There has been a great deal of confusion around the term information governance (IG), and how it is distinct from other similar industry terms such as information technology (IT) governance and data governance. Some books, articles, and blogs have compounded the confusion by offering a limited definition of IG, or sometimes offering a definition of IG that is just plain incorrect, often confusing it with data governance. Even so-called “experts” confuse the terms!
So in this chapter we will spell out the differences and include examples in hopes of clarifying what the meaning of each is, and how they are related.
All three terms are subsets of corporate governance, and they nest from narrowest to broadest: data governance can be seen as part of IT governance, which in turn is part of a broader program of information governance.
We will now delve into more detailed definitions and a comparison of the three.
Data governance expert Robert Seiner, author of the book Non-Invasive Data Governance and editor of The Data Administration Newsletter for over 20 years, pioneered the concept of “non-invasive data governance.” In his approach, Seiner focuses on what can get done toward improving data governance without major disruptions to the business or redesigning business processes. Bob offers his definition of data governance: “Data governance is the execution and enforcement of authority over the definition, production and usage of data.”1 He goes on to say, “My definition intentionally has some grit and some teeth—I fully stand behind having a strong definition, especially if it catches people's attention and opens the door for greater discussion. At the end of the day, true governance over data or information requires executed and enforced authority.”
But his clients sometimes like to tone it down, softening the definition. Seiner notes, “Some of my clients ponder that the definition is too aggressive. These clients do not like the words ‘execution and enforcement’ so they tame it down to something less aggressive like ‘formalized behavior for the management of data.’ That is my definition of data stewardship.”
Data governance involves processes and controls to ensure that data at the most basic level—raw data that the organization is gathering and inputting—is true and accurate, and unique (not redundant). It involves data cleansing (or data scrubbing) to strip out corrupted, inaccurate, or extraneous data and de-duplication, to eliminate redundant occurrences of data. It also usually involves implementing Master Data Management (MDM, which is discussed in more detail in Chapter 10 on IG for IT).
Data governance focuses on data quality “from the ground up” at the lowest or root level, so that subsequent reports, analyses, and conclusions are based on clean, reliable, trusted data (or records) in database tables. Data governance is the most fundamental level at which to implement information governance. Data governance efforts seek to assure that formal management controls—systems, processes, and policies—are implemented to govern critical data assets to improve data quality and to avoid negative downstream effects of poor data. DG efforts also hold data stewards accountable for information quality and accuracy.
Data governance is a newer, hybrid quality control discipline that includes elements of data quality, data management, IG policy development, business process improvement (BPI), and compliance and risk management.
Everyone in an organization wants good quality data to work with. But it isn't so easy to implement a data governance program. First of all, data is at such a low level that executives and board members are typically unaware of the details of the “smoky back room” of data collection, cleansing, normalization, and input. So it is difficult to gain an executive sponsor and funding to initiate the effort.2 And if a data governance program does move forward, there are challenges in getting business users to adhere to new policies. This is a crucial point, since much of the data is being generated by business units. But there are some general guidelines that can help improve a data governance program's chances for success:
IT governance is the primary way that stakeholders can ensure that investments in IT create business value and contribute toward meeting business objectives.5 This strategic alignment of IT with the business is challenging, yet essential. IT governance programs go further and aim to “improve IT performance, deliver optimum business value and ensure regulatory compliance.”6
Although the CIO typically has line responsibility for implementing IT governance, the CEO and board of directors must receive reports and updates to discharge their responsibilities for IT governance and to see that the program is functioning well and providing business benefits.
Typically, in past decades, board members did not get involved in overseeing IT governance. But today it is a critical and unavoidable responsibility. According to the IT Governance Institute's Board Briefing on IT Governance, “IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.”7
The focus is on the actual software development and maintenance activities of the IT department or function, and IT governance efforts focus on making IT efficient and effective. That means minimizing costs by following proven software development methodologies and best practices, principles of data governance and information quality, and project management best practices, while aligning IT efforts with the business objectives of the organization.
There are several IT governance frameworks that can be used as a guide to implementing an IT governance program. (They are introduced below in a cursory way, as a detailed discussion of them is best suited for other books focused solely on IT governance.)
Although frameworks and guidance like COBIT® and ITIL have been widely adopted, there is no absolute standard IT governance framework; the combination that works best for your organization depends on business factors, corporate culture, IT maturity, and staffing capability. The level of implementation of these frameworks will also vary by organization.
COBIT (Control Objectives for Information and [related] Technology) is a process-based IT governance framework that represents a consensus of experts worldwide. It was codeveloped by the IT Governance Institute and ISACA and first released in 1996, as a set of control objectives to assist auditors. COBIT 5 was released in 2012, and the current version is COBIT 2019.
COBIT is a high-level framework and de facto standard to guide software development efforts. It holds IT departments accountable for contributing to business objectives. COBIT has been harmonized with other standards and best practices contained in ITIL (IT Infrastructure Library), COSO (Committee of Sponsoring Organizations of the Treadway Commission), ISO 27001/2, PMBOK (Project Management Book of Knowledge), and other “accepted practices” in IT development and operations.8 COBIT addresses business risks, control requirements, compliance, and technical issues.9
COBIT offers IT controls that:
COBIT consists of detailed descriptions of processes required in IT and also tools to measure progress toward maturity of the IT governance program. It is industry agnostic and can be applied across all vertical industry sectors, and it continues to be revised and refined.11
COBIT is broken out into three basic organizational levels and their responsibilities: (1) Board of directors and executive management; (2) IT and business management; and, (3) line level governance, security, and control knowledge workers.12
The COBIT model draws upon the traditional “plan, build, run, monitor” paradigm of IT management, with only variations in semantics. There are four IT domains in the COBIT framework, containing 34 IT processes and 210 control objectives that map to those four domains: (1) plan and organize, (2) acquire and implement, (3) deliver and support, and (4) monitor and evaluate. Specific goals and metrics are assigned, and responsibilities and accountabilities are delineated.
Val IT is a newer value-oriented framework that is compatible with and complementary to COBIT. Its principles and best practices focus on leveraging IT investments to gain maximum value. Forty key Val IT essential management practices (analogous to COBIT's control objectives) support three main processes: Value Governance, Portfolio Management, and Investment Management. Val IT and COBIT “provide a full framework and supporting tool set” to help managers develop policies to manage business risks and deliver business value while addressing technical issues and meeting control objectives in a structured, methodical way.13
ITIL (Information Technology Infrastructure Library) is a set of process-oriented best practices and guidance originally developed in the UK to standardize delivery of IT service management. ITIL is applicable to both the private and public sectors and is the “most widely accepted approach to IT service management in the world.” 14 Again, as with other IT governance frameworks, ITIL provides essential guidance for delivering business value through IT, and it “provides guidance to organizations on how to use IT as a tool to facilitate business change, transformation, and growth.”15
ITIL best practices form the foundation for ISO/IEC 20000 (previously BS15000), the International Service Management Standard for organizational certification and compliance.16 ITIL 2011 is the latest revision (as of this printing), and it consists of five core published volumes that map the IT service cycle in a systematic way:
ISO/IEC 38500:2015 is an international standard that provides high-level principles and guidance for senior executives and directors, and those advising them, for the effective and efficient use of IT.19 Based primarily on AS 8015, the Australian IT governance standard, it “applies to the governance of management processes” that are performed at the IT service level, but the guidance assists executives in monitoring IT and ethically discharging their duties with respect to legal and regulatory compliance of IT activities.
The ISO 38500 standard comprises three main sections:
- Scope, Application and Objectives
- Framework for Good Corporate Governance of IT
- Guidance for Corporate Governance of IT
It is largely derived from AS 8015, the guiding principles of which were to:
- Establish responsibilities
- Plan to best support the organization
- Acquire validly
- Ensure performance when required
- Ensure conformance with rules
- Ensure respect for human factors
The standard also has relationships with other major ISO standards, and embraces the same methods and approaches. It is certain to have a major impact upon the IT governance landscape.20
Corporate governance is the highest level of governance in an organization and a key aspect of it is information governance (IG). According to the Sedona Conference, IG programs are about minimizing information risks and costs and maximizing information value.21 This is a compact way to convey the key aims of IG programs, and it is what should be emphasized when the merits of an IG program are discussed. The definition of IG can be distilled further to a more succinct “elevator pitch” definition of IG, which is “security, control, and optimization” of information. (See Chapter 1 for more detailed definitions.)
IG processes are higher level than the details of IT governance, and much higher level than data governance, but both of the aforementioned can be (and should be) a part of an overall IG program. In fact, often IG programs are launched from successful (and funded) data governance programs.
IG programs are driven from the top down but implemented from the bottom up.
The IG approach to governance focuses not on detailed IT or data capture and quality processes, but rather on controlling the information that is generated by IT, office systems, and external systems, that is, the output of IT. IG efforts seek to manage and control information assets to lower risk, ensure compliance with regulations, and to improve information quality and accessibility while implementing information security measures to protect and preserve information that has business value.22
IG programs focus on breaking down traditional functional group “siloed” approaches to maximize the value of information. Mature IG programs employ the principles of infonomics to measure and monetize information. But these programs rely on robust, effective data governance programs to provide good, clean data so that calculations and analytics that are applied yield true and accurate results.
When making the business case for IG, and articulating its benefits, it is useful to focus on its central impact. If there is a business case to apply infonomics and gain new value from information, the benefits may be quite clear in terms of monetizing information, or leveraging it in a barter transaction. However, putting cost-benefit numbers to IG programs often is difficult, unless you also consider the worst-case scenario of loss or misuse of corporate or agency records. What is losing the next big lawsuit worth? How much are confidential merger and acquisition (M&A) documents worth? How much are customer records worth? How much could a GDPR or HIPAA fine be, and what is the risk?
Frequently, executives and managers do not understand the value of IG until it is a crisis, an expensive legal battle is lost, heavy fines are imposed for noncompliance, or executives go to jail.
There are some key outputs from implementing an IG program. A successful IG program should enable organizations to:
IG consists of the overarching policies and processes to optimize and leverage information, while controlling its access, keeping it secure, and meeting legal and privacy obligations, in alignment with stated organizational business objectives.
IT governance consists of following established frameworks and best practices to gain the most leverage and benefit out of IT investments and to support accomplishment of business objectives.
Data governance is the execution and enforcement of authority over the definition, production, and usage of data,24 and consists of the processes, methods, and techniques to ensure that data at the root level is of high quality, reliable, and unique (not duplicated), so that downstream uses in reports and databases are more trusted and accurate.