Information governance for the real world
“Information governance is the activities and technologies that organizations employ to
 maximize the value of their information while minimizing associated risks and costs.”
“The Information Governance Initiative,” The Information Governance Initiative, http://iginitiative.com, accessed January 30, 2015.

Real-world information risks span information disciplines

Recent headlines describing cyber attacks and leaked private communications make most organizations worry, “Can this happen to us?” Yet, information security breaches are just one of many information risks that companies are struggling to come to grips with.

Faced with this latest threat, will companies respond by throwing resources only at this latest challenge, or will they respond with a broader strategy that links information risks across the enterprise? Companies should ask themselves if it’s time to abandon the rigid division of information risks into information disciplines — information security, privacy, records and information management, eDiscovery and so forth — and instead enable these disciplines to work together to address risks that, in the real world, span across them.

Some organizations have already recognized the need to draw together information management disciplines to better manage risks that cut across traditional organizational boundaries. Improved governance has commonly come in the form of increased cooperation between records management, legal, compliance, privacy and information technology (IT) and is spurred by, and generally related to, the mitigation of discovery risks. This is admirable, but it does not go far enough. Information disciplines responsible for structured data, data security, information access management, master data management and functions typically in IT continue to be isolated from what is, in any event, an informal arrangement between functions. Each function tackles its own information risks in its own way, often missing opportunities to leverage relevant expertise, previously completed work, and the resources and technology available in other information risk functions.

Without the benefit of a broader understanding of the complex dependencies between risks and planned or in-flight information risk management initiatives, individual risk functions may not realize all of the available opportunities to manage information risk.

Information governance is a business issue. Organizations should have an effective information governance strategy that aligns with their overall risk management strategy, and that can be effectively operationalized to leverage and protect information assets and accomplish broader business goals.

Six key considerations of a robust information governance program

The need for a strong information governance program is driven by the goals of the individual information disciplines, such as compliance with laws and regulations, protection of data, enhanced response to eDiscovery demands and achieving business imperatives. An information governance program is the glue between functions — enabling enterprise information risk management and improved coordination and cooperation between disciplines without requiring changes to the reporting structures. An information governance program, by improving risk management and coordination across information disciplines, helps companies better manage challenges, such as the following:

• Responding to regulatory requirements. Rigorous compliance requirements may include international standards, such as those contained in Basel III; European Union laws such as the Markets in Financial Instruments Directive; and US regulations issued by agencies such as the Financial Industry Regulatory Authority, Securities and Exchange Commission and the Food and Drug Administration. There are also a wide range of safety-related record requirements that may impact chemical, utility, oil and gas, automotive and other manufacturing companies. Among other objectives, these regulations look to protect consumers and maintain privacy rights by outlining what information organizations need to retain, how to retain the information (addressing both access and security) and what information can be transported across borders.

• The discovery process. Traditionally, outside counsel and third-party vendors have held a firm grip on the operations components of the discovery process. Additionally, the preservation and collection of electronic information was generally supported by corporate IT groups, which may have used a black box approach to preservation and collection of data. In recent years, judges are penalizing organizations for not taking more responsibility for their discovery process. Because of this, discovery support is shifting to its own distinct, in-house program that is in need of improved policies, procedures and controls.

• Proliferation of systems. Information is collected, processed and exchanged between many different internal systems, as well as external organizations (including government agencies), making understanding data flows and monitoring regulatory compliance increasingly difficult. Many organizations adopt BYOD policies and issue tablets and other portable devices, further compounding these challenges.

• An increasing volume of information. As the volume of information increases, so does the number of information systems and servers. As volume increases and new information systems are procured, information may shift around the country or globe. As this happens, organizations tend to lose their understanding and control of what information is stored where. This presents risks when an organization must apply records retention policies, respond to discovery or regulatory requests, determine compliance with privacy requirements, etc. If companies cannot identify data and dispose of it in accordance with retention policies, then that data may be discoverable and increase eDiscovery risks and costs.

• Increased risk of cyber attacks. Publicized cyber events amplify the risks to all organizations trying to protect their critical information. The resulting loss of trust and reputational damage has led to economic and revenue hits for both small and multinational organizations. Without knowledge of an organization’s critical assets, too many resources are spent on protecting everything. While there are many ways to gain access to an organization’s environment, whether through third-party vendors with too much access or social engineering of the front line, the goal is to build up defenses around those critical assets.

• Outsourcing. Outsourcing IT services, including to offshore locations, increases both security and compliance risks. Third-party service and infrastructure providers outside of the organization that have custody of the organization’s information may not have appropriate protections or information governance capabilities in place.

How can your information governance be improved?

• Does your organization have an information governance strategy? Are information governance objectives defined and communicated, and are resources allocated?

• Are information governance policies and procedures well defined and socialized throughout the organization?

• Does your company effectively meet legal and regulatory requirements?

• Are information governance risks considered when business decisions are made? For example, when an organization rolls out a bring-your-own-device (BYOD) technology model, are risks related to eDiscovery, records management, information security, etc., considered holistically?

True information governance is a program

Information governance is not a project or an information management discipline — it enables information management disciplines to be managed holistically. Through its information governance program, the organization can better understand and address enterprise information risks.

The emphasis in information governance is squarely on “governance.” The information governance program does not replace existing information disciplines or reporting structures for those disciplines, but establishes shared governance and a culture of coordination and integration between disciplines.

Graphic: Information governance spanning the disciplines of information access management, privacy, data protection, master data management, discovery and legal holds, and records and information management.

How we can help

Ernst & Young LLP works with organizations to find opportunities to mitigate overlapping risks by bringing these siloed functions together. When organizations implement a well-balanced information governance program, they can better identify effective approaches to managing and mitigating enterprise information risks.

• Information governance program assessment and strategy development diagnostic. Ernst & Young LLP employs a diagnostic that is based on the four foundational components of our information governance framework: strategy, governance, operations and performance measurement (see the framework graphic below). By observing and evaluating the organization’s current approach to information risk across disciplines, the organization begins to understand the current state of its information governance program and can plan for its desired future state. The diagnostic identifies risks across the spectrum that can be aligned to recommendations for improvement.

• Information governance program maturity model. The information governance diagnostic described above can also be used to develop a profile of the organization’s information governance program and its maturity compared with other organizations in the same industry. The maturity model may also reflect the organization’s desired future state and depict the gaps that must be closed to achieve the future state.

• Information governance program development. We work closely with organizations to help them realize their future-state information governance programs. This work can involve establishing a committee that includes executives from the various information management disciplines and other stakeholders; working with stakeholders to develop or streamline corporate strategy, policies, procedures, standards, reporting and controls to support the revised program and its initiatives; developing change management plans to prepare employees for changes to the information governance program; helping implement training programs to socialize the new model and policies; and more.

The four components of our shared-focus framework provide an effective design and solid foundation for implementing a sustainable information governance program.

Strategy: This describes how information governance will help realize the business strategy, facilitate compliance with applicable regulations, improve operations, manage risk and improve the organization’s economic position.

Governance: This includes defining the information governance organization and the ongoing maintenance, administration and safekeeping of the information governance program.

Operations: This comprises the infrastructure, systems and processes that make the information governance program operational.

Performance measurement: This consists of assessing how well information governance is performing against the needs of the business and expectations of the users.

Graphic: The four components of the framework: Strategy, Governance, Operations and Performance measurement.

• Regulatory review. As regulations continue to change and emerge, it can be difficult for organizations to understand whether their businesses are compliant with applicable laws. We work with clients to evaluate the information governance program’s compliance with regulations promulgated globally. Additionally, once applicable regulations are identified and compliance with those regulations has been evaluated, organizations may need to refine or enhance their programs to implement appropriate controls to improve compliance.

• Data maps. With the explosion of information retained by organizations, it is becoming increasingly burdensome and difficult to locate records and information and respond to regulatory or litigation requests efficiently. We work with organizations to develop data maps that align regulated records to their system of records or repositories. These data maps can also be used to identify where other information that is frequently subject to discovery is stored, easing preservation and collection.

• Develop discovery preparedness plan. Our teams work closely with discovery and legal support teams to develop a “discovery playbook” to guide preparedness for discovery. This playbook is composed of standardized procedures and reports, and acts as a blueprint for the operational elements of discovery. The standard procedures contained in the playbook may describe how the discovery or legal support team executes and oversees the identification, preservation, collection, processing, review, analysis, production and presentation of information subject to discovery requests. The standardized reporting templates are used to memorialize the decisions made and activities performed when responding to requests. This discovery playbook allows organizations to execute discovery consistently, facilitates the transfer of knowledge to new resources, increases the level of transparency and quality control when working with third-party vendors, and increases the defensibility of the organization’s discovery function.

• Understanding critical assets. Organizations create information that can become vulnerable whether it is active or inactive, on-site or in the cloud. Organizations are struggling with information overload, the cloud, remote workforces and BYOD. Just understanding where information is and what should be protected is a major challenge. Ernst & Young LLP works with organizations to catalog data assets and determine the necessary steps for managing information security risks. Knowing where the critical information is stored, and how it is stored, is fundamental to information security, as well as other information management disciplines.

• Data protection. We work with clients to design and help implement strategies for safeguarding data, information and records, as well as improving business processes and information security, to reduce the risk of data breaches and strengthen the detection of leaks.

• Designing and implementing training programs. A training program can help educate employees about information governance policies and procedures. Program content may vary according to the level of employee and their degree of involvement in the program. We work with clients to develop and deliver effective training programs.

• System selection and implementation support. Systems that support the management of information must consider requirements that cross information management disciplines. We help companies plan their approach to system selection, the development of scoring and weighting models, and the identification of business and function requirements. We also assist with the pilot of their leading candidates.

• Developing a defensible disposition program. Defensible disposition is the process of identifying and disposing of records, documents and data in a manner consistent with the company’s own document retention policies and applicable laws and regulations. By implementing an effective defensible disposition program, organizations can reduce IT costs, reduce litigation risk and avoid potential discovery costs. The goal of an effective defensible disposition program is to classify and then dispose of data in accordance with retention and legal hold policies to reduce corporate risk and control legal and business costs.

Effective information governance helps the organization reduce costs, demonstrate compliance, protect rights, defend against claims and improve operations. The traditional model of siloed functions that manage vertical information governance disciplines is shifting to a more integrated, collaborative format better suited to managing information risk. When these functions understand and approach risks together, the organization is stronger and better positioned to manage the ever-increasing volume of information, reduce costs and prepare for the future.

EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, transaction and advisory services.
The insights and quality services we deliver help build trust and confidence in
the capital markets and in economies the world over. We develop outstanding
leaders who team to deliver on our promises to all of our stakeholders. In so
doing, we play a critical role in building a better working world for our people,
for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the
member firms of Ernst & Young Global Limited, each of which is a separate
legal entity. Ernst & Young Global Limited, a UK company limited by
guarantee, does not provide services to clients. For more information about
our organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of Ernst & Young Global
Limited operating in the US.

About EY’s Fraud Investigation & Dispute Services
Dealing with complex issues of fraud, regulatory compliance and business
disputes can detract from efforts to succeed. Better management of fraud risk
and compliance exposure is a critical business priority—no matter the industry
sector. With our more than 3,200 fraud investigation and dispute professionals
around the world, we assemble the right multidisciplinary and culturally
aligned team to work with you and your legal advisors. And we work to give
you the benefit of our broad sector experience, our deep subject-matter
knowledge and the latest insights from our work worldwide.

© 2015 Ernst & Young LLP.
All Rights Reserved.

1501-1382586
EYG no. WW0376

ED none

ey.com