May 9, 2017

An Information Governance Program is the Best Way to Mitigate Risk


Risk is a scary word for any organization, and many will go to great lengths to avoid it, especially when the discussion turns to information risk, which is chock-full of serious consequences. The best way to mitigate information risk, however, is a solid information governance program.

Planning and Considerations

A successful information governance program requires foresight and planning. The program's vision needs to cover not only the entire organization but also the way information will be handled in the future. It is important to consider the workflows and processes different types of information go through.

Reduce volume

As we all know, data is being created at exponentially increasing rates, and that new data is being added to the existing ROT data clogging up a company's storage. This means an organization needs to establish an overarching and complete information governance plan that involves every business unit. Automation is a requirement given the amount of data that needs to be governed. This ensures less reliance on employees to not only take the time to classify records, but to do so correctly.

Additionally, integrating this program into existing workflows will drastically increase adherence and compliance. By not forcing your users to greatly alter their daily activity, they are more likely to participate fully. Clear and simple direction on the process and expected outcomes of your information governance program will also keep everyone on the same page.

Locate your information

The business must understand where its data, especially data classified as records, is located and what the stages of those records' lifecycle look like. It is also important to know who is generating this data, who has access to it and how it is being transferred. There must be a complete picture of what a record looks like throughout its useful life and what is done with it after its usefulness has expired.

As a basic example, keeping personally identifiable information (PII) separate and locked down to only certain departments or employees is a simple step that must be taken, not only because of the potential harm to an individual but also because of the liability the organization could face in the case of a breach.

Structuring data

Most data is unstructured within a typical organization. This is the root of the problems faced when attempting to retrieve the proper information. The first step is working with the department directors to establish which types of documents are critical and declared as records.

Once that has been established, these content types will need to be included in the overall file plan and the proper metadata must be included when these records are being declared. This not only eliminates confusion, it is the engine that allows automated information governance software to correctly apply policies to records.

Legacy data

As for the legacy data your company currently has, the decision on how that should be handled is best made case by case. Sometimes an entire obsolete repository or library can be disposed of without fear of losing business-critical information, but unfortunately it is rarely that simple.

Understanding these challenges, many organizations are choosing not to migrate to a central repository, thus eliminating the need to make wholesale changes to the current storage structure. Addressing existing records is an area that is crucial to the overall go-forward information governance strategy.

Potential Issues


Anyone who has been part of the corporate world unfortunately understands the issue of silos. It's no exception when it comes to information governance. Without an overarching strategy throughout the enterprise, any IG program is bound to fail. Being truly compliant requires buy-in from every business unit and the entire executive team.

Another issue with these silos is a misunderstanding about the ownership of the information.

Does IT own it since it's in a digital format and sits on the servers (or cloud) that they control? Is it the legal department's responsibility as they are in charge of compliance? What about the records department? Do they have the authority to control this information that is used by nearly every business unit?

Unfortunately, the questions above are easier asked than answered. That being said, simply asking these questions is a good first step. The next big hurdle is actually creating an information governance team or task force to initiate, implement and manage the company's IG program.


Redundant, obsolete and trivial (ROT) data is ubiquitous within every organization. In addition to being a thorn in the side of the records management team, it significantly hampers the ability of everyday users to be efficient and the effective execution of an IG program. The chart below explains the potential risk of ROT data as well. As time passes, this data loses its value while costing the organization both financially and from a compliance perspective.

As mentioned above, risk associated with ungoverned data is a major concern. Even though storage is relatively cheap, finding that data later in the instance of pending litigation can be extremely costly. In fact, although it only costs 20 cents a day for a gigabyte of storage, it costs around $3,500 for eDiscovery review of that same gigabyte of storage.

Finally, ROT data is susceptible to a data breach, whether that is from a hacker or an accidental internal leak. 39 percent of IT professionals said they have dealt with an employee accessing unauthorized parts of a company's network or facility.1


Speaking of employees, they don't make information governance any easier. Everyday users of information are generally never educated on proper governance procedures or policies. As it is not part of their core competency, IG unsurprisingly receives a lower priority during their day.

To be fair to these employees, they were not hired by the company because of their proficiency in information governance.

The VP of Sales wants his salespeople driving revenue, not meticulously reviewing old data to assess its value or compliance risk. Again, this is where oversight from an IG task force is required. Simply setting clear policies for every type of document or record will inform a master file plan for the organization. Here's a file plan template example for reference.

On top of that, users' lost productivity from being unable to find the right documents can cost companies an incredible sum. Assuming an average workweek of 41.8 hours with an annual salary of $80,000, the cost of time wasted searching and not finding data is $5,700 per worker per year. That means for an organization with 1,000 knowledge workers, $5.7 million is wasted annually.2

A Balancing Act

Managing risk and running a successful information governance program is a lot easier said than done. There will be sacrifices and compromises that must be made. Pushing forward your IG goals may not always make you the most popular person in the office.

As mentioned above, keep in mind that the information governance program will not be a priority to most of your organization's employees. In fact, it may be a completely new concept to many of them. Patience, as well as understanding their point of view, will be critical.

Finally, be able to step back and be objective. Ruthlessly eliminate any process in the IG program that causes more inefficiency compared to the risk being mitigated. A complete information governance program will take time to implement, but the end result will prove invaluable.
