CHAPTER 2

Information Governance, IT Governance, Data Governance: What's the Difference?

There has been a great deal of confusion around the term information governance (IG) and how it is distinct from other similar industry terms, such as information technology (IT) governance and data governance. They are all a subset of corporate governance, and in the above sequence, become increasingly more granular in their approach. Data governance is a part of broader IT governance, which is also a part of even broader information governance. The few texts that exist have compounded the confusion by offering a limited definition of IG, or sometimes offering a definition of IG that is just plain incorrect, often confusing it with simple data governance.

So in this chapter we spell out the differences and include examples in hopes of clarifying what the meaning of each term is and how they are related.

Data Governance

Data governance involves processes and controls to ensure that information at the data level—raw alphanumeric characters that the organization is gathering and inputting—is true and accurate, and unique (not redundant). It involves data cleansing (or data scrubbing) to strip out corrupted, inaccurate, or extraneous data, and de-duplication to eliminate redundant occurrences of data.

Data governance focuses on information quality from the ground up at the lowest or root level, so that subsequent reports, analyses, and conclusions are based on clean, reliable, trusted data (or records) in database tables. Data governance is the most rudimentary level at which to implement information governance. Data governance efforts seek to ensure that formal management controls—systems, processes, and accountable employees who are stewards and custodians of the data—are implemented to govern critical data assets to improve data quality and to avoid negative downstream effects of poor data. The biggest negative consequence of poor or inaccurate data is poorly and inaccurately based decisions.

Data governance uses techniques like data cleansing and de-duplication to improve data quality and reduce redundancies.

Data governance is a newer, hybrid quality control discipline that includes elements of data quality, data management, IG policy development, business process improvement, and compliance and risk management.

Data Governance Strategy Tips

Everyone in an organization wants good-quality data to work with. But it is not so easy to implement a data governance program. First of all, data is at such a low level that executives and board members are typically unaware of the details of the “smoky back room” of data collection: cleansing, normalization, and input. So it is difficult to gain an executive sponsor and funding to initiate the effort.1 And if a data governance program does move forward, there are challenges in getting business users to adhere to new policies. This is a crucial point, since much of the data is being generated by business units. But there are some general guidelines that can help improve a data governance program's chances for success:

  • Identify a measurable impact. A data governance program must be able to demonstrate business value, or it will not get the executive sponsorship and funding it needs to move forward. A readiness assessment should capture the current state of data quality and whether an enterprise or business unit level effort is warranted. Other key issues include: Can the organization save hard costs by implementing data governance? Can it reach more customers or increase revenue generated from existing customers?2
  • Assign accountability for data quality to business units, not IT. Typically, IT has had responsibility for data quality, yet it is mostly not under that department's control, since most of the data is being generated in the business units. A pointed effort must be made to push responsibility and ownership for data to the business units that create and use the data.
  • Recognize the uniqueness of data as an asset. Unlike other assets, such as people, factories, equipment, and even cash, data is largely unseen, out of sight, and intangible. It changes daily. It spreads throughout business units. It is copied and deleted. Data growth can spiral out of control, obscuring the data that has true business value. So data has to be treated differently, and its unique qualities must be considered.
  • Forget the past; implement a going-forward strategy. It is a significantly greater task to try to improve data governance across the enterprise for existing data. Remember, you may be trying to fix decades of bad behavior, mismanagement, and lack of governance. Taking an incremental approach with an eye to the future provides for a clean starting point and can substantially reduce the pain required to implement. A proven best practice is to implement a from-this-point-on strategy where new data governance policies for handling data are implemented beginning on a certain date.

  • Manage the change. Educate, educate, educate. People must be trained to understand why the data governance program is being implemented and how it will benefit the business. The new policies represent a cultural change, and people need supportive program messages and training in order to make the shift.3

Good data governance ensures that downstream negative effects of poor data are avoided and that subsequent reports, analyses, and conclusions are based on reliable, trusted data.
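As an added illustration that is not part of the book, the Python script below shows a minimal version of the readiness assessment and the cleansing/de-duplication steps this section describes: it measures the current state of a constructed customer table (corrupted, missing, or invalid values and cosmetic duplicates) to produce a baseline quality score, then applies normalization and de-duplication for a going-forward dataset. The record layout, the rule that a normalized e-mail address identifies a customer, and the chosen metrics are assumptions.

```python
"""Readiness assessment plus cleansing/de-duplication for a small customer table.
Added example, not from the book; layout, key rule and metrics are assumptions."""
import re
from collections import Counter

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
REQUIRED = ("name", "email", "country")
ISSUE_TYPES = ("corrupted", "missing_field", "invalid_email", "duplicate")

# Constructed sample: raw rows as they might arrive from several business units.
RAW_CUSTOMERS = [
    {"id": "C001", "name": "Alice Smith ", "email": "Alice@Example.com", "country": "US"},
    {"id": "C002", "name": "alice smith", "email": "alice@example.com ", "country": "us"},
    {"id": "C003", "name": "Bob Jones", "email": "bob@example", "country": "UK"},
    {"id": "C004", "name": "", "email": "carol@example.com", "country": "DE"},
    {"id": "C005", "name": "Dan Wu", "email": "dan@example.com", "country": "\x00SG"},
    {"id": "C006", "name": "Dan Wu", "email": "DAN@example.com", "country": "SG"},
]


def normalize(rec):
    """Cleansing step: drop control characters, trim whitespace and canonicalize
    case so that cosmetic differences cannot hide duplicate customers."""
    out = {}
    for key, val in rec.items():
        val = "".join(ch for ch in val if ch.isprintable()).strip()
        if key == "email":
            val = val.lower()
        elif key == "country":
            val = val.upper()
        elif key == "name":
            val = " ".join(val.split()).title()
        out[key] = val
    return out


def dedup_key(rec):
    # Assumed business rule: the normalized e-mail address identifies a customer.
    return rec["email"]


def assess(records):
    """Readiness assessment: measure quality of the data as it is today, before
    cleanup, so the program can demonstrate a measurable baseline."""
    issues = Counter({k: 0 for k in ISSUE_TYPES})
    seen, clean = set(), 0
    for raw, rec in zip(records, (normalize(r) for r in records)):
        flags = []
        if any(not ch.isprintable() for v in raw.values() for ch in v):
            flags.append("corrupted")
        if any(not rec[f] for f in REQUIRED):
            flags.append("missing_field")
        if rec["email"] and not EMAIL_RE.match(rec["email"]):
            flags.append("invalid_email")
        if dedup_key(rec) in seen:
            flags.append("duplicate")
        seen.add(dedup_key(rec))
        issues.update(flags)
        clean += not flags
    return {"total": len(records), "clean": clean,
            "quality_score": round(clean / len(records), 2), **issues}


def cleanse(records):
    """Going-forward cleanup: normalize, reject rows that fail validation (in
    practice these go back to the data steward) and keep the first occurrence."""
    kept, seen = [], set()
    for rec in (normalize(r) for r in records):
        if any(not rec[f] for f in REQUIRED) or not EMAIL_RE.match(rec["email"]):
            continue
        if dedup_key(rec) in seen:
            continue
        seen.add(dedup_key(rec))
        kept.append(rec)
    return kept
```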

IT Governance

IT governance is the primary way that stakeholders can ensure that investments in IT create business value and contribute toward meeting business objectives.4 This strategic alignment of IT with the business is challenging yet essential. IT governance programs go further and aim to “improve IT performance, deliver optimum business value and ensure regulatory compliance.”5

Although the CIO typically has line responsibility for implementing IT governance, the CEO and board of directors must receive reports and updates to discharge their responsibilities for IT governance and to see that the program is functioning well and providing business benefits.

Typically, in past decades, board members did not get involved in overseeing IT governance. But today it is a critical and unavoidable responsibility. According to the IT Governance Institute's Board Briefing on IT Governance, “IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.”6

The focus is on the actual software development and maintenance activities of the IT department or function, and IT governance efforts focus on making IT efficient and effective. That means minimizing costs by following proven software development methodologies and best practices, principles of data governance and information quality, and project management best practices while aligning IT efforts with the business objectives of the organization.

IT Governance Frameworks

Several IT governance frameworks can be used as a guide to implementing an IT governance program. (They are introduced in this chapter in a cursory way; detailed discussions of them are best suited to books focused solely on IT governance.)

IT governance seeks to align business objectives with IT strategy to deliver business value.

Although frameworks and guidance like CobiT® and ITIL have been widely adopted, there is no absolute standard IT governance framework; the combination that works best for an organization depends on business factors, corporate culture, IT maturity, and staffing capability. The level of implementation of these frameworks will also vary by organization.

CobiT®

CobiT (Control Objectives for Information and related Technology) is a process-based IT governance framework that represents a consensus of experts worldwide. Codeveloped by the IT Governance Institute and ISACA (previously known as the Information Systems Audit and Control Association), CobiT addresses business risks, control requirements, compliance, and technical issues.7

CobiT offers IT controls that:

  • Cut IT risks while gaining business value from IT under an umbrella of a globally accepted framework.
  • Assist in meeting regulatory compliance requirements.
  • Utilize a structured approach for improved reporting and management decision making.
  • Provide solutions to control assessments and project implementations to improve IT and information asset control.8

CobiT consists of detailed descriptions of processes required in IT and also tools to measure progress toward maturity of the IT governance program. It is industry agnostic and can be applied across all vertical industry sectors, and it continues to be revised and refined.9

CobiT is broken out into three basic organizational levels and their responsibilities: (1) board of directors and executive management; (2) IT and business management; and (3) line-level governance, and security and control knowledge workers.10

The CobiT model draws on the traditional “plan, build, run, monitor” paradigm of IT management, with only variations in semantics. The CobiT framework is divided into four IT domains—(1) plan and organize, (2) acquire and implement, (3) deliver and support, and (4) monitor and evaluate—which contain 34 IT processes and 210 control objectives. Specific goals and metrics are assigned, and responsibilities and accountabilities are delineated.

The CobiT framework maps to the international information security standard, ISO 17799, and is also compatible with IT Infrastructure Library (ITIL) and other “accepted practices” in IT development and operations.11

ValIT®

ValIT is a newer value-oriented framework that is compatible with and complementary to CobiT. Its principles and best practices focus on leveraging IT investments to gain maximum value. Forty key ValIT essential management practices (analogous to CobiT's control objectives) support three main processes: value governance, portfolio management, and investment management. ValIT and CobiT “provide a full framework and supporting tool set” to help managers develop policies to manage business risks and deliver business value while addressing technical issues and meeting control objectives in a structured, methodic way.12

CobiT is process-oriented and has been widely adopted as an IT governance framework. ValIT is value-oriented and compatible and complementary with CobiT, yet focuses on value delivery.

ITIL

ITIL (Information Technology Infrastructure Library) is a set of process-oriented best practices and guidance originally developed in the United Kingdom to standardize delivery of IT service management. ITIL is applicable to both the private and public sectors and is the “most widely accepted approach to IT service management in the world.”13 As with other IT governance frameworks, ITIL provides essential guidance for delivering business value through IT, and it “provides guidance to organizations on how to use IT as a tool to facilitate business change, transformation and growth.”14

ITIL best practices form the foundation for ISO/IEC 20000 (previously BS15000), the International Service Management Standard for organizational certification and compliance.15 ITIL 2011 is the latest revision (as of this printing), and it consists of five core published volumes that map the IT service cycle in a systematic way:

  1. ITIL Service Strategy
  2. ITIL Service Design
  3. ITIL Service Transition
  4. ITIL Service Operation
  5. ITIL Continual Service Improvement16

ISO 38500

ISO/IEC 38500:2008 is an international standard that provides high-level principles and guidance for senior executives and directors, and those advising them, for the effective and efficient use of IT.17 Based primarily on AS 8015, the Australian IT governance standard, it “applies to the governance of management processes” that are performed at the IT service level, but the guidance assists executives in monitoring IT and ethically discharging their duties with respect to legal and regulatory compliance of IT activities.

The ISO 38500 standard comprises three main sections:

  1. Scope, Application and Objectives
  2. Framework for Good Corporate Governance of IT
  3. Guidance for Corporate Governance of IT

ITIL is the “most widely accepted approach to IT service management in the world.”

ISO 38500 is an international standard that provides high-level principles and guidance for senior executives and directors responsible for IT governance.

It is largely derived from AS 8015, the guiding principles of which were:

  • Establish responsibilities
  • Plan to best support the organization
  • Acquire validly
  • Ensure performance when required
  • Ensure conformance with rules
  • Ensure respect for human factors

The standard also has relationships with other major ISO standards, and embraces the same methods and approaches.18

Information Governance

Corporate governance is the highest level of governance in an organization, and a key aspect of it is IG. IG processes are higher level than the details of IT governance and much higher than data governance, but both data and IT governance can be (and should be) a part of an overall IG program. The IG approach to governance focuses not on detailed IT or data capture and quality processes but rather on controlling the information that is generated by IT and office systems.

IG efforts seek to manage and control information assets to lower risk, ensure compliance with regulations, and improve information quality and accessibility while implementing information security measures to protect and preserve information that has business value.19 (See Chapter 1 for more detailed definitions.)

Impact of a Successful IG Program

When making the business case for IG and articulating its benefits, it is useful to focus on its central impact. Putting cost-benefit numbers to this may be difficult, unless you also consider the worst-case scenario of loss or misuse of corporate or agency records. What is losing the next big lawsuit worth? How much are confidential merger and acquisition documents worth? How much are customer records worth? Frequently, executives and managers do not understand the value of IG until it is a crisis, an expensive legal battle is lost, heavy fines are imposed for noncompliance, or executives go to jail.

IG is how an organization maintains security, complies with regulations and laws, and meets ethical standards when managing information.

There are some key outputs from implementing an IG program. A successful IG program should enable organizations to:

  • Use common terms across the enterprise. This means that departments must agree on how they are going to classify document types, which requires a cross-functional effort. With common enterprise terms, searches for information are more productive and complete. This normalization process begins with developing a standardized corporate taxonomy, which defines the terms (and substitute terms in a custom corporate thesaurus), document types, and their relationships in a hierarchy.
  • Map information creation and usage. This effort can be buttressed with the use of technology tools such as data loss prevention, which can be used to discover the flow of information within and outside of the enterprise. You must first determine who is accessing which information when and where it is going. Then you can monitor and analyze these information flows. The goal is to stop the erosion or misuse of information assets and to stem data breaches with monitoring and security technology.
  • Obtain “information confidence”—that is, the assurance that information has integrity, validity, accuracy, and quality; this means being able to prove that the information is reliable and that its access, use, and storage meet compliance and legal demands.
  • Harvest and leverage information. Using techniques and tools like data mining and business intelligence, new insights may be gained that provide an enterprise with a sustainable competitive advantage over the long term, since managers will have more and better information as a basis for business decisions.21

Summing Up the Differences

IG consists of the overarching policies and processes to optimize and leverage information while keeping it secure and meeting legal and privacy obligations in alignment with stated organizational business objectives.

IT governance consists of following established frameworks and best practices to gain the most leverage and benefit out of IT investments and support accomplishment of business objectives.

Data governance consists of the processes, methods, and techniques to ensure that data is of high quality, reliable, and unique (not duplicated), so that downstream uses in reports and databases are more trusted and accurate.

CHAPTER SUMMARY: KEY POINTS

  • Data governance uses techniques like data cleansing and de-duplication to improve data quality and reduce redundancies.
  • Good data governance ensures that downstream negative effects of poor data are avoided and that subsequent reports, analyses, and conclusions are based on reliable, trusted data.
  • IT governance seeks to align business objectives with IT strategy to deliver business value.
  • CobiT is process-oriented and has been widely adopted as an IT governance framework. ValIT is value-oriented and compatible and complementary with CobiT yet focuses on value delivery.
  • The CobiT framework maps to the international information security standard ISO 17799 and is also compatible with ITIL (IT Infrastructure Library).
  • ITIL is the “most widely accepted approach to IT service management in the world.”
  • ISO 38500 is an international standard that provides high-level principles and guidance for senior executives and directors responsible for IT governance.
  • Information governance is how an organization maintains security, complies with regulations and laws, and meets ethical standards when managing information.

Notes

1. “New Trends and Best Practices for Data Governance Success,” SearchDataManagement.com eBook, http://viewer.media.bitpipe.com/1216309501_94/1288990195_946/Talend_sDM_SO_32247_EB-ook_1104.pdf (accessed March 11, 2013).

2. Ibid.

3. Ibid.

4. M.N. Kooper, R. Maes, and E.E.O. Roos Lindgreen, “On the Governance of Information: Introducing a New Concept of Governance to Support the Management of Information,” International Journal of Information Management 31 (2011): 195–200, http://dl.acm.org/citation.cfm?id=2297895 (accessed November 14, 2013).

5. Nick Robinson, “The Many Faces of IT Governance: Crafting an IT Governance Architecture,” ISACA Journal 1 (2007), www.isaca.org/Journal/Past-Issues/2007/Volume-1/Pages/The-Many-Faces-of-IT-Governance-Crafting-an-IT-Governance-Architecture.aspx

6. Bryn Phillips, “IT Governance for CEOs and Members of the Board,” 2012, p.18.

7. Ibid., p.26.

8. IBM Global Business Services/Public Sector, “Control Objectives for Information and related Technology (CobiT®) Internationally Accepted Gold Standard for IT Controls & Governance,” http://www-304.ibm.com/industries/publicsector/fileserve?contentid=187551 (accessed March 11, 2013).

9. Phillips, “IT Governance for CEOs and Members of the Board.”

10. IBM Global Business Services/Public Sector, “Control Objectives for Information and related Technology (CobiT®) Internationally Accepted Gold Standard for IT Controls & Governance.”

11. Ibid.

12. Ibid.

13. www.itil-officialsite.com/ (accessed March 12, 2013).

14. ITIL, “What Is ITIL?” www.itil-officialsite.com/AboutITIL/WhatisITIL.aspx (accessed March 12, 2013).

15. Ibid.

16. Ibid.

17. ISO/IEC 38500:2008, “Corporate Governance of Information Technology,” www.iso.org/iso/catalogue_detail?csnumber=51639 (accessed November 14, 2013).

18. ISO 38500, www.38500.org/ (accessed March 12, 2013).

19. www.naa.gov.au/records-management/agency/digital/digital-continuity/principles/ (accessed November 14, 2013).

20. ARMA International, Glossary of Records and Information Management Terms, 4th ed. TR 22–2012 (from ARMA.org).

21. Arvind Krishna, “Three Steps to Trusting Your Data in 2011,” CTO Edge, March 9, 2011, www.ctoedge.com/content/three-steps-trusting-your-data-2011
