The Information Governance Imperative
Information Governance is a key issue for organisations in today’s security conscious world.
The imperative driving this surge in interest is twofold, but is essentially all about risk management:
- The fast pace of the evolving digital world can disrupt existing businesses that don’t have a proactive Information Governance program; and
- Effective leadership of Information Governance is the key to ensuring appropriate strategies, priorities, policies and processes are successfully embedded in an organisation to maximise the opportunities and minimise the risks arising from the information it holds.
The value for organisations is to enable the delivery of better outcomes by minimising the risk and maximising the value of the information they hold.
The value to individual Information Governance professionals is to keep them up to date with the latest developments and international global thinking and ensure the professional discipline of Information Governance is recognised as a key component to managing the exponential rise in data in the information age.
What is Information Governance?
While the concepts of information and governance are not new, the discussion around Information Governance has emerged as a necessary discipline to deal with the vast amounts of information being generated everyday by organisations. The challenge for organisations, whether in business, government or non-for-profit, is in developing a strategic, top-down approach to managing all aspects of information within the organisation.
- What information is required to be held?
- What information the organisation can use to deliver benefits to the bottom line?
- Security of information – how it is and will be kept secure and how personally identifiable information is securely managed.
In short, Information Governance:
- Ensures that information is managed to achieve the strategic objectives of the organisation; and
- Provides the framework, systems and processes for ensuring the value of information is maximised and risks are minimised.
Cybersecurity and Information Governance
Relentless cyberattacks, the potential of data and privacy breaches and the ever increasing volume of information present an enormous risk to organisations.
Significant cybersecurity investment, including the latest technology and best systems in place, is unlikely to prevent all breaches. And even if your cybersecurity technology and systems are first rate, there is always the issue of human failure – for example, employees leaving laptops or mobile phone in public places, or employees who download unauthorised software, or the problem of rogue employees and increases in information theft from within organisations.
In the event of a successful data breach the issues become – what information will be accessible to a cybercriminal, and what safeguards have you put in place in relation to sensitive data or data containing personal identifiable information? A holistic and strategic approach to cybersecurity, privacy, records and information management is critical to ensure that data and privacy breaches are minimised.
Information as an Organisational Asset
Organisations need to consider information as an asset and measure both the value and costs of the data they hold. This means measuring the financial benefits derived from the value of data held as well the costs and subsequent savings from risk management investments.
On the value side
This includes investments in technology tools that can be used for competitive advantage and deliver benefits directly to the bottom line – such as:
- Data analytics to improve or develop new services or products;
- Data analytics to increase efficiencies in manufacturing processes;
- Data analytics to improve delivery of services by government to citizens; or
- Contract management technology to maximise financial returns of contracts;
- Analytic tools for auditing to prevent or detect early fraudulent activity.
On the risk side
This includes strategic investments in technology and systems to minimise the risks and costs of data and privacy breaches arising from the exponential rise in the amount of data that is being held and stored by organisations, such as:
- Systems and technology tools to reduce the amount of data being stored by organisations – that is, minimising the amount of redundant, outdated and trivial (ROT) data so there is less overall data;
- Systems and technology to ensure that sensitive business data and information containing personally identifiable information has enhanced security and is more difficult to locate or access in the event of a successful cyberattack; and
- Technology to search, identify, and review information in the discovery and production process in litigation and regulatory inquiries.
The Cost of Information
Is often only fully understood after the event, such as:
- Following a cyberattack and a data and/or privacy breach – with costs including business interruption costs, damage to reputation, potential regulatory investigation and litigation, including the costs of responding to regulatory investigations, potential sanctions and the cost of any litigation and subsequent pay-outs;
- Implementation of new technology system – with the additional costs incurred in dealing with excessive amounts of ROT, stored at additional cost. This is likely to delay implementation of a new system and impede management of information going forward unless addressed to accord with best practice information management;
- Litigation or regulatory investigations or commission of Inquiries – where the costs of document production are enormous due to the vast amount of data that needs to be searched, identified as relevant, reviewed and produced in accordance with legal requirements, or the potential sanctions and costs of not being to produce all documents that were required to be kept either in accordance with legal obligations or Legal Holds.
Susan Bennett LLM(Hons), MBA
Susan is a lawyer and business advisor with over twenty years’ experience and has worked closely with corporate and government clients to deliver tailored legal and risk management solutions that meet client needs and strategic objectives.
If you would like assistance reviewing your current IG ecosystem, please contact Susan on +61 2 8226 8682 or email firstname.lastname@example.org