Best Practices for Highly Effective Corporate Information Governance Programs

An information governance (IG) program framework is a glorified checklist that’s designed to make sure you address the individually necessary and jointly sufficient conditions for the success of your IG program. There are many activities that have to be planned and managed, and you really need a master plan to ensure that everything gets taken care of.

In a recent post, I outlined the IG Program Framework that Doculabs recommends. This time around, I’m going to list out some best practices for information governance programs.

For those of you who came in late, here’s a quick recap of the eight interrelated program categories and components:


So what are the characteristics of organizations with highly effective IG and compliance programs?

In general, best practices for each of the eight program framework categories have this in common: The organization has designed and implemented an adequate approach to the capabilities in that category. Laggards have neither designed nor implemented an adequate approach to the capabilities in that category. Most organizations are somewhere in between, i.e. they are making some progress toward designing and implementing an adequate approach.

The Program Framework is designed to yield criteria for evaluating organizations with respect to their maturity and performance, and to suggest and prioritize projects for the roadmap toward effective program implementation.

Here are the best practices for each of the program framework categories:

#1: Best Practices for Overall Program and Framework Strategy

  • Developed and implemented comprehensive organizational compliance strategy and roadmap which together address and align all relevant areas of compliance and risk
  • Strategy and roadmap fully align with other and overall objectives of the organization
  • Compliance program is designed and implemented for continuous improvement
  • Strategy and roadmap fully aligned with resources (including time, people, and money) and failure risk tolerance

#2: Best Practices for Policies and Procedures

  • Has established appropriate policy oversight, policies, and efforts to set required standards, guidance, and enforcement to meet compliance and risk requirements
  • Has established Code of Conduct and relevant policies and procedures
  • Has established policies and procedures relevant to information lifecycle management, including Information Security, Information Privacy, Records Management, Email, Social Media

#3: Best Practices for Processes and Operations

  • Fully developed and implemented processes relevant to compliance and information lifecycle management, from creation and ingestion of information through disposition
  • Fully established clear and open lines of communication; procedure for raising concerns
  • Fully established incident management, the response and resolution of compliance incidents

#4: Best Practices for Information Technology and Management

  • Fully established architecture strategy, standards, and portfolio for: IG tools and capabilities; social, mobile, and cloud capabilities; RM tools and capabilities; and e-discovery tools and capabilities
  • Fully established information architecture which contains a content taxonomy or organizational hierarchy, a records plan and retention schedule, and an inventory of the organization’s electronically stored information (ESI) and content repositories
  • Fully established technical security and access control, to restrict access in compliance with information security policies and operating principles

#5: Best Practices for Physical Assets and Environment

  • Fully established physical and environmental for physical protections of the data center, other secure processing areas, physical assets, and data from theft, damage, or loss
  • Fully established asset identification and classification for the inventory, accountability, responsibility, classification, and implementation of associated controls

#6: Best Practices for Roles and Responsibilities

  • Fully established roles and responsibilities for the various IG sub-domains (information security, privacy, risk, records management, etc.), with clear separation of duty and authority
  • Fully established roles and responsibilities for the individual units or departments needed to fulfill IG requirements

#7: Best Practices for Metrics, Measurement, and Monitoring

  • Fully established key objectives and measures of program success, and comprehensive tracking of defined metrics within the program
  • Fully established internal compliance and security audits to provide assurance that controls are adequately designed and operating
  • Program comprehensively defines what is logged, monitored, analyzed, and reported, and with defined alert levels to trigger for incident response

#8: Best Practices for Communications and Training

  • Fully developed and implemented plan and program for communication and training
  • Comprehensively addresses the planning, procedures, documentation, and implementation of compliance and security awareness and related training for the workforce, partners, and contractors

So that’s the gold standard for information governance programs. If you’re in the process of  implementing an IG program at your organization, or if you’d like an objective assessment of an existing IG program, these best practices are a good starting point and can help ensure the future success of your IG program.


Rich Medina
Rich Medina
I’m a Principal Consultant and co-founder of Doculabs, and the resident expert in using ECM for information lifecycle management.