Information governance policy issue: Who owns a governance program?

An information governance program could be led by IT, the legal department or a business unit. And for many companies, ownership questions may not be entirely clear, analysts say.

Because successful information governance efforts are ongoing programs rather than projects with finite endings, the question of ownership is an elemental one. Someone has to secure funding, make the difficult decisions and ultimately take responsibility for an organization’s information governance policy development and enforcement processes.

In certain situations the legal department can provide an easy starting point, but the process still demands some careful thinking.

“In risk-averse or highly litigious companies, the legal department should own the information governance program, but they should hire an information management person at a high level,” said Debra Logan, an enterprise information management and governance analyst at Gartner Inc. “Lawyers understand the risk and need and they will delegate responsibility – they have a hammer and see the nails that are sticking up.”

When an information governance program is owned by a legal department, its shape tends to be focused on hunkering down to mitigate risk rather than also being open to business value, she said.

“We’ve also seen other ownership succeed in companies where data gathering costs a lot – like in oil and gas exploration. So we see these industries put geophysicists in charge of information management because there’s real business value they can demonstrate,” Logan said. Gartner has seen less traditional owners in financial services and pharmaceutical companies, too.

For most companies, though, questions of ownership are rarely clear.

“Many executives mistakenly assume that the person on the management team with ‘information’ in his or her title is taking care of the information management problem,” said Barclay Blair, president and founder of consulting and professional services firm ViaLumina Group. “However, while most CIOs view infrastructure – software, hardware, cables – as their problem, they consider the information flowing through that infrastructure to be someone else’s problem – usually the people who created the information. On the flip side, most group managers say that they do not have the authority, knowledge or money to control what happens in IT.”

Information governance policy needs can influence ownership strategies
“Ownership of governance depends on the need, pain or problem that it’s slated to address. Sometimes it’s the risk management organization. Sometimes it’s marketing. Sometimes the CEO is actually saying ‘Clean this up,’” said Jill Dyche, a partner and co-founder of Baseline Consulting Group Inc. “In any of these cases, the ownership is temporary: Governance should ultimately be cross-functional and systemic.”

The simplest answer would seem to be insisting that business unit own the information governance framework because they derive value from information. That’s not happening.

“The executive sponsor more often than not ends up being the CIO or someone downstream,” said Rob Karel, principal analyst for data management at Forrester Research Inc. “IT is often the first group that has shared cross-enterprise visibility because they are building shared architectures and services to support multiple lines of business. So very often it’s the CIO who ‘gets’ it first. They can be evangelists or the sponsor, but what they can’t do to ensure success is own the results.

CIOs still need to work with their C-level peers, to take ownership and accountability and open up resources. Business stakeholders need to articulate the impact and opportunities that high-quality trusted information can deliver – and that collaboration between business and IT is what will make an information governance strategy successful, Karel added.

So, why doesn’t a records and information management group own the information governance process? They can and do.

“The successful records and information management teams all live under the CIO and they play the role of bringing the business view to the information governance program,” said Barry Murphy, an information governance consultant and CEO of the online publication eDiscovery Journal. “They understand how users consume information, how they classify and store it, and they can go to legal and describe the regulations and decisions legal needs to make. We’ve seen too often that if legal writes the policy, it’s 45 pages of legalese.”

CIOs can get a budget and lean on legal for budget approval, Murphy added.

“When legal owns information governance, it’s usually very e-discovery-centric and is about the information that goes out to law firms – not business information that exists and the risk within it,” he said.

Once an organization decides who is ultimately responsible for an information governance program, the next step is to get people working – but these team structures are rife with pitfalls.

“Very often people will set up elaborate data structures and data stewards and policy documents around how data stewards are supposed to behave, and then say, ‘We recognize that they have day jobs, so we won’t measure them on their performance with the data,’” said Gartner analyst Anne Lapkin. “Well, if you do this, you’ve just guaranteed they won’t take information governance seriously.”

Smart organizations, Lapkin says, should write people’s data quality and data stewardship obligations into their job descriptions and make it part of their performance metrics. This doesn’t mean rewriting everyone’s job descriptions in a massive change.

“Start by finding the minimum you have to do to have an impact, and then you move out from there,” Lapkin said. “The worst thing you can do is to start out by setting up an elaborate structure and then expecting data quality to automatically improve.”

The culture conundrum and its effect on information governance policy
Perhaps the most daunting issue for an information governance program is a well-entrenched company culture.

“Implementing information governance into the culture is much harder than implementing information governance technology,” Blair said. “For many years organizations have effectively allowed knowledge workers to create, use, retain and destroy digital information with almost no enforced rules or effective controls. Information governance seeks to change that. It is not an easy change.”

“Just think about how you personally view your email at work. Even the most enlightened information governance practitioners probably feel a stab of angst at the idea of someone – or some policy – dictating how they manage their email. Multiply this feeling across hundreds or thousands of less information-governance-enlightened employees, and the change management challenge becomes clear,” Blair said.

Make sure an information governance strategy fits within your existing culture, rather than using data governance as a vehicle to change the culture, Dyche said.

“Show me a data governance program that’s too disruptive, and I’ll show you one that doesn’t get traction,” she said. “Know enough about your culture to understand whether it relies on top-down decisions or bottom-up action, and design the data governance program so that you can socialize it into the culture as opposed to making cultural exceptions to enact data governance.”

However, Murphy countered that simply raising awareness of issues has the power to shape culture.

“Organizations that get policy right tend to shape a culture so that everyone is aware of the risks and their duties in managing information,” he said. “So the creation of a policy around Twitter or Facebook for work purposes will get people thinking. There needs to be an awareness of acceptable policy, and too few don’t create acceptable use policies or don’t create realistic ones.”

Chris Maxcer is a freelance writer.

Dig Deeper on Information governance best practices