Principles for assessing an IG Program.

• Author: Gable, Julie
• Position: THE PRINCIPLES - Information governance

Assessing an information governance program is an exercise in gathering information, interpreting it, and using it to strategize the best course for improvement. It requires thoughtful planning and decision making to determine the correct scope, participants, and methodology, and it is best done as a team effort.

It shouldn't be overwhelming to determine how well an information governance (IG) program is doing. Yet, gathering the information needed to get an accurate picture of an IG program can be a time-consuming and perplexing proposition. With the right preparation and tools, it needn't be.

Purpose of Assessment

The point of any program assessment is to determine what guidance is in place, whether it is adequate for its intended purpose, and whether or not it's actually working.

Some industry sectors, such as financial services, must self-assess to demonstrate that they are doing everything necessary to have a mature governance program. Others must self-assess for particular aspects of IG. For example, healthcare providers in the United Kingdom must self-assess the privacy and protection they provide for collecting, storing, and sharing personally identifiable information (PII).

Types of Assessment

Assessments can take several forms. Peer comparison by benchmarking with other organizations in your industry can be as informal as a conversation with colleagues at a professional meeting, or it can be as structured as participating in an exercise with a consortium or a fee-based service that collects, anonymizes, and shares information practices in your industry. The problem with benchmarking is that it isn't necessarily standards-based, and a comparison between two firms may be like comparing steak and ice cream.

At the other end of the spectrum, audits are usually formal assessments against a stringent set of expected norms such as internal company rules or external regulations. The downside is that audits usually draw conclusions based on examining past practices, and their objective is to identify deficiencies rather than to develop strategies for improvement.

IG Assessment

Fortunately for information professionals, the Generally Accepted Recordkeeping Principles[R] (Principles) and the Information Governance Maturity Model (IGMM) have taken much of the ambiguity out of the assessment exercise. Used in tandem, they provide a standard for IG program components and a yardstick for measuring how well organizations are implementing them.

But they are not magic. Even with these as guidance, assessing an IG program requires analysis to determine what information to gather, from whom, and in what way; how it will be aggregated; and what to do with the results.

Preparing for the Assessment

These are some typical pre-assessment considerations:

Identifying the assessment's scope. If your organization is new to IG, the assessment's desired result may be a baseline reading of maturity in all Principles: Accountability, Compliance, Transparency, Integrity, Availability, Protection, Retention, and Disposition. In contrast, those with an IG program already in place may want to assess the status for a problem or high-risk area, such as Protection.

Identifying the right participants. Assessment quality greatly depends on the people who participate in it. Adequately assessing IG will likely require the involvement of people beyond the records and information management (RIM) staff. Typically, it requires a team composed of RIM, legal, information technology (IT)...