05: A CIGO Maturity Model


What would a day in the life of a CIGO look like? What would the CIGO’s specific responsibilities be? What would its relationship be to other information functions and other roles within the organization? It quickly becomes clear that the answers to these questions are organization-specific. In fact, the biggest determinant of day-to-day CIGO activities is an organization’s IG maturity.

A CIGO would not, for example, start building a full compliance auditing program at an organization that only had rudimentary policies and procedures in place for just paper records. A more comprehensive set of policies and procedures would need to be developed first.

To reflect this complexity and to create a tool useful to the practitioner and to organizations considering a CIGO, we have developed a maturity framework to capture three different perspectives on the CIGO’s day-to-day responsibilities and role. The maturity levels are intended to paint a picture of IG maturity in broad brush strokes—Nascent, Intermediate, and Advanced. No organization’s IG program will perfectly correlate to any of these levels. Indeed, an organization may have parts of its IG program at all three. To create the picture for your organization, match the program characteristics to the corresponding CIGO responsibility.

The chart below outlines the responsibilities that a CIGO would have at the three maturity levels. In a Nascent, Intermediate, and Advanced program, those responsibilities would be building the foundation, developing the framework and structure, and maintaining and improving the IG program, respectively. A more detailed description of the IG maturity levels as well as the CIGO’s responsibilities at each level follows. The framework can also be thought of as both descriptive and prescriptive—showing what a CIGO might do day-to-day at each level or showing what a CIGO would need to do to take an organization to the next level.

CIGO Maturity Model 1.0

Level One: Nascent

State of IG

At this level the organization has either no IG program or only a nascent one. Many or most facets of IG are either missing entirely or are significantly underdeveloped, but basic RIM and IT functions are in place. There is no formal coordination of information-related activities. To the extent that coordination happens, it is largely unplanned and incidental. There is also no formal IG body (e.g. a steering committee, board, etc.) in place to coordinate IG. Basic policies and procedures are in place for paper records; however, those policies and procedures may be old and out of date. They do not extend to non-paper records, though there is an awareness that they should. Basic IT infrastructure (email systems, shared drives, etc.) is in place, but technology is not being used to effectuate the organization’s IG program. There is minimal or no review of compliance with existing policies and procedures. The organization has minimal or no plans in place for incidents (security breaches, discovery, etc.) and responds to them and other IG concerns as issues arise. The organization’s posture is reactive rather than proactive.

The CIGO’s Role

At this level, the CIGO role would likely not be a standalone position. It would sit within one of the other facets of IG and be “shepherded” through its development. The CIGO’s primary role would be building the foundation for IG.

The CIGO would:

  • Identify missing or underdeveloped key facets of IG and begin building out or developing these roles.
  • Begin building alliances and working relationships between the facets of IG and coordinating projects across facets.
  • Create an informal working group, leveraging emerging alliances.
  • Review and revise existing policies and procedures, expanding them, incrementally, to cover more types of information and more uses.
  • Assess current IT infrastructure, including understanding where and how information is being stored and determining the specific needs of the organization to know what technological solutions would add value.
  • Develop an employee education program on existing policies and procedures, and about IG.
  • Begin building known risks into standard policies and procedures, where possible, to routinize response to them.

Level Two: Intermediate

State of IG

At this level the organization has an established but still developing IG program. The CIGO is emerging as a quasi-independent role, but may still be tied closely to one of the other facets of IG. Many facets of IG are in place and reasonably well developed. Some roles need to be filled and some existing facets must mature. A senior IT professional (CIO/CTO) focused on infrastructure is in place, and possibly an information security officer (CISO) as well. Planned coordination of some information-related activities is occurring, but it is not comprehensive over all facets of IG or on all projects. There is a formal IG body that meets occasionally. Policies and procedures have been reviewed and updated and are being extended to non-paper information, but coverage is incomplete. Comprehensive, organization-wide policies and procedures are not yet in place. Some basic technologies are being used for IG. More advanced and comprehensive approaches are being considered. Some compliance monitoring is in place, but the coverage is spotty. The organization is in a reactive posture with respect to some types of incidents but has begun to take a proactive posture with respect to the types of crises it has addressed in the past.

The CIGO’s Role

At this level, the CIGO role would likely still be closely tied to one of the other facets of IG. However, the CIGO would be emerging as a separate and distinct function. The CIGO’s primary role would be building the framework and structure of an effective IG program.

The CIGO would:

  • Continue to shore up existing facets and build out any that are missing to create a comprehensive approach to information and begin assuming a leadership role with respect to primarily information-focused facets of IG.
  • Leverage existing alliances to have IG issues considered from the very beginning of projects. Facilitate the inclusion of other necessary facets in the planning process to encourage active coordination across information-related activities.
  • Lead the existing IG body. Ensure that all facets are represented. Encourage regular and frequent meetings where the various facets can actively plan coordination on new and existing projects.
  • Review and revise policies and procedures to cover information regardless of format. Expand and integrate policies across the organization as warranted.
  • Identify and implement/expand technological solutions to facilitate consistent application of IG policies and procedures.
  • Expand educational programs on policies and procedures. Audit compliance on critical regulatory or legal requirements and expand to audit other information activities.
  • Continue to expand the organization’s incident readiness. Ensure that all regular or anticipated events (e-discovery, investigations, employee departures, etc.) are built into processes, so they are not disrupters of routine.

Level Three: Advanced

State of IG

At this level the organization has a well-developed or advanced IG program. The CIGO is in a top level position, independent of a particular facet of IG and is a co-equal to other top information positions (CIO/CTO, CISO, etc.). The major facets of IG are in place and are well-developed. There is formal, comprehensive coordination of information-related activities. The coordination is part of a formal plan that seeks to maximize the value of information while minimizing risk. There is a formal IG body in place to coordinate IG. It communicates and meets regularly. Comprehensive, organization-wide IG policies and procedures are in place and extend to all types of information regardless of format. They are being reviewed and updated as appropriate. As appropriate, technology is being used to implement IG. Some processes are likely automated. A formal auditing procedure is in place and being executed regularly. The organization has procedures in place to avoid incidents (like breaches) where possible and also to respond to others (e.g. litigation or investigations) as part of the regular IG process.

The CIGO’s Role

At this level the CIGO would be a standalone entity and co-equal to other high level roles like the CIO/CTO and CISO. The CIGO’s primary role would be maintaining and improving the existing IG program with an eye toward optimizing the organization’s use of its information.

The CIGO would:

  • Ensure that the major facets have the resources to maintain and improve their functions. Build out minor IG facets as appropriate to optimize the organization’s use of information. Assume leadership and responsibility for information-focused facets of IG.
  • Be responsible for coordinating and integrating all information-related activities, organization-wide, and continuously improving on a formal plan to do so.
  • Lead the organization’s formal IG governing body that meets regularly to proactively coordinate IG functions.
  • Routinely review and revise policies and procedures. Streamline them to reduce the burden on end-users. Automate steps where possible.
  • Review and expand the use of technology as appropriate to streamline processes, enhance compliance, and to extract business value from information.
  • Conduct regular, formal auditing of all policies and procedures. Automate auditing functions where possible.
  • Maintain and improve the organization’s incident readiness. Expand focus on value-generating processes.

