So, your organization has committed to Information Governance, and you’ve been tasked with making it a reality. Now what?
You’ll need a framework on which to build your program, a platform that will help you bridge across siloed functions (IT, InfoSec, Legal/Compliance, Records Management, Internal Audit, Operations…) and siloed perspectives (privacy, data security, records & information management, litigation discovery…). You’ll also need to come to grips with three persistent barriers to operationalizing Information Governance:
Loss of Leadership Commitment – sustained support is vital for success, but competition for executive focus is fierce.
Lack of Resiliency – even if well-designed when implemented, static programs applied to a highly dynamic information environment are doomed to fail.
Leaving Behavior Out of the Equation – technology adds complexity, but it’s not the fundamental problem… we are.
These three challenges will remain as stubborn barriers even if an organization adopts a holistic perspective on information compliance, risk, and value. What’s needed is an implementation framework, a vehicle sturdy enough to support the Information Governance endeavor and also strong enough to break through the barriers above. Such a framework must foster sustained commitment by the organization’s senior leadership, must be resilient in an evolving information environment, and must engage people in their necessary roles. Fortunately, such a framework is already familiar to many organizations, and it is readily available to all – the framework of Internal Control.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its original Internal Control – Integrated Framework in 1992. The COSO Framework soon became the authoritative resource for designing, implementing, and monitoring internal control in organizations. In May 2013, COSO released the updated version of its Internal Control-Integrated Framework, broadening the scope of internal controls beyond financial matters.
COSO defines “Internal Control” as “a process effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
An organization’s Internal Control system is the combination of five components that work together:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring Activities
COSO’s Internal Control-Integrated Framework provides detailed guidance for implementation of the Framework within organizations, tied to the above Internal Control components and their supporting principles. The components operate together in an integrated way, and when each is present and functioning in the organization, the Internal Control system provides reasonable assurance to senior management and the board of directors that, within the Internal Control system’s scope, the organization is complying with applicable legal requirements and is effectively operating to meet the identified objectives.
The Internal Control-Integrated Framework is fully compatible with substantive standards for Information Governance. The Framework is a sturdy vehicle for integrating information-related functions that have formerly been siloed in the disciplines of records & information management, privacy & data security, and legal hold processes for litigation. It also provides a level playing field for collaboration between stakeholder functions, such as IT, InfoSec, Legal/Compliance, Records Management, Internal Audit, and Operations.
Most promisingly, the Internal Control Framework is well-designed for breaking through persistent barriers to effective Information Governance:
Senior Management Engagement
In the Internal Control approach, strategic objectives for information Governance are established that link upward to board-level governance responsibilities and executive strategies, and also link downward into tactical objectives for the organization’s IG program, framed in a way that the objectives and outcomes are measurable. Senior management and the board provide “tone at the top” and also establish roles, responsibilities, and a culture of accountability. The reward for the board and senior management is reasonable assurance of legal compliance and attainment of Information Governance objectives, communicated to them in a form with which they are already familiar: Internal Control reporting.
The Internal Control Framework is designed for resiliency. Clear communication of expectations, roles, and responsibilities will survive personnel and technology changes over time. And risk assessment and monitoring are iterative and ongoing, so that Control Activities can evolve and remain effective as information use and technology systems change.
Focus on People, Not Merely Technology
Internal Control systems are ideal for governing organizational functions in which human behavior is central, such as handling of the organization’s information. Technology tools still play an important role, and indeed, will be selected and applied in a more focused manner, guided by the organization’s objectives and the resulting Internal Control system requirements. But the Internal Control approach does not absolve individuals from responsibility for reaching the organizations’ Information Governance objectives. Instead, it harnesses the power of individual behavior across the organization by establishing clear expectations for such behavior within a control environment of accountability.