An information governance (IG) program framework is a glorified checklist that’s designed to make sure you address the individually necessary and jointly sufficient conditions for the success of your IG program. There are many activities that have to be planned and managed, and you really need a master plan to ensure that everything gets taken care of.
The IG Program Framework
This figure shows the eight interrelated program categories and components:
Following are descriptions of each of the eight program categories and components.
Overall Program and Framework Strategy: The overall vision and strategy for managing compliance and risk at an organization. This strategy should individually address and collectively prioritize and align the various initiatives and rules addressing governance, risk management, and compliance (GRC). It should address any gaps that may exist and establish, at a high level, general principles for the resources the organization will apply to the program.
Policies and Procedures: The organization’s “rules” for how organizational compliance should be managed and governed. These include the policies that the organization and its employees must follow (the “what”) and the accompanying procedures for complying with the policy (the “how”).
Processes and Operations: The overall processes and operations used to support organizational compliance. These include processes to evaluate the maturity of the various compliance domains and to remediate any control gaps, as well as more specialized processes such as discovery.
Information Technology and Management: The tools and technologies that are used or leveraged for managing information and enabling its retention, accessibility, security, protection, and disposition. This can include technologies and capabilities for enterprise content management (ECM), enterprise data management (EDM), GRC, records management (RM), data archiving, information security, e-discovery, and others.
Physical Assets and Environment: The controls for physical and environmental security, and asset identification and classification.
Roles and Responsibilities: The organizational structure and roles for the compliance program and the various compliance domains, and the roles and responsibilities for the individual business units as they pertain to the compliance disciplines.
Metrics, Measurement, and Monitoring: The auditing, monitoring, measurement, and reporting of the organizational compliance program.
Communications and Training: The mechanisms and methods used to educate the user community and improve compliance and adoption of the procedures and solutions that support the organizational compliance program.
So that’s the framework. In an upcoming post, I’ll be outlining a set of best practices (i.e., the characteristics of organizations with highly effective IG and compliance programs) that you can use as a starting point if you’re in the process of implementing an IG program at your organization, or if you’d like to assess the effectiveness of an existing IG program.