Wednesday February 3, 2010
Information governance key to new performance agenda
Business Matters - By Susanna Lim
In November 2009, Ernst & Young released its report, Lessons from change, which provides insights from an extensive global research programme into what companies are doing to respond to current challenges and drive performance improvement.
Based on our conversations, a new agenda for success is beginning to emerge. The global economy may be stabilising but that does not mean companies expect a return to the “normal” conditions of the previous decade.
Many respondents expect a tougher future economy, and consequently, a changed business agenda.
In Lessons from change, eight performance goals were identified for companies to prepare for the rebound and to succeed in the new era.
These eight goals are interlinked and make up the “performance wheel”.
In this article, we will focus on two of these goals:
Optimise the flexibility of your operations: Increase business responsiveness through greater flexibility and resource management.
Revitalise the way you manage risk: Understand the business’ risk complexity and depth to align a strong control framework.
Our study showed that nearly 60% of respondents sought greater efficiency through (i) increased alliances and business relationships; (ii) cost reduction programmes; and (iii) use of technology (and service providers).
Correspondingly, we will illustrate the performance goal of establishing a broader governance, risk and control framework.
We will also consider the often neglected areas of information and outsourcing risks which are gaining more prominence in the new performance agenda.
Governance and risk management
Business is fundamentally about taking risk and risk management is about ensuring risks are appropriately measured and controlled.
In our recent study, Future of risk, respondents cited an increase in the following risks: financial, strategic, compliance and operational risks.
Earlier research on Fortune 1000 companies indicated that on average, 4% of revenue is spent on risk management.
Getting the right risk balance is a challenge as governance and risk frameworks are not always robust, nor comprehensively executed.
The scope may be too narrow, overly concerned with regulatory compliance, and may exclude information risks and third party risks.
In addition to infrequent assessments, there have been cases where risk management focused on internal operations rather than external operations, which is where most risks arise, including supply chain and outsourced functions such as back-office, information systems or e-commerce.
Management has grown cognisant of this, with over 80% of respondents now incorporating risk management into strategic decision-making.
Reputational risk, information risk, fraud risk and third party risk have also received a higher degree of attention.
Businesses are also paying more attention to information governance, security and outsourcing risks.
We have seen a shift in the sourcing and deployment of technology to support business flow of information.
Information and systems are now accessed by business partners, customers and service providers, leading to a rise in both internal and external threats.
Ernst & Young’s recent 12th Annual Global Information Security Survey identified improving information risk management as the top IT priority.
Out of over 1,900 respondents, 89% plan to spend more or at least the same amount on risk management in the current financial year.
Correspondingly, the effort needed to comply with a greater number and complexity of regulations has increased. Malaysian companies, like those in other countries, need to revisit their data management and security practices to meet the introduction of data protection and privacy regulations.
The survey also identified a growing concern with reprisals from recently separated employees as well as increased external attacks on websites and networks.
A robust information governance or risk framework, including the monitoring of external information and outsourcing risks, is a straightforward yet comprehensive way to assess and mitigate information security, integrity and availability risks.
However, companies may face challenges in obtaining adequate skilled resources and budget to manage information risks in the current era.
In order to revitalise information risk management effectively and efficiently, organisations need to consider leading practices, including:
i. an integrated information-centric business risk framework, which:
   - aligns processes (internal and external) with information flows
   - has more in-depth assessments to identify and manage systems, data, risks and controls
   - enforces comprehensive IT policies across the organisation, service providers and business partners
ii. enhanced information security responsiveness through:
   - a risk-based security strategy to help prioritise initiatives
   - identification of regulations, compliance and validation of controls
   - leveraging technology and co-sourced security resources to address gaps, if any
Information governance must be revitalised to support your business and will take on a new importance in the performance agenda to help organisations across the globe thrive in the new market.
Susanna Lim is a partner with Ernst & Young Advisory Services Sdn Bhd