functions such as Legal, IT, Records, Compliance, and lines of business must coordinate so that decisions about the organization’s information will reflect the needs of the organization as a whole, rather than parochial interests. And success with Information Governance also requires inter-disciplinary assessment and decision-making, so that information decisions are not based solely on the limited perspectives of traditional disciplines such as records & information management, privacy & data security, and litigation preservation & discovery. This is the essential feature of Information Governance, through which the organization expands its perspective to consider all aspects and angles of information compliance, risk, and value.
The Sedona definition does not prescribe the particulars of how Information Governance is implemented, referring instead to the organization’s “approach” to accomplishing this coordinated, inter-disciplinary effort, and leaving the specifics of the implementation “how” to supporting guidance. I think that’s prudent, because there will be various approaches for implementing Information Governance, and the definition should not be too limiting. Reality suggests that different organizations adopting the Information Governance approach will operate at different points on a maturity continuum. Some, frankly, will begin by simply getting the right people together in the room to thoroughly explore all angles to information-related decisions at the organization before they are made. Others will put in place elements of structure, direction, and resources to support Information Governance efforts, along with mechanisms for accountability. Yet others will establish robust control systems for Information Governance, based upon applicable information-related standards[9] or modeled upon standards for internal control systems generally.[10]
Years from now, perhaps most organizations will be well along the path of this maturity continuum, and hopefully so. And yes, organizations certainly will need authoritative guidance on implementation frameworks, strategies, and options for building Information Governance programs. But my hunch is that, at least in the short term, different organizations will pursue Information Governance programming in a wide variety of ways. While I may feel strongly about the importance of conducting Information Governance assessments and setting program objectives, followed by establishing structure, direction, resources, and accountability for an effective Information Governance program, these are specifics of implementation — the How, rather than the definitional What and Why.
[1] A simple Google search for “Information Governance” on February 3, 2014 yielded 1,250,000 search results.
[2] “What’s in a name? That which we call a rose by any other name would smell as sweet ….” Shakespeare, Romeo and Juliet, Act 2, Scene 2.
[3] “I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description; and perhaps I could never succeed in intelligibly doing so. But I know it when I see it, and the motion picture involved in this case is not that.” Jacobellis v. Ohio, 378 U.S. 184, 197 (1964) (Stewart, J., concurring).
[4] See Gartner IT Glossary, http://www.gartner.com/IT-Glossary/information/governance (last visited January 29, 2014).
[5] See Glossary of Records and Information Management Terms, 4th Ed. (ARMA TR 22-2012).
[6] The CGOC’s definition of information governance is found in Information Governance Benchmark Report in Global 1000 Companies, CGOC 1, 8 (2010).
[7] The Sedona Conference, The Sedona Conference Commentary on Information Governance (Public Comment Version) (2013), available at https://thesedonaconference.org/publications.
[8] Full disclosure — I am a Sedona Conference Working Group 1 participant and contributed to its Commentary on Information Governance. I am also a member of ARMA International and have participated in the CGOC. Obviously, my views are my own and are not attributable to these fine organizations.
[9] Various standards provide organizations guidance on assessing information practices and providing structure, direction, resources, and accountability for information governance. See International Standard ISO 15489‑1, Records Management; International Standard ISO 30301, Management Systems for Records; International Standard ISO/IEC 27001, Information Security Management Systems; and ISO/IEC 27001:2005(E). See also The Generally Accepted Recordkeeping Principles, ARMA (Feb. 17, 2013).
[10] See COSO, Internal Control-Integrated Framework, Executive Summary (May 2012). A COSO-based internal control system is the combination of five integrated components, including a control environment, risk assessment, control activities, information and communication, and monitoring activities. Id. at 4-5.