In this article, we'll explore principles and strategies for improving information governance through frameworks like the Information Governance Reference Model (IGRM).
Because of the vast amounts of data modern enterprises generate every day, good information governance is becoming more complex, and more important. From emails and SMS messages to database records and interactions on collaboration platforms, keeping data generated from these platforms accessible, secure, and compliant is no easy task—especially as data sources continue to grow and change.
Information governance is a framework that organizations use to manage data responsibly throughout its lifecycle. According to Gartner, it is an “accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information.”
As you can imagine, information governance used to be a lot simpler.
In the past, information governance usually only concerned physical files. Keeping track of physical files came with its own challenges, but ensuring compliance and mitigating associated risks was a lot more straightforward.
Today, a good information governance program must address electronically stored information (ESI), which comes with its own unique challenges—and opportunities. Modern information governance includes processes like classifying data, setting retention policies, monitoring access, and securely disposing of data in order to maintain data integrity and usability.
With the sheer volume and complexity of ESI in the modern organization, having a good information governance program offers the opportunity to uncover a treasure trove of insights.
That is to say, the purpose of a strong information governance program goes beyond simply managing data. By ensuring data is transparent, accessible, and secure, organizations can turn it from a liability into a valuable asset. Organizations that adopt strong information governance programs are not just trying to avoid penalties and lawsuits—they are harnessing their data to build trust, create more efficient processes, and improve their decision-making.
It turns out that most organizations don’t have mature data retention and preservation policies.
In the last five years, organizations have gained many new data sources. These include company-owned social media accounts, mobile messaging apps, websites, team collaboration tools like Slack and Microsoft Teams, and video conferencing platforms like Zoom and Google Meet. These tools create large amounts of messy, unstructured data.
Structured data is information organized in a clear format, with defined rows and columns and pre-fixed fields, like a spreadsheet or database.
Unstructured data is information stored in its original or native format and, in turn, doesn’t follow a set format or structure. This makes unstructured data hard to find, export, produce, organize, maintain, analyze, and dispose of. Emails, videos, pictures, social media posts, websites, and nearly all communication channels generate unstructured data.
Unstructured data must be managed and protected just like structured data, but many organizations struggle to build strong information governance strategies that cover unstructured data sources.
Our ESI Risk Management & Litigation Readiness Report, which surveyed over 200 in-house legal professionals to understand how they manage these challenges, showed that many companies still lack mature information governance programs.
Fewer than half of respondents said their organization has a mature (i.e., enterprise-wide and consistently enforced) data retention policy for any data source. Depending on the type of data, only 30–45% have such policies in place.
Data retention abilities by data source from the 2024 ESI Risk Management & Litigation Readiness Report
Instead, organizations frequently face issues such as undefined policies (53%), lack of departmental cooperation (52%), and insufficient technology (36%).
Data retention abilities by data source from the 2024 ESI Risk Management & Litigation Readiness Report
One of the most striking insights from the report is the disconnect between governance strategies and modern data sources.
Many legal and compliance teams may not even be aware of what data sources exist in their organization, what information is being collected, and where it is being stored. And even when they do manage to track down a data source, they find that accessing, searching, exporting, and producing this data is rarely straightforward.
Microsoft Teams is a great example of this disconnect.
MS Teams messages are scattered across public channels, private channels, and direct messages. Locating, collecting, and producing data from this platform requires extensive IT resources and has been known to crash computers.
If you do eventually find the data you’re looking for in the millions of messages on the platform, you then have to export them as individual email files in Outlook, and reconstruct them by hand, piece-by-piece.
This is just one example of how the usual tools and strategies for information governance — the ones that work for things like PDFs and emails — don’t work for modern data sources like Microsoft Teams, WhatsApp, or Zoom.
👉 Struggling with Microsoft Teams Information Governance? Check out our Microsoft Teams Recordkeeping Guide here.
As we’ve established, modern organizations create a lot of data, daily. Without clear rules, managing this data is time-consuming and creates risks for the organization.
Information governance is important because it lays out the rules for effectively managing data across the organization.
Information governance principles include:
Information governance and data governance have distinct roles in managing organizational information. Both are essential for an effective data strategy, but they differ in the following ways:
|
Information Governance |
Data Governance |
|
|
Scope |
Manages all organizational information (structured, unstructured, and physical records), focusing on its lifecycle and compliance |
Deals specifically with structured data, emphasizing accuracy, consistency, and quality within databases |
|
Goals |
Aligns data practices with organizational objectives, focusing on accessibility, security, and compliance |
Establishes policies to ensure data integrity, standardization, and usability for analytics |
|
Impact |
Influences compliance, legal readiness, and operational efficiency |
Ensures reliable inputs for analytics and decision-making |
Organizations trying to manage their data through information governance will inevitably face challenges. These challenges usually come from issues with structure, technology, or operations:
When data is stored in separate systems that don’t connect, it causes inefficiencies, repeated work, and missed opportunities to harness the data for insights and decision-making.
Older systems make moving and managing data harder and often lack features like automated retention or tracking for compliance. This can lead to increased costs for data storage, maintenance, and security.
IT, legal, and compliance teams often have different priorities that can weaken overall information governance efforts. This combined with data silos not just between data sources but between departments, makes it difficult to understand the broader picture of how an organization is managing its data, leaving the organization open to more risks, including noncompliance and compromised data security.
Organizations are generating more data from more places than ever before. Managing this requires flexible rules and systems that can grow with the organization.
Companies must keep sensitive data safe by following rules like GDPR or HIPAA while also making sure the data is available for authorized employees to use.
To overcome these challenges, organizations need better tools, clear communication, and flexible strategies.
Thankfully, there are standard information governance frameworks and models that can help.
The Information Governance Reference Model (IGRM), created by the Electronic Discovery Reference Model (EDRM) community, is “a tool for communicating with and to organization stakeholders on responsibilities, processes and practices for information governance.”
The Information Governance Reference Model (IGRM). Source: EDRM.net.
The IGRM is not a technical tool and does not offer any prescriptive methods, actions, or technologies. Its purpose is to help foster cross-departmental alignment in order to build integrated governance processes that help organizations address issues like escalating data volumes and legal risks.
The IGRM framework highlights the interconnected responsibilities of various teams, and underscores the importance of aligning information value, legal obligations, and efficient management.
For more details, visit EDRM.net
ARMA International’s “The Principles®” or “Generally Accepted Recordkeeping Principles®” is a global standard for managing business records effectively and responsibly. It provides eight principles that, “are meant to provide organizations with a standard of conduct for governing information and guidelines by which to judge that conduct.”
The principles are:
ARMA’s information governance principles offer guidance to organizations that are trying to implement a system that meets business goals while avoiding risks like data breaches, inefficiency, or non-compliance.
For more details, check out ARMA International’s manual, Implementing the Generally Accepted Recordkeeping Principles.
ARMA International also created The Principles® Maturity Model to help companies improve how they manage information.
Businesses can use the ARMA’s maturity model to check how well they manage information in a specific department, location, or entire organization. By comparing organizational practices to the characteristics of effective governance in the model, organizations can assess their current level. Based on their goals and risk tolerance, they can then decide which areas or levels to improve.
The Maturity Model divides organizations into five levels:
Moving through these levels requires a clear strategy. The Maturity Model acts as a guide, helping organizations set goals, track progress, and connect governance practices to their overall business strategies.
For more details, visit Arma’s Principles® Maturity Model.
The following steps outline how to build an information governance framework that addresses both operational needs and regulatory requirements.
Start by looking at the data your organization collects. Identify all sources of data, where it is stored, and how it is used. Map out your data to find gaps, repeated information, or risks like unstructured data or hidden systems (shadow IT) that can make managing data harder.
Set policies that explain how data should be handled at every stage, from storage to deletion. These should cover things like retention, access, security, and disposal. Make sure the rules follow industry regulations and match your organization’s goals. Clear standards ensure consistency across departments.
Make sure everyone knows their role in managing data. Assign data owners in each department, involve IT for technical support, and include legal and compliance teams for their expertise. When responsibilities are clear, everyone can help keep data accurate and secure.
Choose technology that supports your governance plan. Tools for mapping data, automating retention schedules, managing access, and monitoring security can make the process easier. Pick tools that work well with your current systems and help solve issues like unstructured data or fast data growth.
Information governance isn’t a one-time task. Keep checking how well your system works by tracking performance, monitoring compliance, and auditing processes. Regularly update your framework to stay in line with changes in technology and regulations.
By following these steps, organizations can build a governance framework that protects and organizes data while also making it a valuable tool for efficiency and long-term success.
Improving your information governance strategy requires a proactive, structured approach to address key gaps in managing and preserving data. In addition to actionable steps, respondents from our 2024 ESI Risk Management & Litigation Readiness Report shared valuable advice on tackling these challenges.
Here’s a concise roadmap of best practices, enriched by their insights:
Don’t wait for a crisis to address governance issues. Establish clear retention policies, train staff, and incorporate governance into new technologies early.
Here’s some advice from our study respondents:
“Do it before you MUST do it.”
“Don’t wait until a disaster happens to organize data. It is very resource intensive to have to extract all relevant data from all sources in the organization when the time comes.”
“Start early before you have a lot of data, and build consideration of searching and data retention into every new technological tool that is brought into the company.”
Build a comprehensive data map (sometimes also called a data inventory) to track data sources, collection methods, and storage locations. Regular updates prevent shadow IT and data sprawl.
Here’s some advice from Steve Boston, Director of Information Technology Services at consulting firm GBQ:
"At a minimum, data inventory is important because knowing what data your business collects leads to improved efficiency and increased accountability for everyone in the organization. The results from data inventory can also lead to better overall reporting, decision-making and operational performance optimization. Without an accurate inventory, it is far more challenging to assess any underlying risk, which can further make it difficult to identify the controls that your organization needs to protect your valuable information assets.”
Practical, enforceable policies are more effective than overly complex ones. Standardization across departments ensures broader adoption.
Here’s what our respondents said:
“Don‘t make policies so complicated that they cannot be followed.”“
Don’t let multiple locations choose different platforms.”
“Automate as much as possible.”
Empower legal and compliance teams with tools to access data independently, reducing IT workload. For example, instead of relying on IT to produce Microsoft Teams data relevant to a legal matter, organizations can make use of a solution like Pagefreezer for MS Teams, which empowers users to easily access data on their own through an intuitive dashboard.
Collaboration between IT, legal, compliance, and business teams ensures alignment. Educating stakeholders on the value of governance fosters better adherence.
Here’s what our respondents said:
“Find a trusted IT representative who is willing and able to spend the time to educate the legal team.”
“Develop a close relationship with IT and ensure that they understand eDiscovery needs.”
“Understand and be involved with IT regarding your data systems architecture.”
Gain C-suite support by presenting tangible examples, like costly litigation risks, to highlight the value of governance investments.
Here’s what our respondents said:
“This needs executive sponsorship to truly gain traction.”
The value of investing in information governance is clearer than ever. In an era of increased litigation and a greater focus on data privacy, the compliance risks and eDiscovery costs of ineffective information governance are simply too great to ignore. And as research shows, in the majority of organizations there are plenty of opportunities to reduce cost and improve inefficiencies—especially when it comes to new data sources.
By implementing the frameworks, best practices, and guidance provided in this article, we hope to provide organizations with the tools and insight to strengthen their information governance practices, minimize risks, and maximize the value of their data assets.