Information governance is in the air.
Two days after my last article published, “Push for Strategic Governance in Information Management," Forrester Research released a report called “Reboot your Information Governance Program with an Outside-In Perspective.” Cheryl McKinnon (@cherylmckinnon), an old friend, lead the creation of that report and followed it up with a blogpost, “Information Governance: Not a Product, Not a Technology, Not a Market.”
McKinnon and her colleagues suggest that we view information governance “as a corporate objective, enabled by programs, projects, priorities, people and technology.” This aligns well with my recommendation to take a strategic approach to information governance.
Governance of IT vs. Governance of Information
We covered the difference between IT governance and information governance in my last post, but let's build on that topic a little. While I'm sure that everyone who visits this site knows that the I in IT is for information, not everyone will understand the nuance or importance of the "I."
To put it in context: the governance of enterprise IT -- with all it entails -- is potentially a massive endeavor, with many sub areas and topics. Some might consider information governance a sub-domain of IT Governance. I would argue, as I think McKinnon and her co-authors from Forrester would, that IG is a broad and complex area all of its own.
The Information Governance Initiative has an approach worth noting. In its own words:
IGI is a cross-disciplinary consortium and think tank dedicated to advancing the adoption of Information Governance practices and technologies through research, publishing, advocacy and peer-to-peer networking.”
The multi-disciplinary aspect is key here. If you look at the IGI’s advisory board and leadership team you see lawyers, records management experts, ILTA and ARMA officers, etc. Taking a fully integrative, multidisciplinary approach is important for many aspects of our business technology topics, be it social collaboration, information and knowledge management, process management, etc.
This approach is depicted in the simple diagram below. Note that McKinnon suggests IG strategies should be business focused rather than just aiming to meet the compliance department's requirements.
The IGI seems to be in agreement too:
We believe that IG contains multiple facets that must be part of the conversation, including, at a minimum:
- Information security
- Data science
- Electronic discovery
- Business management
- Business intelligence
- Records management
- Risk Management
- IT and Infrastructure Management"
Where Does IG Strategy Sit in the Broader Enterprise IT Governance Strategy?
Two organizations champion these two agendas through certification courses. Let's map the different domains of knowledge the two certifications address to see how IG might fit in the broader governance of IT. The two organizations and their certification courses are:
- ARMA, with its Information Governance Professional (IGP) certification
- ISACA, with its Certificate in Governance of Enterprise Information Technology (CGEIT)
|ISACA CGEIT||ARMA IGP|
Domain 1: Framework for the Governance of Enterprise IT -- The definition, establishment and management of a framework for the governance of enterprise IT in alignment with the mission, vision and values of the enterprise.
|Developing IG Framework -- Establishing the parameters of the organization's IG efforts, including developing policies and standards the organization should meet; defining the authority, roles and responsibilities the organization must establish.|
|Domain 2: Strategic Management -- Ensure that IT enables and supports the achievement of enterprise objectives through the integration and alignment of IT strategic plans with enterprise strategic plans.||Developing IG Strategic Plan -- Developing a strategic plan that demonstrates an in-depth understanding of the organization's business goals, corporate culture, financial resources and commitments.|
|Domain 3: Benefits Realization -- Ensure that IT-enabled investments are managed to deliver optimized business benefits and that benefit realization outcome and performance measures are established, evaluated and progress is reported to key stakeholders.||Managing Information Risk and Compliance -- Understanding and mitigating information-related risks through such activities as researching and monitoring legal, regulatory and industry-specific compliance requirements; and creating and monitoring internal policies and procedures.|
|Domain 4: Risk Optimization -- Ensure that an IT risk management framework exists to identify, analyze, mitigate, manage, monitor, and communicate IT related business risk, and that the framework for IT risk management is in alignment with the enterprise risk management (ERM) framework.||Managing Information Risk and Compliance -- understanding and mitigating information-related risks through such activities as researching and monitoring legal, regulatory and industry-specific compliance requirements; and creating and monitoring internal policies and procedures.|
|Domain 5: Resource Optimization -- Ensure the optimization of IT resources including information, services, infrastructure and applications, and people, to support the achievement of enterprise objectives.||Aligning Technology with the IG Framework -- Partnering with IT leadership to understand the organization’s technology landscape, the ways technology is used by the business, and how to align the IG and Technology teams’ strategies and operations, including hardware, software and data lifecycle management.|
OK, so my mapping is not entirely scientific. You are free to disagree with it because there is of course no official mapping between between the two certificate programs, despite the close relationship between the two industry bodies. However there are obvious themes which connect back to my assertion in my last article -- take a strategy-lead approach, develop governance frameworks, deal with risk, and align business and IT aims, goals and objectives.
To finish up where we began, McKinnon notes in her report that organizations need to align their IG investments to their broader business technology agendas.
I don’t think any of us assume that aligning IG, IT governance and business technology strategies is going to be easy, but if it was easy it wouldn't be as much fun, would it?