Most companies still have lots of work to do to turn their information governance into “mature” programs, where they can extract value and insight from their troves of data while minimizing security and privacy risks.
The good news is that progress is being made—albeit slowly.
That’s according to the findings of a new report from the Information Governance Initiative (IGI), a think tank dedicated to advancing information governance practices and technology; it polled 100,000 IG professionals on the subject. The report asked companies about the maturity of their IG functions, what IG projects they’re currently undertaking, the timeframe and costs involved in achieving those projects, and more.
“To date, very few organizations have taken a coordinated approach to how they manage and monetize their data,” says Barclay Blair, IGI founder and executive director.
Overall, most companies rate the maturity of their IG programs as “nascent”—that is, they have some elements in place and are building the foundation, but many relevant information-related functions remain missing or underdeveloped. Many others rated their programs as “intermediate,” meaning they are building the framework and structure, according to the IGI report.
“Many organizations are beginning to acknowledge the need for proactive IG functions, but most have been slow to develop and implement these functions in a sustainable and consistent fashion,” says Eric Robinson, a solution architect for Kroll Ontrack.
In its simplest terms, information governance is a cross-disciplinary approach to governing and managing data across disparate systems and business functions. Historically, companies have struggled to manage risks across several siloed risk management functions: cyber-security, records management, privacy, legal, and more. The goal, in theory, is to have visibility into all those pockets of data at once.
“An information governance function can help those functions to work together to consider information risks holistically and to develop a broader strategy and viewpoint around managing enterprise information risk,” says David Remnitz, head of forensic technology and discovery services leader for EY.
Typically, information governance gets kick-started by a risk event—such as litigation or an investigation—when the company suddenly realizes it has no idea what data it has or where that data resides. “Often, no single function possesses the tools and expertise to help the company respond effectively to an event,” Remnitz says.
In addition to litigation and investigations, the surge of cyber-attacks is also driving companies to ask probing questions about their data security and retention policies: What data do we keep? What data do we throw away? What data do we invest time and money managing? “Cyber-security is a huge driver for organizations to get their information house in order,” Blair says.
To put a formal structure around some of the answers to those questions, some companies—MasterCard, Aon, McKesson, and Autotrader.com, to name a few—have appointed information governance officers, tasked with owning and coordinating the company’s information governance program.
In the early stages of an information governance program, many companies said the role of the chief information governance officer (new acronym time: CIGO) is to build a foundation of information governance. That requires someone with sufficient authority and leadership skills to see that the work gets done, according to the IGI report. As a company’s information governance improves, the CIGO’s role is to develop the framework and structure of an information governance program and then maintain and improve on the IG program as it develops and matures.
According to the report, the CIGO has three primary tasks:
Information leadership. At most organizations, nobody “owns” the information problem. The CIGO fills this leadership gap by taking on accountability for the governance of information in all forms across an organization.
Inter-departmental coordination. Information-related functions often operate in isolation. Information governance needs a leader who can coordinate, call the shots, and drive governance across all information facets in an organization.
Balancing risk and value. Information is a business asset, creating both risks and value. The CIGO must find the right balance between the risk and value.
One way to get started with the coordinating process is to form a steering committee. “That typically is where a lot of organizations are starting with their information governance efforts,” says Laurie Fischer, a managing director at Huron Consulting Group.
According to the report, however, most companies (58 percent) said they do not have a steering committee in place. Thirty-seven percent said that they do, and 5 percent were not sure.
Current IG Projects
Chart: Upcoming IG projects. How many projects do practitioners have planned in the coming year? Source: Information Governance Initiative.
The IGI report also said many companies have multiple information governance projects underway or planned in the next year. Sixty-nine percent identified updating policies and procedures as one project they are undertaking, followed by scanning paper documents (50 percent), and data consolidation and cleanup (47 percent) as their second- and third-most common projects.
Other common projects include the migration of unstructured information from one system to another (46 percent); defensible deletion (42 percent); and decommissioning an archive or system (40 percent).
“Data mapping is a foundational element in the information governance process,” Robinson says. “It is necessary to start with a base understanding of what and where data exists.” Only after that happens can you start to leverage all that data, either for regulatory requirements or for business intelligence purposes.
On a practical level, Robinson says, some IG projects might entail:
Identifying critical assets that require a higher level of protection from cyber-risk;
Identifying information that may have been compromised in a breach; and
Identifying redundant, trivial, and obsolete information, and disposing of that data to reduce e-discovery costs, supporting more effective management of information.
“In practice, IG projects can play a role in a wide variety of enterprise risk management initiatives,” Remnitz says. “Mature IG organizations are actively managing these risks before a risk event occurs; less mature organizations respond to them only as or after they occur.”
Getting an information governance project off the ground can take a significant amount of time. According to the IGI report, the plurality (35 percent) of practitioners said it takes longer than a year to get an information governance project started. Another 22 percent said it takes at least a year, while 16 percent said six months. Only 10 percent said it takes three months or less.
The average number of information governance projects that companies are taking on varies greatly by company size. Companies that have 10,000 or more employees are working on an average of seven information governance projects at once, spending an average of $777,000. On the lowest end, companies with up to 1,000 employees are undertaking up to four projects at once, spending an average of $186,000.