In 2010 the hospital records of 15,000 patients were discovered in a heap at a Massachusetts landfill because an independent billing agency didn't properly destroy the records it had gathered from four different area hospitals. The year before, hundreds of hospital records were found in a landfill in Alabama. Both incidents were violations of the federal Health Insurance Portability and Accountability Act, which aims to protect patient privacy, and both likely could have been prevented with an effective information governance policy.
There are countless other incidents like those that occur on a regular basis in various industries, and each should be a sobering lesson for companies about the importance of information governance. Yet with the stakes so high and missteps potentially so public, why is good information governance still so difficult to nail down?
The simple reason, analysts and consultants say, is that unless there are dire consequences, a well-designed and adequately funded information governance strategy doesn't often make the short list of priorities for most executive management teams.
"Information governance isn't a problem until it's a problem," said Steve Weissman, principal consultant at The Holly Group, a content, process and information management consultancy in Waltham, Mass. "If no one gets sued, if the district attorney doesn't come knocking, if things are working, it doesn't hit the radar screen. It's not like your business is broken if you don't have governance frameworks in place, so it tends to be invisible until some kind of event happens to make it visible."
If the maturity ladder for information governance is ranked on a scale from 1 to 5, with five being the most mature, most companies are stuck in the 2 to 3 range, according to Alan Weintraub, a principal analyst at Forrester Research Inc. in Cambridge, Mass.
A bigger purpose: Promoting business agility
Weintraub said many organizations take what he sees as a limited view of information governance—that it is solely related to mitigating the risks around regulatory compliance and possible legal actions. In Weintraub's view, and that of many other analysts, information governance is more broadly related to the roles, responsibilities, policies and procedures required to ensure information reliability and integrity for the purpose of making sound business decisions. "Good information governance isn't just about risk, it's about making the business more agile," he said.
With that in mind, organizations with mature information governance programs have several things in common. Typically, there is an established information governance council and a prominent executive sponsor of the effort, preferably someone who is part of top management and has influence and decision-making power that transcends organizational fiefdoms. Other common attributes include a clear understanding of who owns and is accountable for sets of information, established roles for assessing the sensitivity of information, and codified classification levels and policies that dictate who has access to what information, Weintraub said.
Another key step to ensuring information governance success is tying the program and its expected benefits to the business.
"If you fail to associate the reasons [for information governance] with business value, if I can't see a connection to the business, it will be hard," said Susan Hanley, founder and president of Susan Hanley LLC, a consultancy in Bethesda, Md., that specializes in deployments of SharePoint portal and collaboration systems. "There shouldn't be governance rules that seem arbitrary or nice to have, because people won't be able to make a connection."
Lack of a tech fix complicates things
The reality that information governance spans multiple departments and that there is no single technology fix for governance issues also complicates matters. Unlike a problem such as password security, which can be solved by requiring employees to choose complex passwords or by employing software to automatically lock down systems, enforcing information governance policies isn't as cut and dried.
"There's no switch to turn on or product to buy," said Barclay Blair, president and founder of ViaLumina Group, a New York-based consultancy that focuses on information governance. "It's a combination of human and technical solutions, and it's one of these horribly complex things from an organizational perspective that requires expertise and participation from multiple parts of the company. That makes it instantly complex."
For organizations that don't have a culture of centralized decision making, or ones in which there isn't a prominent executive championing the information governance cause, it's particularly difficult for any fledgling program to gain traction. People likely won't want to make the time to go the extra mile typically required by good information governance practices unless they feel compelled to, and it's rare that rewards or accolades are handed out for complying with a governance program.
"Information governance is hard because it's disruptive and it forces people to comply with rigor and structure—it disturbs the way you work," Weintraub said. "It puts enforcements and policies in place, and no one wants that."
Beth Stackpole is a freelance writer who has been covering the intersection of technology and business for 25-plus years for a variety of trade and business publications and websites.