Information Governance: Roles, Responsibilities, and Key Processes

Information governance is a program that establishes decision rights and support mechanisms to ensure enterprise information is accurate, complete, consistent, accessible, and secure. Maintaining it requires defining and establishing several roles within the business (not just IT); these roles may be separate or combined, and in small organizations they can be handled by one or two people. Embedding these roles into daily business operations is essential for adopting enterprise information management.

Three Key Roles

Data Governance Council

Data Administrator

Data Maintenance

At the highest level, the council creates policies, managers enforce policies/rules, and maintenance covers all execution activities that cause data changes in company systems.

Information governance must include an organizational component that focuses on overall data‑quality assessment and improvement, assigning individual responsibility for data‑quality assurance. It also addresses data retention/disposition, security, privacy, and standards. An organization’s information‑governance program may cover all these aspects or a subset; many start with data quality.

The governance council typically defines the scope—what aspects of information governance and which data assets will be addressed. The council consists of business‑side stakeholders from across the organization, each sharing decision rights on policy and scope. The IT organization often facilitates the council’s work and provides input on technical opportunities and impacts. The council agrees on a charter and specific information‑management policies, which become the responsibility of data administrators.

Organizations may focus on data quality, master‑data consistency, or “dynamic” data. The location of data (on‑premise or cloud) is irrelevant; the principles of data governance and management remain consistent.

Data Administrator’s Main Responsibilities

Assess the current state of data fidelity, security, privacy, and retention within their scope.

Execute activities to achieve data‑fidelity improvement goals and comply with all other governance policies.

Identify the best approaches to resolve data‑quality or consistency issues to meet objectives.

Work inside and outside their direct domain to implement changes that support the adoption of data‑governance policies.

Monitor and track ongoing data‑fidelity metrics (e.g., quality and consistency) to evaluate compliance with governance strategies.

Report to the Data Governance Council when cross‑domain or cross‑functional data administrators are needed, acting individually or as a team.

Key Programs and Processes in Information Governance

Define data‑governance metrics and conduct audits to benchmark data quality, retention, security, etc., and their impact on business outcomes.

Regularly publish governance metrics through standard reporting mechanisms (e.g., data‑quality scorecards or dashboards).

Collaborate with business leaders to quantify and articulate the business impact of policy violations.

Report on agreed‑upon policies authorized by the Data Governance Council and support them through enforcement.

Follow prescribed data‑fidelity methods to execute data‑quality improvement projects.

Actively participate in the design and deployment of applications and data‑integration processes to ensure standards and controls are applied.

Promote successes, preferably in quantifiable business‑benefit terms, to further engage participants at all organizational levels.

Relationship Between Information Governance, Corporate Governance, and IT Governance

Good governance aims to increase the speed and effectiveness of decisions and processes, maximize the value created from information, and reduce cost and risk. Information governance is a subset of corporate governance and should not be viewed merely as “IT governance,” because that reinforces the mistaken notion that information is solely an IT responsibility. While some information resides with IT, much does not, and direct business involvement in information governance is necessary to achieve the intended goals.

The diagram below illustrates the relationship among corporate governance, information governance, and business planning.

Governance Decisions

Effective governance narrows focus to aspects of the business that matter most in terms of risk, efficiency, or value. A successful Enterprise Information Management (EIM) project can identify the most valuable information and concentrate on it, rather than attempting to control everything.

The second diagram describes information‑governance components from a business‑decision perspective.

All organizations, regardless of size, have a vast potential information space to manage. Focusing is essential for progress; selecting focus areas helps narrow the project scope to a manageable size. The chosen focus determines subsequent issues. Organizations typically consider one or more of the following areas:

Business strategy and alignment – ensuring overall consistency of business and information goals, prioritization, and conflict resolution.

IT architecture, standards, and integration – covering information, metadata, storage, transmission, and system standards.

Data or information quality – standards, measurement, and maintenance of quality.

Data or information access – sources, access rights, permissions, and usage.

Reporting – regular assessment of the availability and quality of information sources for business decisions.

Security and privacy – planning, controls, and response to security and privacy requirements.

Legal and regulatory compliance – planning, controls, and response to information‑risk factors, and legal/regulatory requirements for retention and disposition.

Some focus areas are best addressed by the business line (e.g., quality, privacy). Treating them solely as IT concerns reduces business participation and hampers governance success. In many cases, a combination of business and IT expertise is required; security is a prime example where business identifies risks and IT implements controls.