Information Governance: Risk & Value
In Information Governance there is inherently a balance of risk versus value related to information. As what Robert Smallwood has called a “super-discipline” [1] and Dean Gonsowski has called an “umbrella concept” [2], Information Governance spans many disciplines and provides guidance and strategy for all organizational information.
What Information Governance must do is inform disciplines in two arenas of information: disciplines that protect the organization from the potential damage that information can wreak, and disciplines that enhance the organization by extracting value from information.
To do this, one must understand the value of information and the risk that information presents.
Information has value to an organization: it helps us innovate, meet client/customer needs, share, sell, identify opportunities, and more. Information is the lifeblood of any organization doing business today. Information is contracts, conversation, obligations, benefits, and more.
The value of information comes in one of two ways: 1) the findability of specific pieces of information or 2) the identification of trends based on large quantities of information.
Information findability is based on how easily a particular piece of information, any piece of information, can be found. Finding information can rely on search or browsing. Search relies on a search engine to pull together various pieces of responsive information and provide results to a user. Browsing relies on the user to click through (typically) a folder structure until they encounter the information that they were looking for.
Findability can be improved in two ways: by improving the ability of appropriate information to respond to searches for that information, or by improving the folder structure (or better yet, the Information Architecture) that houses information so that it is more logical to users (making it easier for them to browse to the information they seek).
Trend identification comes on many scales based on the size of the repository containing the information that is to be analyzed. Business Intelligence refers to the practice of leveraging smaller pools of information to analyze and provide intelligence, whereas Big Data refers to the practice of leveraging massive pools of information to analyze and provide intelligence. Big Data’s vast pools of information require a different toolset and domain of knowledge than Business Intelligence.
Information risk is all about protecting the organization from the liability and risk related to information. Information is risk to an organization. It is the ‘smoking gun’, the data breach, the exploited loophole, the missed obligation, the compliance requirement, and more.
The risk of information has been categorized into 5 primary categories, as defined by Victoria L. Lemieux [3]:
- Legal risk includes loss, damage, or unrecoverability of records and information that could result in litigation or noncompliance with laws or regulations.
- Financial risk includes loss, damage, or unrecoverability of records and information that could result in financial losses or threaten the organization’s financial position.
- Reputational risk includes loss, damage, or unrecoverability of records and information that could result in damage to the organization’s public image, confidence, or reputation.
- Operational risk includes loss, damage, or unrecoverability of records and information needed for completing the organization’s business transactions effectively.
- Environmental risk includes loss, damage, or unrecoverability of records and information documenting the organization’s environmentally safe practices.
Each of these risks should be mitigated according to the organization’s risk tolerance, or its willingness to accept a particular level of risk.
Balancing Value & Risk
On the surface, value and risk are competing. They compete for resources, attention, and staffing. Each organization has a differing balance between value and risk. Highly regulated organizations tend to have a much lower risk tolerance (meaning they accept little risk) than minimally regulated organizations.
Unfortunately, many organizations are running with competing risk profiles within themselves because of a lack of cohesive strategy. That is where Information Governance arbitrates and finds a common understanding of risk versus value, so that a specific balance is achieved.
Image credit: http://www.freeimages.com/photo/tightrope-walkers-2-1458110