Technology | Information Governance
Jason R. Baron
Of Counsel at Drinker, Biddle & Reath LLP and Co-chair of the Information Governance Initiative
52 Ethical Boardroom | Winter 2017

Information governance oversight: Questions for board members to ask

Good IG isn’t just about protecting an organisation from data breach. Information challenges are many and various – and someone needs to own responsibility for them

What keeps you up at night? Increasingly, the answer for board members and CEOs is the risk of a cyber breach. A variation on an online meme that has gone viral more than adequately sums up this concern: “There are only two kinds of companies: those that have been hacked and those that will be.” Accordingly, in the governance space we have recently seen emerge a variety of calls for boards of directors to be asking questions of their CEOs, CISOs and CIOs about how companies are preparing for breaches and how they will deal with their aftermath through agreed protocols.

But while factoring in cyber risk is an increasingly real part of the corporate world, arguably there is an even more fundamental material weakness across the enterprise that boards of directors should be addressing: the company’s lack of a clear information governance strategy or framework for decision-making. Information governance (IG) has been defined as “the activities and technologies that organisations employ to maximise the value of their information while minimising risks and costs”.1 Of course, a part of the overall risk posed by data is the possibility of cyber breach. But there is much more to information governance than simply addressing one’s security concerns. At bottom, there are the questions of why and how data has been left to accumulate in the first place and what policies are in place to manage and control its continued growth. Indeed, there are a host of overlapping issues surrounding not only security and preservation of data but also touching on data sensitivities and privacy, access to data in litigation and investigations, regulatory compliance and, increasingly, performing analytics for the purpose of monetising corporate data assets. Various facets of IG are displayed in the ‘pinwheel’ (see Figure 1, page 54).

Board focus on cyber breach issues alone is a start, but high-level attention should be paid to a much broader range of technical and policy issues touching on all aspects of the overall corporate data environment. Hence, our objective here is: what questions should board members be asking in performing their oversight role to ensure that senior corporate executives incorporate IG best practices?
Who is performing the IG function inside the company?
In its 2016 Annual Report, the Information Governance Initiative (IGI) – a think tank and vendor-neutral consortium formed in 2014 – found a serious leadership gap in IG. The survey revealed that a surprisingly low number of organisations (only some 37 per cent) have an IG steering committee or similar cross-functional group in place to deal with information-related issues. However, regardless of whether such a committee exists, 67 per cent of survey responders agreed that information governance should be delegated to a single senior executive with information governance in his or her title.

Consistent with its survey results, the IGI has championed the idea of creating the position of Chief Information Governance Officer (CIGO) within corporations, where that individual is charged with owning and coordinating the solutions to complex and overlapping information challenges. In many cases, no one ‘owns’ specific information problems as they arise – certainly not in the same way as a CISO owns information security. So too, in most organisations a vast amount of data accumulates but is inaccessible or unknown to senior management. The three primary gaps within the corporate space that a CIGO (or similarly titled individual) would fill include: (i) information-focussed leadership; (ii) organisation-wide information coordination; and (iii) being a balancer of information value and risk.

In demonstration of an emerging trend towards corporate adoption of the idea of a designated IG individual, in the past two years more than 140 IG executives and leaders (with IG in their business card titles) have participated in CIGO summits held in Chicago, where they contributed to building out what has become a playbook on what it takes to be an IG leader and what constitutes IG success.2

Accordingly, board members should be asking their CEO at the outset of any conversation about corporate IG practice: