Information governance, data protection and security, privacy, cybersecurity and artificial intelligence (AI) have all become critical topics for boards and government bodies to consider. Historically, the issues tended to be dealt with under either ‘IT’ issues or records and information compliance issues. In recent years, the importance of cybersecurity, AI and data analytics together with changing privacy regulations have brought new governance challenges to the forefront of the minds of directors.
Top issues for Directors
There are common themes in the surveys of top issues confronting Boards of Directors, which have been carried out in recent years. These include the opportunities and challenges arising from technology innovation and disruption, the overriding concern of cybersecurity and data breach, which is highlighting the importance of information security, and regulatory compliance including changing privacy regulations.
The Akin Gump Lawyers group in the USA report an annual “Top 10 topics for Directors” each year, which is published in the Harvard Law School Forum on Corporate Governance and Financial Regulation website. The 2020 report, that came out in January 2020, placed cybersecurity at number 7 (the 2019 report had it as the number 8 issue). Similarly the EY Centre for Board Matters ranked “prioritizing cybersecurity and data privacy” as their number 4 key issue for boards.
To add further evidence to the importance of this topic, Diligent, in its 2020 Foresight: year ahead in corporate governance report sets out that, “[t]echnology, processes and insights are the foundation of modern governance, enabling boards to effectively navigate this changing landscape.”
The top law firm, King & Wood Mallesons, in its 2016 Directions report had listed digital disruption at number 3. By the release of its 2019 Directions: navigating a new order report, the issue of managing IT and cybersecurity had moved to the number 2 spot as a priority for boards. Adams wrote “The Top 2018 governance concerns” with the acronym SEMTEX, of which the “T” was for technology and still is valid for all directors in 2020.
In 2019, the Governance Institute of Australia released its own paper, entitled “The Future of the Governance Professional” and had three major themes – technological disruption was the third highest priority for governance changes into the future (2025). Over 75% of the respondents agreed that the issue was vital or very important due to “the use of new technology and its effects on the workforce, and also because the rate of change and implementation of these technologies is accelerating”. The other themes of complexity and regulatory change are top of mind for many directors and governance professionals. However, it is the impact of technological disruption that is having far-reaching consequences. This is seen by the growing use of AI and its earlier incarnation, machine learning, in business to change the role of the governance and compliance professional. There is a role for humans and that is perceived to oversee machines and to make qualitative judgments.
There is acceptance that machines will be better than humans at some tasks, including taking minutes, gathering vast amounts of information and highlighting what is relevant for directors. But there will still be a need for emotional intelligence and creativity, which humans bring to the table (with bias and other unconscious attitudes). As well as AI, the developments in real-time information flows, big data analysis, increased automation and improved regtech with blockchain and voice recognition to all affect the governance role. The 2019 report notes that 39% of respondents thought it would make the governance professional role more interesting and high level, as well as 25% thought it would improve the quality of information that the board receives in its papers.
It is worth hypothesising whether the devastating impact on CBA for the AUSTRAC action for money-laundering in 2018 and the Westpac litigation for money-laundering and facilitating child-exploitation, would have been avoided if the board had better digital disruption skills and knowledge. Hindsight is a wonderful attribute, but boards need to balance the fine detail with enough information to make informed decisions and to ask the right questions of management.
Corporate governance in the digital economy
Previously in 2018, the authors examined the link between corporate governance and the digital economy in Governance Directions. The definition of information governance has generally been accepted as “the activities and technologies that organisations employ to maximise the value of information while minimising associated risks and costs”. This definition has been affirmed by 90% of the Information Governance ANZ (InfoGovANZ) survey report, published in 2019. This survey built on the 2017 edition and reinforced that information governance is an umbrella concept that describes all information management activities.
Over half of all respondents said that their organisations, both private and government, had information governance framework with policies and procedures in place.
Traditional governance processes are lagging behind digital innovations and so no longer meet the expectations of governments, regulators, owners and employees. There is a distinction between governance practices in the digital age and a framework for contemporary governance.
Information governance core to good business management
The 2019 InfoGovANZ survey report had 340 industry participants and highlights the importance of an information governance framework. Implementing such a framework was seen by 46% of industry professionals as the most important issue. The survey derived that the three main drivers for information governance projects were:
- Good business management practices – 75% respondents in 2019, which reflected a 16% increase from the 2017 survey;
- External regulatory, compliance or legal obligations – 75% respondents in 2019, which was 5% lower than the 2017 survey; and
- Internal technology restructuring or transition – 55% respondents in 2019, which was a massive 21% increase from the 2017 survey.
Over half of all respondents said that their organisations, both private and government, had information governance framework with policies and procedures in place. 74% had identified specific information governance projects to be underway or planned for 2020.
Information governance programs in organisations are now maturing, 54% of respondents indicated their programs were intermediate of advanced.
Impact of Privacy Regulations
42% of the respondents stated that recent changes to privacy regulations had been a driver for their current projects in information governance. This could be identified by two significant changes that occurred in 2018. The first was the European Union’s General Data Protection Regulation (GDPR), which came into force on 25 May 2018, imposing a significant change to privacy laws in Europe. Organisation that fail to comply with GDPR requirements (including non-EU country organisations) can face fines of up to 20 million Euros or 4% of global turnover. The other factor in Australia, was the implementation of the Notifiable Data Breaches Scheme (NDB Scheme) that came into force on 22 February 2018. The NDB Scheme requires organisations to notify the Australian Information Commissioner and individuals whose personal information is involved in a data breach that is likely to result in serious harm.
An interesting aspect is that those industry professionals that worked in the private sector (55%) were more driven by these changes to privacy laws than the government employed professionals (36%). This may be due to a greater number of corporates handing personal information of EU data subjects and dealing with cross-border transfers of personal data as a result of the GDPR.
Information Governance Framework
Implementing an information governance framework was identified as the key area of importance by 46% of respondents. Compliance with privacy regulations, data loss prevention and updating of policies and procedures rounded out the top four key areas of importance – 16.2% were driven by compliance with privacy regulations, 10.4% were driven by data loss prevention and 9% for updating policies and procedures.
Most participants believed that a chief information governance officer (CIGO) was essential to the information governance frameworks success within an organisation. The words “information governance” or “data governance” only appeared in about 12% or 11% respectively title for those with the accountability for the organisation. But in 2017 survey report, the term information governance was only in 5% of job titles. More significantly, 41% of respondents who were accountable for information governance were part of the senior executive (C-Suite) team within the organisation.
Information Governance Maturity
Information governance programs in organisations appear to be maturing with 54% indicating their programs were intermediate or advanced.
Responses indicated a fairly even split between proactive and reactive approaches to information governance. This was most in line with the previous survey results, however, participants appeared to have better clarity of their programs, with only 7% indicating they didn’t know compared to 16% in the previous survey.
This data can be compared to the USA, where ARMA International has published survey results in the Information Governance Maturity Index Report – 2020. This survey had over 1,200 responses, which were subject to a gateway question (of qualifications and skills) and checks for duplications and incomplete answers to establish 912 full responses. The scale applied for all the domains were from level 1 (a non-existent framework) to level 5 (transformational). The middle level 3 was stated to be essential (which equates to a basic requirement in information governance to do the job).
Across all domains measured, including infrastructures, supports, processes, capabilities and a steering committee, 66.2% stated that their organisations were essential (level 3) or higher. Within particular domains or attributes, ARMA found that having a Steering Committee, with information governance leadership, and links to information management and business unit applications, scored a maturity index of 62.7%. In the area of Authorities, meaning authoritative frameworks, privacy requirements and best practices, 72.1% scored essential level 3 or higher. Finally for the attribute Supports, including change management and project management, the maturity score was 67.7% for level 3 and above. The ARMA report highlights that a clear majority of respondents reported that their organisations have the essentials in place or better with respect to each of the domains and for their overall information governance programs. All this data indicates the growing maturity of information governance within organisations and allows information governance professionals to assess how their organisation is tracking against the survey results of the InfoGovANZ and ARMA reports.
Alignment key to information governance
The key to good information governance is to align data and information governance with overall strategic objectives. This requires organisations to identify and coordinate different IG areas and activities and activities. The Elements of Information Governance diagram illustrates the various areas, which can be adjusted as necessary, to provide a clearer understanding of how the overarching information governance framework enables alignment of policies, procedures, people and technologies.
The elements link to the icons and the IG centre in a continuous chain. All of the elements must combine and connect to provide an effective information governance system. The elements on the top and middle rows to the left reflect people-focused activities, while those to the right are data-focused activities. The elements on the bottom row are information-focused and reflect foundation services.
The icons surrounding the IG centre represent information governance and the elements to be aligned:
- innovation and technology initiatives (lightbulb);
- optimising the value of data and minimising costs by reducing risk (dollar sign);
- technologies, systems and people across organisational silos (cog/gear);
- data and information security (lock);
- people skills and collaborative culture with supporting structures (the information governance committee or equivalent) across organisational silos to meet information governance and organisational objectives, and an external focus on customers and citizens and the handling of their personal information and transparency (people);
- policies and procedures (house).
The house icon services as a reminder that robust information governance requires a top-down strategic approach building on a strong foundation of clear policies and procedures. The information governance framework enables Directors and senior executives to achieve organisational objectives and to optimise the value of data and information while minimising risks and costs by:
- identifying all the areas and technologies– that is, the information governance elements in your organisation;
- putting strategic objectives and priorities in place for managing, controlling and securing the data and information your organisation collects, uses and stores;
- optimising the opportunities of new technologies and innovations to harness value and insights from data;
- implementing appropriate risk management to minimise costs, such as those associated with a data breach and eDiscovery in litigation and legal proceedings.
- implementing measures to protect the organisation’s intellectual property;
- complying with regulatory and legal obligations including, record keeping obligations and, in particular, changing privacy regulations.
The key to good corporate governance is a strong information governance framework aligned to achieve organisational objectives with top-down leadership. Effective information governance is when policies, technologies and people all align and work together to enable data and information to be optimised and regulatory compliance of privacy, record keeping and other information regulations to increase the overall performance of the organisation. The key issues for directors confronting both opportunities from technology innovations, AI and data analytics and challenges arising from cybersecurity, data breach, privacy and other regulatory drivers can be met with strong information governance.
Professor Michael A Adams FGIA(Life) FCIS, Professor of Corporate Law & Governance, School of Law, University of New England and
Susan Bennett, FGIA, CIPP/E, Principal, Sibenco Legal & Advisory, Co-founder and Director of Information Governance ANZ
This article was published in Governance Directions, May 2020, Vol 72, Issue 4.
 Akin Gump, Top 10 Topics for Directors in 2020 – https://www.akingump.com/en/experience/practices/corporate/ag-deal-diary/top-10-topics-for-directors-in-2020-executive-summary.html
 EY Center for Board Matters, Eight Priorities for Boards in 2020 – Harvard Law School Forum on Corporate Governance : https://corpgov.law.harvard.edu/2020/01/14/eight-priorities-for-boards-in-2020/
 King & Wood Mallesons, Directions 2019: Navigating a new order – https://www.kwm.com/en/au/knowledge/hubs/directions-non-executive-directors
 Adams, M; “Top 2018 governance concerns: #SEMTEX” Governance Directions 2018 September
 SEMTEX stands for Strategy; Evaluation of risks; Multi-generational; Technology; Environment/CSR; toxic.
 GIA, The Future of the governance professional, August 2019 – https://www.governanceinstitute.com.au/media/884166/govinst_the-future-of-the-governance-professional_august-2019.pdf
 Op cit fn 8 at page 9
 AUSTRAC v CBA  FCA 930 http://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/FCA//2018/930.html and AUSTRAC media release – https://www.austrac.gov.au/austrac-and-cba-agree-700m-penalty
 AUSTRAC media release https://www.austrac.gov.au/about-us/media-release/civil-penalty-orders-against-westpac
 Adams, M & Bennett, S, 2018, “Corporate governance in the digital economy: The critical importance of information governance” 70(10 Governance Directions
 Information Governance ANZ, IG Industry Survey, July 2019 https://www.infogovanz.com/wp-content/uploads/2020/01/IGANZ2019ReportFinal.pdf
 Information Governance ANZ, IG Industry Survey, August 2017 https://www.infogovanz.com/wp-content/uploads/2020/01/IGANZ_Industry_Survey_AUGUST_2017.pdf
 ARMA International, Information Governance Maturity Index Report 2020 – https://www.arma.org/page/ig-report
 Information Governance ANZ – https://www.infogovanz.com/information-governance/information-governance-optimising-the-lifeblood-of-organisations/