This specialist article describes the term information governance and its connection with information management in companies. Information governance is a sub-category of corporate governance and deals with optimally managing information-related risks in companies and organizations.


We live in a world flooded with data and never before in history has the amount of information increased so rapidly. And there is no end in sight. The cloud, social networks, Industry 4.0, the Internet of Things and the ever-increasing penetration of our lives through rapidly advancing digitization will continue to ensure exponential growth rates. The flood of emails and overflowing servers make even SMEs struggle today. The management and control of company information is becoming more and more time-consuming and expensive.

Errors in information management pose a risk to companies and their managers.



Information Governance (IG), as a sub-category of corporate governance, is a cross-sectional matter consisting of the areas:

1.) Information management

2.) IT governance (systems / infrastructure)

3.) Information Risk Management

4.) Security & rights management

5.) Compliance

Information governance describes the processes, organizational measures and technologies that are required to manage company information during its entire life cycle (generation, acquisition and reception, distribution, use, archiving or deletion) in accordance with the company’s strategic guidelines and external and internal regulations. The aim is the active and controlled handling of information stocks.

Information governance is more than a dull set of rules or framework. It focuses on how an organization ensures safety and regulatory compliance and adheres to ethical standards in the management of its information assets. IG is a long-term, multidisciplinary initiative and affects all areas of a company and their representatives.



The wrong answer is: Everything is taken care of by the IT department. Today, IT departments are usually happy when they keep the systems they need every day correctly maintained and securely up and running. There is little time left for long-term conceptual initiatives.

A threat of complete information overload is looming. The associated risks (operational, legal and financial) must be avoided and, at the same time, innovation and competitiveness must be increased. Information stocks are one of the most important production factors and at the same time represent a risk (e.g. data protection, data loss, tax audits, discovery processes, legal hold etc.).

The following facts make correct information governance necessary:

1.) Not all information can be kept forever.

2.) Not everything can be deleted immediately.

3.) Many employees urgently need help with structuring information.

4.) The probability of electronic house searches increases (e.g. antitrust proceedings, discovery).

5.) It doesn’t get any easier, as the amount of information is increasing rapidly.

6.) Chaos in e-mail, shared server drives and many other applications is reason enough on its own.

7.) IG as a part of corporate governance is becoming an increasingly important duty as part of proper business management.



Which principles have to be observed in an implementation?

1.) IG is a permanent, multidisciplinary process in which representatives from all areas of the company participate.

2.) Responsibility: responsible persons must be defined for each information stock.

3.) Transparency: all measures by which an organization processes information must be documented.

4.) Integrity: it must be proven whether the systems used process information correctly.

5.) Protection: Documentation of all measures that prevent a change, corruption or loss of information.

6.) Compliance: Documentation that information is processed in accordance with external and internal guidelines.

7.) Availability: any information must be findable in the future and remain legible in the long term.

8.) Storage: Correct storage must be guaranteed within the applicable time limits.

9.) Disposition: if information is no longer required operationally, it must be correctly archived, deleted or destroyed.

10.) Training and communication are very important components.



Companies with implemented IG gain control of their information assets. They possess a precise policy that documents the creation, use, processing and disposition of their information assets. The implemented measures prevent the loss of valuable company information and ensure correct handling at all company levels.

Employees gain a better understanding of the information stocks and use common terminology to describe them. Management can be sure that information is reliable, valid, accurate and quality assured. Access, use and storage meet all compliance and legal requirements.

A first step usually consists of a rough assessment of the degree of maturity of the above-mentioned IG sub-areas. This initially provides the management with an overview of where action is required.


Mag. Markus Lenotti
Managing Partner
Lenotti Advisors GmbH