Data and other information assets are the lifeblood of any organization; yet, rarely are they comprehensively managed as critical assets. These assets are balkanized within lines of business and in functional areas across organizations. They reside in data centers; in devices such as cell phones, laptops and thumb drives; in the cloud; on paper; and elsewhere. Unless organizations understand these assets, they cannot fully protect and monetize them. One C-level executive should be empowered to sustain a comprehensive information governance program, and there has been neither a more important time, nor a bigger opportunity, to do so.
Data breaches are on the rise, and they are indicative of weak controls that can ignite regulatory responses and cost organizations dearly. For the Chief Executive Officer and Chief Financial Officer, breaches can mean much more than just diminished brand value or reputational damage.
First, the recently updated internal control framework that is a foundation of Sarbanes-Oxley makes breaches a cause for possible criminal liability. Second, the Federal Trade Commission (FTC) has brought over 50 cases against companies that have exercised poor housekeeping of consumers’ personal information, leading to expensive settlements. Third, the U.S. Securities and Exchange Commission’s (SEC’s) cybersecurity enforcement actions thus far have been focused on financial institutions, but growing congressional pressure may lead to broader activity. There is an alphabet soup of other regulations that obligate organizations to maintain data more securely. However, regulators are not the bad guys here; it’s the hackers and other bad actors that compromise data security and trigger costs beyond the regulatory pain. Regardless of the motivation, organizations must adjust to a new style of Information Technology by getting visibility and control over their data and information assets.
The opportunities to create value from information governance are tremendous. Organizations are rapidly outgrowing IT architectures built around relational databases and structured data. New platforms and tools can help people collect, prepare, analyze and visualize huge amounts of data, including unstructured data developed from social media, Internet of Things sensors, and other touch points that yield valuable new insights on consumer behavior. These platforms and tools are collaborative and intuitive to operate, so executives and analysts in the lines of business can more quickly make smarter decisions without having to rely on Finance or IT to get them information. Now that organizations can close the books on time, they should more quickly derive richer insights about the future, not just the past.
Information governance technology, people and processes reduce cybersecurity, litigation, compliance and other risks and create value through the use of emerging data analytic tools and practices. A successful information governance program leader would command the respect of the organization’s C-level executives, and align everyone with interests in data across the lines of business and functional support areas. The Finance, IT and Legal areas produce the most likely candidates for a role in information governance, and the ideal candidate would have familiarity with all three, and perhaps others.
Chief Financial Officers are recognized as the stewards of company assets. They are first in line when it comes to understanding and accommodating the demands of Sarbanes-Oxley, the SEC, the FTC and other regulators. CFOs are familiar to the Board’s Audit Committee, and they must confront the growing evidence of weak controls that data breaches represent. CFOs are the architects of the chart of accounts and key data repositories like enterprise resource planning systems. With their Controller, they make sure the books get closed on time each month, and their Internal Audit staff ensures compliance with control procedures. They are naturally data-driven as they not only marshal budgets but also design and review key performance indicators. They develop insights from data in business intelligence and predictive analytics exercises. The CFO’s team also includes enterprise risk managers, who have a vested interest in maintaining secure data and the means by which residual risk can be transferred with insurance.
Chief Information Officers are closely associated with data, especially with regard to the infrastructure and operating systems that carry the data and store it when it’s at rest. Security is a natural and all-consuming function and, at larger organizations, Chief Information Security Officers also get involved. They apply technology management standards and frameworks from NIST, SANS, COBIT (ISACA), ISO and ITIL, among others. CIOs assess and deploy data analytics tools that lead to value creation. They are responsible for managing the licensed software and hardware assets, as well as software-as-a-service applications (SaaS apps) and cloud hosts. Data is really just another asset they need to manage.
General Counsels bring a pronounced sensitivity to privacy and compliance issues that makes them comfortable with information governance responsibilities. Records and information management, including retention policies, often originate from this group. Operating with a ‘lean data’ mentality, they drive lower storage costs, as well as greater efficiency and accuracy in accessing content. Their central role in litigation and due diligence makes them no strangers to evolving eDiscovery, archiving and other technologies to manage data and information assets. Armed with knowledge of the law, they carry weight in any organization, and can drive policy enforcement in ways that other groups respect. They shepherd the innovation process when they work with developers of intellectual property.
The person running information governance will confront conflicts when balancing the interests of risk mitigation and value creation. For example, the legal side of the house generally advocates ‘less is more.’ They are more likely to champion records retention policies that eliminate the potentially embarrassing email that they would prefer not be discovered one day. Business analysts, on the other hand, are never quite sure what data they might need one day, so they would just as soon keep it all, especially as storage costs continue to decline rapidly and analytical tools become more powerful and user friendly.
Chief Information Governance Officers are starting to emerge at large organizations today, and their role in risk mitigation and value creation can be tremendous. More prevalent, but narrower, roles include Chief Digital Officers, who tend to come from Marketing backgrounds, and Chief Data Officers, who tend to concentrate on structured data and analytics. Many organizations feel they cannot afford yet another C-level position but, at the very least, one C-level executive should carry the responsibility for comprehensive information governance. Who should “own” data and the information governance process at your organization?