8 Information Governance Principles Your Organisation Should Follow
Most organisations understand that the information they possess is their most valuable asset. What many enterprises fail to realise, however, is that if it is not properly managed, that same information can also be a significant source of risk. To manage that risk, many organisations turn to and invest in information governance.
While regulatory compliance or a reactionary incident are often the drivers for implementing or reviewing information governance, there are a wide range of benefits to be realised. It’s crucial that organisations take a proactive approach to information management, have a thorough understanding of information governance, its basic principles and why good information governance is a vital component of good business practice.
Poor Information Governance Can Have Significant Consequences
Poor information governance can have costly consequences. Consider the following examples:
- The Marriott Hotel Group was hacked and the breach revealed 25 million unencrypted passport numbers
- Poor recordkeeping caused a gas and oil company to obliterate seismic lines, each worth $6 million
- In an unrecognised oversight, Facebook staff had access to millions of users’ passwords, violating basic information security practices
- An insurance company had in storage one million boxes of information, including 20,000 which hadn’t been opened, containing an estimated $1.5 million worth of unprocessed claims
Knowing the many consequences of inadequate information governance, it is easy to understand why it is worth investing time, money and effort into a holistic information governance program.
The Benefits of Good Information Governance
Like it or not, organisations run on metrics, and the biggest obstacle to implementing, maintaining or improving information governance is justifying the return on investment and the ability to articulate the benefits. Effective information governance will:
- Turn unstructured information into valuable business data
- Afford greater protection to information and intellectual property
- Enable information to easily be found and accessed by appropriate individuals, thereby improving employee productivity
- Improve regulatory compliance with policy, procedures and frameworks
- Reduce the risk of lost information, non-compliance and security breaches
- Increase business agility through improved decision making
- Reduce costs for information storage through identification of redundant, trivial and obsolete information (ROT), and appropriate disposal of information that is no longer required to be maintained
- Facilitate collaboration between employees, customers and partners through the provision of technology platforms such as the Office 365 suite
- Reduce duplication of effort from lost or undiscoverable information
- Ensure consistent information policies across the organisation
- Encompass and manage new and evolving communication channels, for example social media
While creating these plans requires numerous resources, a thorough information governance policy is an investment worth making, and one that will reap future dividends.
For organisations endeavouring to update or create a new information governance policy, we have identified eight core principles to help achieve a thorough, well thought through plan.
The Eight Core Information Governance Principles
Principle 1: Garner Support to Drive Compliance
Start at the top and obtain support from an executive on the leadership team. They will help communicate the importance of information governance (IG), the organisation’s goals and objectives, and act as the driving force across business units.
Ensure organisation-wide support by involving and consulting key stakeholders and staff across the business. For example, IT will need to be involved when selecting technology platforms or addressing information security. The legal team will be able to assist with identifying relevant policies, standards and laws that apply to the handling of information (e.g. data privacy policies or the Notifiable Data Breach scheme). The records management team will have in-depth knowledge of the records management system or enterprise content management system (ECM). Business managers will best understand their business unit’s needs, where existing information lives, and how it is currently being managed. And don’t underestimate the importance of input from end users, as a lack of change management and end user adoption can quickly derail the best of plans.
Principle 2: Develop and Communicate a Clear Policy and Framework
A policy is key to setting the tone for information governance in an organisation and is somewhat like a mission or vision statement for information management (IM). It outlines IM expectations and practices to lay the foundation for an overarching framework. The policy should explain the benefits of good information governance, outline roles and responsibilities, demonstrate a commitment to meeting business, legislative and regulatory requirements and guide IM practices.
An information governance framework goes one step further and is more granular in nature. It establishes crucial standards, processes and procedures relating to information assets, the legal, regulatory and business context in which assets are created, used and managed, and communicates each employee’s responsibility. The policy should be easy to understand and holistic in nature. It should cover the use of social media in all its various forms, email, instant messaging apps, cloud computing and mobile devices.
To drive success, your organisation’s policy and framework should be regularly reinforced and communicated to employees by senior leadership. These efforts are more likely to succeed in organisations that foster a culture where information management is understood and valued.
When setting out to develop your IG policy, utilise resources such as those provided by The National Archives of Australia and existing examples of local policies and frameworks to help you formulate your information governance framework.
Principle 3: Ensure Information Integrity
Information is only valuable if it is correct, authentic and trustworthy, therefore ensuring information integrity is a crucial inclusion in information governance principles. This principle focuses on the consistency of methods used to create, retain, preserve, distribute and track information. Eliminating ROT (redundant, obsolete and trivial information) plays a large part in this effort, as do document audit trails. Document audit trails will assist in legal proceedings to show a document’s history and movement, and guard against claims that it has been altered, tampered with or deleted. Technology will play an integral role in this, however, consider including policy provisions for the movement of information between branches or agencies, management of physical documents and protocols for machinery of government (MoG) changes.
Principle 4: Control Information for Efficient Use
Controlling information throughout its lifecycle is a key principle and cornerstone of information management, involving the organisation, classification, retention and disposal of information. The following measures should be considered as part of your strategy:
- Link and group information semantically within a repository and implement an organisation-wide taxonomy or business classification scheme. This may require you to revisit your information architecture
- Develop consistent metadata standards, taking into account relevant standards such as the AGLS Metadata Standard and the Australian Government Recordkeeping Metadata Standard version 2.2, and regularly review their relevance and your compliance with them
- Implement a retention and disposal schedule, and again consider state-based and national standards such as Queensland’s General Retention & Disposal Schedule (GRDS). Ensure it details how information is to be disposed of or archived
- Once again, technology is a key aspect of the tasks above, so choose and customise your records management / enterprise content management system carefully. When selecting a records management system, consider the important characteristics of an effective eDRMS
- Ensure all repositories, including email, cloud storage, network and hardware drives, are consolidated and managed in the same manner; otherwise, consider how you will handle your content migration strategy
Principle 5: Protect and Secure Information
In this age of increasingly frequent security breaches, a proactive approach to information security is required. Robust encryption of devices, equipment, physical files and anything stored digitally is practiced by most large, industry leading organisations, but is something smaller organisations lag behind in. Consider how your organisation will protect physical records, especially in the event of a disaster such as a flood or fire.
Information privacy overlaps somewhat with information security, and precautionary measures should be implemented to safeguard personally identifiable information (PII), protected health information (PHI), and other confidential or sensitive information. Consider who should have access to sensitive organisational information, how you’ll protect it from unauthorised access, and how this may affect criteria for enterprise search and password protection.
For further direction, The Australian Cyber Security Centre (ACSC) gives some effective tips on cyber security in its Stay Smart Online Guide.
Principle 6: Mitigate Risk Through Information Governance
To mitigate risk, organisations require a firm understanding of all possible threats that could impact operations, and many businesses will undertake a risk assessment to assist in this process. Risks can be financial (e.g. monetary GDPR penalties), legal and compliance related, productivity related (lost or reduced productivity), security related or reputational.
Mitigating information related risks can be accomplished through an information governance program. This program should aim to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, classified, or essential to business continuity.
Often employees or organisations are hesitant to dispose of information, thinking it better to retain information longer than required than to accidentally dispose of it before its time. Unfortunately, this also creates risk. Not only can data storage costs blow out quickly, but excess information is a potential liability in the event of a cyberattack, and can be called into evidence unnecessarily during legal proceedings. Defensible deletion should be utilised to methodically, legally and ethically dispose of information once it has served its purpose.
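The retention and disposal schedule from Principle 4 and the defensible deletion described above come together in a routine that can be run over a records inventory. The following is an added example, not code from the original article or from Miktysh; the schedule entries, record classes and dates are constructed for illustration and are not taken from Queensland’s GRDS or any other real authority. It shows the decision logic a practitioner would want in such a routine: a legal hold always overrides the schedule, records with no matching schedule entry are flagged for review rather than silently destroyed, and records whose retention trigger has not yet occurred are retained.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Tuple

# Constructed sample schedule (hypothetical classes, not a real GRDS entry):
# classification -> (retention period in years after the trigger date, disposal action)
SCHEDULE: Dict[str, Tuple[int, str]] = {
    "finance/invoice": (7, "destroy"),
    "hr/personnel-file": (75, "destroy"),
    "governance/board-minutes": (0, "archive"),  # permanent value: transfer to archive
    "marketing/draft": (1, "destroy"),
}


@dataclass
class Record:
    record_id: str
    classification: str
    closed: Optional[date]  # retention trigger (file closed / action completed); None = still active
    legal_hold: bool = False


def add_years(d: date, years: int) -> date:
    """Add whole years to a date, clamping 29 February to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def evaluate(record: Record, today: date) -> Tuple[str, str]:
    """Return (decision, reason) for one record against the schedule."""
    if record.legal_hold:
        # A hold overrides every schedule entry: destroying held records is never defensible.
        return "hold", "legal hold overrides the schedule"
    entry = SCHEDULE.get(record.classification)
    if entry is None:
        # Unknown class: route to a human, never dispose by default.
        return "review", f"no schedule entry for {record.classification!r}"
    if record.closed is None:
        return "retain", "record still active; retention trigger not reached"
    years, action = entry
    due = add_years(record.closed, years)
    if today < due:
        return "retain", f"retention runs until {due.isoformat()}"
    return action, f"retention expired {due.isoformat()} per schedule"


def disposal_report(records, today: date) -> Dict[str, Tuple[str, str]]:
    """Evaluate every record; the result doubles as the audit trail for the disposal run."""
    return {r.record_id: evaluate(r, today) for r in records}


def summarise(report: Dict[str, Tuple[str, str]]) -> Dict[str, int]:
    """Count records per decision, for the monitoring metrics Principle 8 calls for."""
    counts: Dict[str, int] = {}
    for decision, _ in report.values():
        counts[decision] = counts.get(decision, 0) + 1
    return counts


# Constructed sample inventory.
TODAY = date(2024, 6, 30)
RECORDS = [
    Record("INV-0001", "finance/invoice", date(2015, 3, 1)),
    Record("INV-0002", "finance/invoice", date(2019, 3, 1)),
    Record("INV-0003", "finance/invoice", date(2015, 3, 1), legal_hold=True),
    Record("BM-2010", "governance/board-minutes", date(2010, 12, 31)),
    Record("DRAFT-7", "marketing/draft", None),
    Record("X-1", "legacy/unknown", date(2001, 1, 1)),
]

if __name__ == "__main__":
    for rid, (decision, reason) in disposal_report(RECORDS, TODAY).items():
        print(f"{rid:10} {decision:8} {reason}")
    print(summarise(disposal_report(RECORDS, TODAY)))
```

Keeping the reason string alongside each decision is what makes the deletion defensible: the report from each run records which schedule entry and trigger date justified the action, and the "review" and "hold" outcomes are the safe defaults for anything the schedule does not unambiguously cover.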
Principle 7: Derive Value from Information
Organisations should consider information as an asset and measure both its value and cost. To derive value from information, companies need to invest in technology and information systems that can be used to gain a competitive advantage and contribute directly to profits. This includes data analytics to improve or develop new services or products, or data sharing systems to enhance, for example, the allocation of resources and delivery routes for a large logistics company.
Principle 8: Monitor and Audit for Continuous Improvement
Information governance programs are not a ‘set it and forget it’ activity. For the initiative to be successful, regular monitoring and review is required. From this it should be relatively easy to identify where there may be gaps or shortcomings. As organisations evolve and grow, there will often be changes in the business environment, technology use or business strategy which can impact information governance. Seek feedback and input from employees at various levels across business units. The best improvements can come from those who deal with the information systems the most, so listen to their feedback. Regular information governance audits will ensure a high level of compliance. Consider involving an external team of specialists, such as ourselves, to ensure an objective and accurate review. And don’t forget to regularly communicate your IG policy and framework, from the top down.
The Framework For Solid Information Governance
Implementing an information governance program is a monumental undertaking, however it is worth the time, effort and resources. Review and incorporate these core principles when developing your policy and framework, and consider enlisting the help of an information management specialist to assist with your efforts.
As co-founder and Executive Director at Miktysh, Michael oversees the organisation’s strategic direction. Michael is entrepreneurial by nature and has a proven track record of driving business growth. His passion for delivering results through relationships, collaboration and exceptional customer service is evident through the numerous accolades won by Miktysh. His education and years’ of experience have equipped Michael with a deep understanding of the IT & records and information management sectors, and what it takes to run a successful technology firm in Australia.