Corporate Governance, IT Governance and Information Governance
In this week’s blog, we are going to look at governance. We are regularly asked, ‘what do you mean by governance?’ or, ‘is information governance the same as IT governance?’ There seems to be a lot of confusion and mispositioning of governance, its role and the different forms. In this blog, we will provide some clarity.
Traditionally, the response from board-level executives in relation to information security issues was to defer all decisions to the company’s CIO. In small to medium size businesses, where executive directors and senior management cover multiple roles, a CIO may not exist. The information governance responsibility often then falls to the IT department, on the premise that information = data = IT’s problem. As obligations for demonstrating good corporate governance intensify, driven by multi-faceted and ever-changing compliance initiatives, the IT Manager is likely to be overwhelmed with this perceived ownership and facing many challenges. Not least of which is the need to keep up to date with relevant legislation, codes of best practice and industry sector regulations, let alone understanding the impact these will have on the organisation’s information processing and already stretched IT resources. This leaves little time for the IT Manager to devote time and effort to what is typically their real passion – delivering excellent technology performance and efficiency.
URM’s consultants are often called upon to assist with unravelling the growing demands compliance places upon the IT department and frequently asked how effective security risk management underpins corporate governance requirements.
So, what is corporate governance? At a high level, corporate governance is the whole management system of internal controls, i.e. processes, customs, policies, laws and regulations, which affect the way a company is directed, administered or controlled. It also includes the goals which drive the company and its relationships with stakeholders, e.g. shareholders, the board of directors, employees, customers, creditors and the public. The board and officers of the company must diligently perform their duties in the best interests of their stakeholders and in the manner that ‘an ordinary prudent person would do’. Failure to do so could result in the executive being held liable, both personally and as officers of the company.
In a nutshell, IT governance is a subset of this management system that ensures the effective and efficient use of IT in enabling an organisation to achieve its goals. Essentially, IT governance provides a structure for aligning IT strategy with business strategy. By following a formal framework, organisations can produce measurable results toward achieving their strategies and goals. Like corporate governance, a formal program also takes stakeholders’ interests into account, as well as the needs of staff and the processes they follow. In the big picture, IT governance is an integral part of overall corporate governance. in which all stakeholders must have the necessary input into the IT decision making process. URM often finds this alignment between IT and corporate governance is missing or challenged, and this is particularly prevalent in relation to unauthorised and uninformed acceptance of security risks without understanding the true potential impact.
So, what is information governance and where does it fit? Information governance is the wider set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information in all its forms (electronic, paper etc) in such a way that it supports the organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements. This requires a much deeper understanding, competence and regular review, and can only be achieved with the involvement of multiple internal departments/roles e.g. IT, HR, the Data Protection Officer, Legal, Facilities, Internal Audit etc. Ignorance is no defence in this area. For example, directors and management can still be held personally liable under data protection laws if they ‘knew, or ought to have known’ that a breach was likely and failed to prevent it.
Therefore, effectively, IT and information governance should be a subset of corporate governance. Appropriate stakeholder involvement, risk management and clear roles and responsibilities are vital.