
What Is Information Governance and The Information Governance Reference Model (IGRM)?

In this article, we'll explore principles and strategies for improving information governance through frameworks like the Information Governance Reference Model (IGRM).


Because of the vast amounts of data modern enterprises generate every day, good information governance is becoming more complex, and more important. From emails and SMS messages to database records and interactions on collaboration platforms, keeping data generated from these platforms accessible, secure, and compliant is no easy task—especially as data sources continue to grow and change. 

 

What Is Information Governance?

Information governance is a framework that organizations use to manage data responsibly throughout its lifecycle. According to Gartner, it is an “accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information.”

As you can imagine, information governance used to be a lot simpler.

In the past, information governance usually only concerned physical files. Keeping track of physical files came with its own challenges, but ensuring compliance and mitigating associated risks was a lot more straightforward.

Today, a good information governance program must address electronically stored information (ESI), which comes with its own unique challenges—and opportunities. Modern information governance includes processes like classifying data, setting retention policies, monitoring access, and securely disposing of data in order to maintain data integrity and usability.

With the sheer volume and complexity of ESI in the modern organization, having a good information governance program offers the opportunity to uncover a treasure trove of insights.

That is to say, the purpose of a strong information governance program goes beyond simply managing data. By ensuring data is transparent, accessible, and secure, organizations can turn it from a liability into a valuable asset. Organizations that adopt strong information governance programs are not just trying to avoid penalties and lawsuits—they are harnessing their data to build trust, create more efficient processes, and improve their decision-making.

The Current State of Information Governance

It turns out that most organizations don’t have mature data retention and preservation policies.

In the last five years, organizations have gained many new data sources. These include company-owned social media accounts, mobile messaging apps, websites, team collaboration tools like Slack and Microsoft Teams, and video conferencing platforms like Zoom and Google Meet. These tools create large amounts of messy, unstructured data. 

The Problem of Unstructured Data

Structured data is information organized in a clear format, with defined rows and columns and pre-fixed fields, like a spreadsheet or database.

Unstructured data is information stored in its original or native format and, in turn, doesn’t follow a set format or structure. This makes unstructured data hard to find, export, produce, organize, maintain, analyze, and dispose of. Emails, videos, pictures, social media posts, websites, and nearly all communication channels generate unstructured data. 

Unstructured data must be managed and protected just like structured data, but many organizations struggle to build strong information governance strategies that cover unstructured data sources.

Here’s What the Research Says:

Our ESI Risk Management & Litigation Readiness Report, which surveyed over 200 in-house legal professionals to understand how they manage these challenges, showed that many companies still lack mature information governance programs.

Fewer than half of respondents said their organization has a mature (i.e., enterprise-wide and consistently enforced) data retention policy for any data source. Depending on the type of data, only 30–45% have such policies in place.

Data retention abilities by data source from the 2024 ESI Risk Management & Litigation Readiness Report


Instead, organizations frequently face issues such as undefined policies (53%), lack of departmental cooperation (52%), and insufficient technology (36%).

Reported barriers to achieving more mature retention and preservation processes from the 2024 ESI Risk Management & Litigation Readiness Report


Example: The Information Governance Disconnect of Microsoft Teams 

One of the most striking insights from the report is the disconnect between governance strategies and modern data sources. 

Many legal and compliance teams may not even be aware of what data sources exist in their organization, what information is being collected, and where it is being stored. And even when they do manage to track down a data source, they find that accessing, searching, exporting, and producing this data is rarely straightforward.  

Microsoft Teams is a great example of this disconnect. 

MS Teams messages are scattered across public channels, private channels, and direct messages. Locating, collecting, and producing data from this platform requires extensive IT resources and has been known to crash computers. 

If you do eventually find the data you’re looking for in the millions of messages on the platform, you then have to export them as individual email files in Outlook, and reconstruct them by hand, piece-by-piece.

This is just one example of how the usual tools and strategies for information governance — the ones that work for things like PDFs and emails — don’t work for modern data sources like Microsoft Teams, WhatsApp, or Zoom. 


Why Is Information Governance Important?

As we’ve established, modern organizations create a lot of data, daily. Without clear rules, managing this data is time-consuming and creates risks for the organization. 

Information governance is important because it lays out the rules for effectively managing data across the organization.

Information governance principles include:

  • Comprehensive data management: Information governance should set clear rules for storing, accessing, and deleting data to help reduce clutter, cut storage costs, and make data easier to find.
  • Compliance: Laws like GDPR and HIPAA require businesses to handle private data carefully. Good governance helps meet these rules, avoiding fines and protecting the company’s reputation.
  • Risk management: Strong governance protects data and sensitive information from hackers and unauthorized users.
  • Data quality: Reliable data leads to better choices. Information governance ensures data is accurate, organized, and easy to understand.

Information Governance vs. Data Governance

Information governance and data governance have distinct roles in managing organizational information. Both are essential for an effective data strategy, but they differ in the following ways:

 

| | Information Governance | Data Governance |
| --- | --- | --- |
| Scope | Manages all organizational information (structured, unstructured, and physical records), focusing on its lifecycle and compliance | Deals specifically with structured data, emphasizing accuracy, consistency, and quality within databases |
| Goals | Aligns data practices with organizational objectives, focusing on accessibility, security, and compliance | Establishes policies to ensure data integrity, standardization, and usability for analytics |
| Impact | Influences compliance, legal readiness, and operational efficiency | Ensures reliable inputs for analytics and decision-making |


The 5 Biggest Challenges of Implementing an Information Governance Program

Organizations trying to manage their data through information governance will inevitably face challenges. These challenges usually come from issues with structure, technology, or operations:

1. Data silos

When data is stored in separate systems that don’t connect, it causes inefficiencies, repeated work, and missed opportunities to harness the data for insights and decision-making.

2. Outdated systems

Older systems make moving and managing data harder and often lack features like automated retention or tracking for compliance. This can lead to increased costs for data storage, maintenance, and security.

3. Cross-departmental collaboration

IT, legal, and compliance teams often have different priorities that can weaken overall information governance efforts. This, combined with data silos not just between data sources but also between departments, makes it difficult to understand the broader picture of how an organization is managing its data, leaving the organization open to more risks, including noncompliance and compromised data security.

4. Rapid data growth

Organizations are generating more data from more places than ever before. Managing this requires flexible rules and systems that can grow with the organization.

5. Privacy vs. access

Companies must keep sensitive data safe by following rules like GDPR or HIPAA while also making sure the data is available for authorized employees to use.

To overcome these challenges, organizations need better tools, clear communication, and flexible strategies. 

Thankfully, there are standard information governance frameworks and models that can help.

What Is the Information Governance Reference Model (IGRM)?

The Information Governance Reference Model (IGRM), created by the Electronic Discovery Reference Model (EDRM) community, is “a tool for communicating with and to organization stakeholders on responsibilities, processes and practices for information governance.”

The Information Governance Reference Model (IGRM). Source: EDRM.net.

The IGRM is not a technical tool and does not offer any prescriptive methods, actions, or technologies. Its purpose is to help foster cross-departmental alignment in order to build integrated governance processes that help organizations address issues like escalating data volumes and legal risks.

The IGRM framework highlights the interconnected responsibilities of various teams, and underscores the importance of aligning information value, legal obligations, and efficient management.

For more details, visit EDRM.net

ARMA International’s Information Governance Principles

ARMA International’s “The Principles®” or “Generally Accepted Recordkeeping Principles®” is a global standard for managing business records effectively and responsibly. It provides eight principles that, “are meant to provide organizations with a standard of conduct for governing information and guidelines by which to judge that conduct.” 

The principles are:

  • Accountability: Assign oversight of information management to appropriate individuals to ensure accountability.
  • Transparency: Manage information in a way that is open and transparent.
  • Integrity: Reasonably guarantee the authenticity and reliability of information.
  • Protection: Provide the appropriate level of protection to information that should not be accessible by all (i.e., information that is private, confidential, privileged, classified, etc.).
  • Compliance: Comply with all applicable laws, other binding authorities, and the organization’s policies.
  • Availability: Maintain the availability of information in a way that ensures its timely, efficient, and accurate retrieval.
  • Retention: Retain information for regulatory, legal, operational, and historical requirements.
  • Disposition: Provide secure and appropriate disposal of information that is no longer required, in compliance with applicable laws and the organization’s policies.

ARMA’s information governance principles offer guidance to organizations that are trying to implement a system that meets business goals while avoiding risks like data breaches, inefficiency, or non-compliance. 

For more details, check out ARMA International’s manual, Implementing the Generally Accepted Recordkeeping Principles.

ARMA's Information Governance Maturity Model

ARMA International also created The Principles® Maturity Model to help companies improve how they manage information.

Businesses can use ARMA’s maturity model to check how well they manage information in a specific department, location, or entire organization. By comparing organizational practices to the characteristics of effective governance in the model, organizations can assess their current level. Based on their goals and risk tolerance, they can then decide which areas or levels to improve.

The Maturity Model divides organizations into five levels:

  1. Substandard: The organization doesn’t have basic information governance systems or processes in place, or they are minimal or applied sporadically. At this level, organizations do not meet legal or regulatory requirements.
  2. In Development: The organization understands that information governance is important and is working to create a program but still faces big risks due to missing or incomplete systems and processes.
  3. Essential: The organization meets the minimum legal and regulatory requirements of information governance in its industry, but may be missing opportunities for efficiency and cost reduction.
  4. Proactive: The organization goes beyond the basics, actively improving its governance practices and aiming for continuous growth.
  5. Transformational: For this organization, information governance isn’t just about following rules or meeting compliance responsibilities. It gives the organization a competitive edge and even improves customer service.

Moving through these levels requires a clear strategy. The Maturity Model acts as a guide, helping organizations set goals, track progress, and connect governance practices to their overall business strategies.

For more details, visit ARMA’s Principles® Maturity Model.

How to Build an Effective Information Governance Framework

The following steps outline how to build an information governance framework that addresses both operational needs and regulatory requirements.

1. Assess your current data

Start by looking at the data your organization collects. Identify all sources of data, where it is stored, and how it is used. Map out your data to find gaps, repeated information, or risks like unstructured data or hidden systems (shadow IT) that can make managing data harder.

2. Create clear policies and rules

Set policies that explain how data should be handled at every stage, from storage to deletion. These should cover things like retention, access, security, and disposal. Make sure the rules follow industry regulations and match your organization’s goals. Clear standards ensure consistency across departments.

3. Assign roles and responsibilities

Make sure everyone knows their role in managing data. Assign data owners in each department, involve IT for technical support, and include legal and compliance teams for their expertise. When responsibilities are clear, everyone can help keep data accurate and secure.

4. Use the right tools

Choose technology that supports your governance plan. Tools for mapping data, automating retention schedules, managing access, and monitoring security can make the process easier. Pick tools that work well with your current systems and help solve issues like unstructured data or fast data growth.

5. Monitor and improve

Information governance isn’t a one-time task. Keep checking how well your system works by tracking performance, monitoring compliance, and auditing processes. Regularly update your framework to stay in line with changes in technology and regulations.

By following these steps, organizations can build a governance framework that protects and organizes data while also making it a valuable tool for efficiency and long-term success.

How to Improve Your Information Governance Strategy and Best Practices

Improving your information governance strategy requires a proactive, structured approach to address key gaps in managing and preserving data. In addition to actionable steps, respondents from our 2024 ESI Risk Management & Litigation Readiness Report shared valuable advice on tackling these challenges. 

Here’s a concise roadmap of best practices, enriched by their insights:

1. Be proactive


Don’t wait for a crisis to address governance issues. Establish clear retention policies, train staff, and incorporate governance into new technologies early.

Here’s some advice from our study respondents:

“Do it before you MUST do it.”

“Don’t wait until a disaster happens to organize data. It is very resource intensive to have to extract all relevant data from all sources in the organization when the time comes.”

“Start early before you have a lot of data, and build consideration of searching and data retention into every new technological tool that is brought into the company.”

2. Create and maintain a data map 


Build a comprehensive data map (sometimes also called a data inventory) to track data sources, collection methods, and storage locations. Regular updates prevent shadow IT and data sprawl.

Here’s some advice from Steve Boston, Director of Information Technology Services at consulting firm GBQ:

“At a minimum, data inventory is important because knowing what data your business collects leads to improved efficiency and increased accountability for everyone in the organization. The results from data inventory can also lead to better overall reporting, decision-making and operational performance optimization. Without an accurate inventory, it is far more challenging to assess any underlying risk, which can further make it difficult to identify the controls that your organization needs to protect your valuable information assets.”

3. Simplify and standardize policies


Practical, enforceable policies are more effective than overly complex ones. Standardization across departments ensures broader adoption.

Here’s what our respondents said:

“Don’t make policies so complicated that they cannot be followed.”
“Don’t let multiple locations choose different platforms.”
“Automate as much as possible.”

4. Reduce reliance on IT

Empower legal and compliance teams with tools to access data independently, reducing IT workload. For example, instead of relying on IT to produce Microsoft Teams data relevant to a legal matter, organizations can make use of a solution like Pagefreezer for MS Teams, which empowers users to easily access data on their own through an intuitive dashboard. 

"Too many IT staff are unaware of information governance and requirements." -- Richard Jeffrey-Cook, Head of Records Management and Consultancy, In-Form Consult

5. Engage key stakeholders

Collaboration between IT, legal, compliance, and business teams ensures alignment. Educating stakeholders on the value of governance fosters better adherence.

Here’s what our respondents said:

“Find a trusted IT representative who is willing and able to spend the time to educate the legal team.”
“Develop a close relationship with IT and ensure that they understand eDiscovery needs.”
“Understand and be involved with IT regarding your data systems architecture.”

6. Secure executive buy-in

Gain C-suite support by presenting tangible examples, like costly litigation risks, to highlight the value of governance investments.

Here’s what our respondents said:

“This needs executive sponsorship to truly gain traction.”

"You need to have C-Suite commitment and investment. They have to see it as being a real priority for the rest of the company to consider it a real priority."

The Value of Investing in Information Governance

The value of investing in information governance is clearer than ever. In an era of increased litigation and a greater focus on data privacy, the compliance risks and eDiscovery costs of ineffective information governance are simply too great to ignore. And as research shows, in the majority of organizations there are plenty of opportunities to reduce costs and improve efficiency, especially when it comes to new data sources.

We hope the frameworks, best practices, and guidance provided in this article give organizations the tools and insight to strengthen their information governance practices, minimize risks, and maximize the value of their data assets.


Pagefreezer
Pagefreezer is a user-friendly enterprise archiving platform helping over 1900 organizations reduce risk and streamline their compliance and eDiscovery workflows.
