There has been a great deal of confusion around the term information governance (IG) and how it is often confused with other similar industry terms, such as information technology (IT) governance and data governance. The few texts that exist have compounded the confusion by offering a limited definition of IG or, sometimes, offering a definition of IG that is just plain incorrect, often confusing it with simple data governance. I will provide clear definitions of these related terms in this post.

IG is policy-based control of information to meet all legal, regulatory, risk and business demands. That means that information is kept as long as required by regulations and laws, or internal business needs and risk assessments, then it is discarded according to an established retention and disposition schedule. This reduces risks and costs since less information is housed and the potential legal risk lurking in information that has lost business value is mediated. The information that remains has business value and can be leveraged to create new insights that feed into management decisions. Another definition from the IG Initiative states “The activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs.” This definition emphasizes finding and exploiting value in information, while keeping costs and risks as low as possible.

Corporate governance is the highest level of governance in an organization and a key aspect of it is IG. IG processes are higher level than the details of IT governance and much higher than data governance, but both data and IT governance can be (and should be) a part of an overall IG program. The IG approach to governance focuses not on detailed IT or data capture and quality processes but rather on controlling the information that is generated by IT and office systems.

IT governance

An overall IG program should include IT governance. Most people in the IG space miss this point. IT governance is the primary way that stakeholders can ensure that investments in IT create business value and contribute toward meeting business objectives. This strategic alignment of IT with the business is challenging yet essential. IT governance programs go further and aim to elevate IT performance and deliver optimum business value, while meeting regulatory compliance demands.

Although the CIO typically has line responsibility for implementing IT governance, the CEO and board of directors must receive reports and updates to discharge their responsibilities for IT governance and to see that the program is functioning well and providing business benefits.

MORE: IT Risks Are Prevalent: Do You Have Enough IT Audit Coverage?

Typically, in past decades, board members did not get involved in overseeing IT governance. But today it is a critical and unavoidable responsibility. According to the IT Governance Institute’s
Board Briefing on IT Governance, “IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.”

The focus is on the actual software development and maintenance activities of the IT department or function, and IT governance efforts focus on making IT efficient and effective. That means minimizing costs by following proven software development methodologies and best practices, principles of data governance and information quality and project management best practices while aligning IT efforts with the business objectives of the organization.

Several IT governance frameworks can be used as a guide to implementing an IT governance program. Although frameworks and guidance like CobiT®, ITIL and ISO 38500 have been widely adopted, there is no absolute standard IT governance framework; the combination that works best for an organization depends on business factors, corporate culture, IT maturity and staffing capability. The level of implementation of these frameworks will also vary by organization.

Data governance

A data governance program should be a part of an overall IG program. Data governance involves processes and controls to ensure that information at the data level—raw alphanumeric characters that the organization is gathering and inputting—is true and accurate and unique (not redundant). It involves data cleansing (or data scrubbing) to strip out corrupted, inaccurate or extraneous data and de-uplication to eliminate redundant occurrences of data.

Data governance focuses on information quality from the ground up at the lowest or root level, so that subsequent reports, analyses and conclusions are based on clean, reliable, trusted data (or records) in database tables. Data governance is the most rudimentary level at which to implement information governance. Data governance efforts seek to ensure that formal management controls—systems, processes and accountable employees who are stewards and custodians of the data—are implemented to govern critical data assets to improve data quality and to avoid negative downstream effects of poor data. The biggest negative consequence of poor or inaccurate data is poorly and inaccurately based decisions.

Data governance is a newer, hybrid quality control discipline that includes elements of data quality, data management, IG policy development, business process improvement and compliance and risk management.

Summing up the differences

IG consists of the overarching polices and processes to optimize and leverage information while keeping it secure and meeting legal and privacy obligations in alignment with stated organizational business objectives. IT governance consists of following established frameworks and best practices to gain the most leverage and benefit out of IT investments and support accomplishment of business objectives. Data governance consists of the processes, methods and techniques to ensure that data is of high quality, reliable and unique (not duplicated), so that downstream uses in reports and databases are more trusted and accurate. Once the definitions of these three information-related governance disciplines are clear, their differences become more distinct.

Robert Smallwood is a founding partner of IMERGE Consulting and executive director of the E-Records Institute. Follow him on Twitter @RobertSmallwood