Information Governance: the Risks of Getting it Wrong

“So what are your thoughts about how to build the business case for implementing good records and information practices and processes using an electronic document records management system?” I enquired of the client.

“It’s simple” she said. “It’s a compliance issue.”

Not compliance, I thought. That is not going to cut it.

“Hmm,” I mused out loud. “Are there any occasions where inconsistent data or the unavailability of information or the late access to full information causes harm to people or even death?”

“Oh yes,” came the reply. “Death is known to have occurred.”

Information Governance is often seen as maintaining compliance. For example, the means by which we protect personal information from being revealed to others without authority to do so. However, it is much more than that.

It is about reducing the risks – as in the case above – of allowing harm to befall people, assets, or the environment, or indeed the reputation of our organisation.

Even more than that though, it is about managing information as an asset, ensuring that we, as an organisation, manage our information in a manner consistent with our organisational strategy and desired organisational culture. It is about developing practices, with the underlying policies, processes, and procedures required to support them, that are subject to continuous improvement as new trends emerge internally and externally.

An information governance framework

Creating and sustaining an Information Asset Governance Framework contains six key components (See Fig 1):

  • Strategy
  • Policy
  • Systems
  • Support
  • Quality assurance
  • Continuous improvement

article - unlocking value information - asset governance

Figure 1: Information Governance Framework

Weaknesses in each component of the framework can lead to undesirable and at times unconscionable unintended consequences.


A study by Forbes (Forbes, 2014) revealed that 85% of their survey respondents agreed that their organisations treated information as a strategic asset and nearly all 95% believed that information management was essential to business success. However, the way that organisations acted – as reported by the same study – indicates that what they actually did compared with what they wished they did are a long way apart.

The report states: “When asked where responsibility for data quality resided, 79% of the IT managers said it was with IT, but 74% of the finance, sales, and marketing, respondents said it was their own job to assure data quality.” Unsurprisingly, the fragmentation of data ownership was seen as the number one impediment (41%) in creating an enterprise information management programme.

If organisations cannot agree, and do not set in place a set of actions to agree who owns an asset, they cannot be serious about managing information as an asset.

The implications for failure at this very first step of determining the strategy for managing information assets is that the criteria for making all subsequent decisions are never set and decisions are made on an ad-hoc basis. Often these decisions are made with vested interests at heart, creating a patchwork quilt of data and information systems with no intent of ever having a single source of truth. Once, I found more than a hundred disparate systems and formal databases – without even a single sketch of what the information architecture is supposed to be – masquerading as an information system.

The leaders of most organisations must stop fooling themselves into believing that they treat information as an asset. They must confront the reality that they pay lip service to the importance of information except when poor information management causes a hot issue to which they are forced to respond by their stakeholders. They must look at the actions of the organisation and, if they are serious, spend some time and effort determining their information management strategy, ensuring it is aligned with their organisational strategy.

Without a coherent information asset strategy, the impact on customers, staff, regulatory compliance, business process efficiency and effectiveness will be all too familiar and negative.


An information governance structure should have policies regarding both structured (e.g. customer database) and unstructured (e.g. emails) data. The policies should cover accountability and responsibility for the information ownership, quality, and lifecycle treatment including security classification, retention, and disposal.

Policies provide the rules by which information is managed. Processes and procedures provide written guidance for all staff on how to execute their roles and manage information in line with the corporate and information asset management strategies. For example, contract processes need to be aligned with policies governing vendor information.

When policies are non-existent or lax, staff are unclear about what they are to do. People who believe in the benefits of managing information assets will create their own version of information management processes and procedures without any guidance provided by a policy context. People who do not prioritise the management of information assets will do the minimum required to have access to their own information in a manner that suits them.

The result of this set of circumstances in large organisations is a multitude of isolated and inconsistently applied information management practices with poor access to important information beyond individuals and teams. When people leave the organisation, their knowledge leaves with them including where to find information.


Systems should be selected based on their functionality and ease of use. The required functionality should be determined based on how information assets can be best managed to improve productivity, offer better internal and external services, and reduce risk in line with both the organisation strategy and the information management strategy.

This means taking into account existing and proposed business systems and understanding how they manage information (usually structured information), and not falling into the trap of considering an electronic document and records management system as ‘The’ system.

Having a narrow view of ‘The’ system causes organisations to fall into silos of information with a three way competition between IT, the business, and the records and information management team over how information should be managed. In turn this causes myths and stories abound over what each pet grouping of systems can and cannot do. As a result, organisations fail to take advantage of the capability of systems reducing their overall efficiency and effectiveness in their management of information assets.

For example, we have experienced instances where the Legal department held fiercely on to their perceived need for a specialist case management system, when an existing EDRMS could be configured to perform the same functions, with enhanced access and control of access to key information related to any particular legal matter. Whilst notes about decisions and the timeline of actions taken in regard to a previous matter were easily available in the case management system, the related documents which provided the context to the decision were not, and had to be separately searched for in other systems including shared drives. The end result of not taking a holistic view of information assets and their management and the real capabilities of systems, resulted, in this example, in duplicated research efforts and potentially flawed decision making through the context of decisions regarding of previous legal matters not being readily available.


Support is a key element of a governance framework. It is insufficient to build a governance framework with formal controls of strategy, policies, processes and systems and expect it to be used. A governance framework should ensure that not only are the elements of formal control in place but that the people related informal controls that drive high adoption rates are in place as well.

Support components include but not limited to:

  • training content and delivery;
  • communications plan and content;
  • change management approach;
  • Help Desk resourcing;
  • Super Users; and
  • procedures and processes for accessing support.

These components and others like them should be formalised as part of the governance framework.

When these components are left to chance, the spectre of low adoption levels so prevalent in the management of information assets becomes a reality, and the strength of the governance framework when observed through the lens of what people actually do, looks incredibly weak.

Quality assurance

It is insufficient for an information governance framework to limit its view of quality assurance to the capture of records and their correct titling, or to the quality of structured data.

Quality assurance should capture these elements, but needs to go much further and set up processes to capture how well information assets are being managed. It also needs to report on how well that management is delivering in terms of better services, higher productivity, and reduced risk. Where it is not delivering, quality assurance should then set in train processes for improvement to reach the goals and objectives of the organisation strategy and information strategy.

When quality assurance only measures the quality of the information assets, and not the quality of their management and the outcomes of that management, the return on investment of managing assets is insecure. Can you imagine a quality assurance system measuring the adherence to specification of a new piece of plant on a factory floor and not measuring the results achieved from using the machine?

If we do not measure the outcomes of managing our information assets we also place ourselves in a position of finding it difficult to justify further investment.

Continuous improvement

Strategy should be reviewed each year and revised every three years – or more often in fast-changing environments. Hence, the final link in an information asset management governance framework is continuous improvement. Without this link from a formal quality assurance system and formal evaluation of external opportunities and threats, strategy stagnates.

The consequences are missed opportunities of adapting existing information asset management practices to new realities or adopting whole new approaches which unlock previously unforeseen value in information assets.

Overall business impact

When information asset management is immature, both public sector and commercial ‘businesses’ suffer from losses in:

  • Risk management. For example:
    • Inability to access full credit history leading to continuing incorrect risk assessment
    • Regulatory compliance violations
    • Privacy violations
    • Inability to access latest engineering drawings leading to unsafe acts causing injury or death
    • Loss of ability to self-insure for workers compensation because of missing data and records
  • Service provision. For example:
    • Reduced ease of interaction for customers
    • Reduced ease of interaction for employees
    • Inability to segment customers and match services to segments
    • Inability to measure impact of policy and process change
  • Productivity. For example:
    • Inability to complete spend analysis by supplier
    • Reduced ability to automate processes reliant on data
    • Reduced ability to analyse maintenance schedules and plan maintenance
    • Inability to review plant production and supply chain interaction to reduce lead times and reduce stock levels

Whilst Big Data is the latest flavour in town causing CEOs to belatedly look at information asset management, at least in a narrow field, the need to manage information assets properly has been evident for a long time. It is fair to say that until information is regarded as an asset and appropriate governance structures are put in place, all organisations will continue to operate at a sub-optimal level: a sub-optimal level that is known to cause death and injury, financial loss, reputational loss and environmental loss.

Works Cited

Forbes. (2014, September). Managing Information in the Enterprise: Perspectives for Business Leaders. Retrieved from Forbes:



Comments are closed.