5 Reasons You Need an Information Governance Program

Ask anyone involved in records management, information management, IT, InfoSec, Privacy, Legal, or Compliance whether their organization needs an Information Governance (IG) program, and they’ll immediately answer ‘yes.’ But if you follow up and ask why, you’ll likely be met with either bemused silence or something along the lines of ‘because we need to govern how our information is used.’ Even if you push a little, you rarely get beyond some version of ‘information is a critical business asset and we need to govern how it’s used because there are laws and regulations that say so’—basically, ‘because we have to.’

While this is true, it’s not very compelling. Although you can get folks to support IG because they have to, no one is happy about paying their taxes, and, absent some better reasons, no one is going to be happy about the time, effort, and cost of doing IG well. But this doesn’t have to be the case, because there are lots of good reasons to support IG that go beyond ‘because you have to.’ Here are five:

1. The risks of not doing information governance typically outweigh the efforts of doing information governance

Just about every industry is subject not only to laws and regulations, but also to generally accepted practices around how corporate information is used — from creation, through sharing and management, to its eventual disposal. All of these obligations carry risks for non-compliance, like monetary fines or sanctions, or the bad publicity that comes from high-profile instances of wrongdoing — not to mention the potentially impaired ability to operate in certain markets or for certain customer segments, which leads to eroded market share, lower sales, or both.

In most cases, the impact of these risks can be quantified in dollars, sometimes more sharply (e.g., HIPAA violations), sometimes less so (e.g., reputational damage from a data breach). But in both cases, quantifying the impact of IG risks will demonstrate more often than not that IG efforts are worth it relative to the risks related to not doing IG (or doing IG poorly). What will be a discussion point is the level of IG effort needed to mitigate the risks, and therefore help avoid or minimize the impacts to a degree acceptable to the organization. While every organization is different, in most cases the answer will be somewhere between doing as much as possible and doing as little as possible — finding the sweet spot between the two is the hard work of IG.

2. You can do information governance less than perfectly and still get huge benefits

IG will typically be worth the effort relative to the risks of not doing IG if you can find the sweet spot between over- and underachieving. The idea here is to not go beyond the point of diminishing returns, which is a nearly ubiquitous business maxim. But in compliance, we often ignore it and focus instead on getting as compliant as possible — simply because we have to do compliance.

We also have to do sales, and marketing, and product development, but we don’t just approach those as all-or-nothing endeavors. We spend a lot of time calculating risks, costs, and benefits to arrive at a just enough approach that gets us the most bang for our buck. A similar approach is not only needed in IG, but will be more successful than an all-or-nothing approach. For example, rather than taking 6, 12, or 18 months (or more) to design a perfect, best practices, industry leading IG program and then using it to drive tactical projects to address IG risk, take 3 months to design an IG program 0.1 and begin executing projects that will promote better information management months 4 through 6 and see where you get. Spend month 7 doing a lessons learned and evolve to IG program 0.2 and execute some more, do some lessons learned, evolve to IG program 0.3 — lather, rinse, repeat.

This approach will never get you a perfect IG program, but it will get you something that the vast majority of efforts to create the perfect IG program do not: results.

3. Good information governance saves you money

So far, we’ve focused on more defensive reasons to do good IG: done right, it can reduce information risk and lessen the impact of those risks when they come to pass. But there are also offensive reasons to do good IG, such as lower costs, increased sales, and higher margins. The most straightforward of these to demonstrate is lower costs, whether direct (e.g., fewer employees needed to process loan documents because we can read data off forms with software) or indirect (e.g., more bandwidth per underwriter because the movement of loan documents through the application process has been automated with workflow).

And the more you think about how good IG can impact costs, the scenarios multiply. After all, good IG requires that you know what data you have, where, owned by whom, and that it’s accurate — all of which allow you to execute business processes more efficiently, effectively, and with higher quality. Just follow the lifecycle of a business document, for example, to get a good starting point for what scenarios in your business could be made less costly through good IG:

  • Creation/ingestion: the right template, populated with accurate data, and made available to downstream processes that require it
  • Sharing/collaboration: the latest and greatest document version, with previous versions saved just in case, and secure methods for working with others (inside and outside the organization) on the document
  • Archiving: the latest version, stored in the right location (with appropriate security and organization), easily discoverable for those who have access to it
  • Disposal: can be easily, permanently, and defensibly purged once it’s past its legal and operational life

4. You can sell more to more customers at higher margins with good information governance

One of the scenarios that good IG can impact is sales — in terms of how much you sell, to how many customers, and at what margin. Ask anybody involved in corporate sales, whether inside sales, outside sales, channel partner, or manager and they’ll tell you: having the latest and greatest information about customers, prospects, opportunities, historical sales activity, or their own products and services is a huge challenge. Spreadsheets, emails, Word docs, OneNote files, CRM system(s), handwritten notes, Access databases, file shares, SharePoint — the sheer number of document formats, repositories, and platforms makes the job of knowing your customer and your products much more difficult than it should or could be.

Yet, good IG enables not only knowing what information you have, where it is, and who owns it, but also being able to share it and collaborate on the latest and greatest versions of it inside and outside your organization — which, even if you only succeed partially at doing, will alleviate your sales challenges accordingly and drive more sales to more customers at a lower cost (and therefore higher margins).

5. You can’t serve your customers as well without good information governance

Ultimately, doing IG poorly leads not only to non-compliance with a whole host of laws, regulations, and generally accepted practices, but also to more expensive, less efficient, and less effective operations — all of which make it difficult to serve your customers as well as you could with good IG. This is true both defensively and offensively. Defensively, consumers are increasingly concerned about how companies they do business with handle their private data and are demanding that firms do better at handling it in more transparent ways (and giving them a larger say in how it’s handled). Offensively, customers have come to expect an almost unrealistic pace of innovation from the firms they do business with and are more than willing to jump ship and give their business to your competitors if they offer an improved customer experience — even for services like banking, utilities, telecom, and insurance that have traditionally enjoyed low turnover because of high switching costs.

Those firms that are able to leverage good IG to become more compliant reap not only the benefits of reduced risks related to information, but can enjoy the strategic differentiation IG compliance offers. These firms will be able to leverage good IG to lower costs, increase sales, and increase margins — all of which position them to have the time and resources to foster innovation, rather than simply struggling to keep the lights on and play catch up to their more agile competitors.

OK, so those are the top five reasons why you need an IG program. There are more, but why go any further than reducing compliance risk, lowering costs, increasing sales and margins, and serving customers better? Anything else would be icing on the cake.

New call-to-action

Rich Medina
Joe Shepley
I’m VP and Practice Lead, focusing on developing Doculabs’ InfoSec practice and its applications in a wide range of industries.