In my last post, I talked about underlying principles of Information Governance. In this post, I will present two popular Information Governance models.
The Information Governance Reference Model (IGRM)
The IGRM was developed by EDRM, now a part of the Duke Law Center for Judicial Studies, which creates practical resources to improve e-discovery and information governance. EDRM developed this model to create a framework by which to bring together the key players in information governance:
- Business users who need information to operate the organization,
- IT departments who must implement the mechanics of information management, and
- Legal, risk, and regulatory departments who understand the organization’s duty to preserve information beyond its immediate business value.
IGRM represents the functional areas that are directly responsible for the governance of information across an enterprise:
- Legal: Responsible for determining the risk profile of an organization based on litigation exposures, international privacy requirements, intellectual property protection, working environment, and more.
- Discovery: Responsible for the communication, instruction, and coordination with business units or individuals related to information that must be located, preserved, and produced to satisfy litigation requirements.
- Risk: Responsible for the protection of the organization’s brand, finances, and operations by managing and mitigating risk exposures. This requires a full understanding of the organization’s risk profile (litigation, investigations, regulatory requirements, protection of private information, and protection of intellectual property).
- Compliance: Responsible for ensuring that the organization is aware of, and meets, the requirements of rules and regulations imposed by a variety of authorities (federal, state/provincial, and local governments; regulatory agencies; data privacy authorities; and industry groups).
- RIM: Responsible for the development and publication of the RIM Program policy for paper and electronic records.
- IT: Responsible for the management of the high volume of data being created and received, and the reduction of costs, particularly around redundant technologies and storage.
- Privacy: Responsible for managing the risks and business impacts of privacy laws and policies, and the use of personally identifiable information.
- Security: Responsible for the development, implementation, and management of the organization’s security vision, strategy, policy, and programs.
- Information Architecture: Responsible for the organization of information and database development to support the business needs.
- Business: Responsible for compliance with the Information Governance policies.
The Generally Accepted Recordkeeping Principles (The Principles) were created by ARMA International as a common set of principles that describe the conditions under which business records and related information should be maintained. The Principles were designed to guide:
- CEOs in determining how to protect their organizations in the use of information assets;
- Legislators in crafting legislation meant to hold organizations accountable; and
- Records management professionals in designing comprehensive and effective records management programs.
The Principles are:
- Accountability: A senior executive oversees the information governance program. The organization adopts policies and procedures to guide personnel and ensure that the program can be audited.
- Transparency: An organization’s business processes and activities are documented in an open and verifiable manner, and available to all personnel and appropriate interested parties.
- Integrity: Information generated by, or managed for, the organization has a reasonable and suitable guarantee of authenticity and reliability.
- Protection: Protection of records and information that are private, confidential, privileged, secret, classified, essential to business continuity, or that otherwise require protection.
- Compliance: Compliance with applicable laws and other binding authorities, as well as with the organization’s policies.
- Availability: Maintenance of records and information in a manner that ensures timely, efficient, and accurate retrieval of needed information.
- Retention: Records and information are kept for an appropriate time, taking into account legal, regulatory, fiscal, operational, and historical requirements.
- Disposition: Appropriate disposition for records and information that are no longer required to be maintained by applicable laws and the organization’s policies.
Dr. Louise Spiteri
Master of Information Management at Dalhousie University