Information Governance – What’s the problem?

Information Governance (a case study)

Information Governance

It’s a sentiment that is all-too-common in my experience – Information Governance (or ‘IG’ to the initiated) is often considered a euphemism for bureaucracy; delays; problems.

In short, Information Governance is something to be endured (and if possible, avoided altogether if you can) if you want something done quickly and easily.  It is an unnecessary distraction from getting things done, particularly where you need to do things ‘at pace and at scale’.

This point of view has always saddened me.  I am a problem solver by nature, and I have always seen my professional discipline, first and foremost, as a way of trying to accurately identify the challenge or issue that people have, in order to design practical and workable solutions which help to deliver the best possible outcome for everyone.  My favourite way to explain my approach to people is by saying “it’s unlikely to be a case of ‘no you can’t’, but it might be a case of ‘not like that’!”

Information Governance therefore provides an opportunity to ensure your problems are fully understood to ensure that any initiative can be given the greatest chance of success.

The Source of Change

Ideas for change will often be influenced by looking to the experience of others and drawing inspiration from their solutions.  If someone else has solved the problem already, ‘why reinvent the wheel?’.  The aspect which is often overlooked however is whether the problem which was solved elsewhere is indeed the same problem you have!

Drawing inspiration from others should be seen as a way of analysing your local problems.  You should look at how others have approached and tackled their challenges and seek to identify both the similarities and differences between their situation and your own.  There are nuances to problem solving and it is important not to fall into the trap of assuming that what has worked for someone else can be directly applied elsewhere.  It might be possible to simply ‘lift and shift’ a solution into your own environment, but the likelihood is that you’ll need to adapt things to suit your situation.

Diagnosis: symptoms and causes

There is an inevitable risk that when trying to address a problem you will identify symptoms rather than the actual cause.  Sometimes, as a by-product of treating the symptoms, you will inadvertently address the cause as well (but this is rare).  More often than not, if all you are doing is treating the symptoms, you are unlikely to make any significant improvements and are likely to only succeed in shifting problems elsewhere.  Worst of all, you could end up making the problem worse!  If you don’t have a good understanding of the problem at handtherefore, you might well hit upon the correct solution…but if you, do this will be more down to luck than judgement!

So, what’s the problem?

I find the best approach is to first ensure the problem you are seeking to address is accurately defined and fully understood.  It must be remembered that problems rarely exist in isolation.

Understanding your environment

Understanding the environment in which you are working allows you to know what tools you have to work with.  In the case of Information Governance, it is important to know what is currently happening, as often there are existing deficiencies which need to be understood (and addressed) as part of any change.  If the fundamentals aren’t in place already, you risk building your new solution on a foundation of sand.

Returning to the idea of drawing inspiration from the experiences of others. When it eventually comes to the task of identifying a solution for your problem. You will need to look at the particular context in which others have implemented change elsewhere.  It is likely that the appropriateness and success of any solution will have been supported by a range of wider determinants.  These may include the active support of senior staff, enthusiasm and engagement amongst stakeholders, underpinning technology, operational skills, workforce, governance frameworks, etc.  Do you have all of these in place?  If the environment into which a solution is to be implemented is different in any way, it will normally be necessary to try and replicate as much of the underpinning enablers as possible in order to replicate the success.

Assessing the change

There will inevitably be wider constraints which exist.  These constraints will often include cost, risk, benefits, quality, scope and time.  Understanding these will also help to support reasoned decision-making – something which is essential under privacy law, as there are now legal requirements relating to accountability.

Information Governance tends not to focus heavily on considerations of cost and time (how convenient you might say!) but the ideas of risk, benefits, quality and scope are key to any assessment around legal compliance.


I rarely experience a ‘hang the consequences’ attitude when it comes to risk, but conversely it is impossible to deliver anything with zero risk.  Adopting a risk-based approach is usually the answer to this conundrum.  The first step is to work out what level of risk is acceptable (a ‘risk appetite’).  This is an essential tool in order to draw a sensible balance between achieving the desired outcome at the end without introducing or increasing risk unreasonably.

The aim of any change will normally be to reduce the overall level of risk being experienced.  Although in an ideal world you would look to try and reduce all risks, the more typical scenario is that you may need to increase risk in some areas slightly in order to reduce risk in others.  Adopting a risk-based approach allows you to take a broader view of risk which focusses not on the reduction of risk everywhere but instead on ensuring that the cumulative level of risk at the end of the process is lower than it was at the start. Something which I often experience is a need to raise privacy risks slightly (perhaps by increasing the availability of personal data to a wider range of users) in order to achieve improved operational service quality or safety (normally by ensuring the right people have access to the right information at the right time).  This balance needs to be seen in the broadest context of risk in order to achieve the desired outcome of reducing risk overall.

To apply a risk-based approach in practice, any potential solution will need to be considered against both a baseline (what is the current risk being tolerated?) and a target (what level of risk are we willing to tolerate?).  Only then will you be able to determine if the end result leaves you better or worse off.  This approach also allows you to make reasonable decisions about the value in undertaking additional actions to reduce risk further (potentially increasing the time or cost to deliver the change): if you have already achieved a tolerable level of risk, further action may be unnecessary, but if you have yet to achieve a tolerable level of risk, further actions will be required (unless you are willing to reassess your risk appetite).


Being clear on the likely benefits of what you are doing is also key to achieving the right outcome.  If a solution has already been identified, but the time and cost to deliver it to an acceptable level of risk and quality turns out to be larger than expected, you will likely need to reassess the benefits to see if it is still worth it.  What may have been seen as a good idea initially when it was thought to be a ‘quick, cheap and easy fix’ could prove to be a terrible one if it transpires that it will actually cost a fortune and take far longer than anticipated to implement for comparatively little benefit.


When it comes to quality, my view tends to be that if a job is worth doing, then it’s worth doing well. I will therefore always advocate doing the best job possible, particularly when it comes to compliance with the law and best practice.  The recommendations however need to be viewed in the context of time, cost, risk and benefit.  It is often possible to make a reasoned argument to reduce the quality of delivery or perhaps to forego certain activities or actions on the basis that this would still be within the established risk appetite.  Where this will allow for delivery on time and on budget, then it becomes easier to justify any compromises which may need to be made on quality.


Scope is always a challenge with any project.  Looking to get the greatest ‘bang for your buck’ is inevitable and where it makes sense to go bigger, better or faster, this should be encouraged.  It is however certainly easier to provide more accurate advice around legal compliance when the scope of a piece of work is identified and agreed early on.  Small changes in scope (for example, expanding an initiative to cover a larger geographical area, encompass a larger number or range of users, or be used to support a broader range of service recipients) all have a potential impact.  If the scope changes, a re-assessment will likely be needed, however where the scope has been well defined initially, it becomes much easier to assess any change in scope and benefits and the impact this may have on risk and quality.

Turning problems into solutions

So, we think we’ve accurately identified the problem, we understand our environment and now we need to find the right solution.  I’m not sure I have ever actually experienced this scenario.  As we have seen, involving Information Governance expertise when analysing a problem and assessing the environment is key to identifying the correct solution.  Where a solution has already been identified without the environment or problem being fully understood, an additional problem has now been introduced: how to make the chosen solution fit.  This often results in a realisation that the ‘solution’ which has been identified may not actually be applicable in the local environment without significant local modifications, or worst of all, that the solution does not in fact address the actual problem at hand.

The skill in turning problems into solutions therefore is to start with the problem itself.  You should only seek to identify and select a solution once the problem has been accurately identified and well understood.  Only then can you be confident that the solution will indeed address your problem, and can be applied in your local environment.  Even in the worst-case scenario, you should at least be confident that any shortcomings that may exist have been identified and taken into account.

Achieving success

If you genuinely understand the problem you are seeking to address, success becomes far easier to achieve.  It allows you to accurately identify the benefits which need to be realised and set a risk appetite to support reasoned decision making around quality, scope, time and cost.  Only then should a solution be sought and agreed upon, taking into account the need for wider enablers which will be needed to ensure success.  Most importantly, engaging Information Governance professionals at the outset of a problem-solving activity can offer significant insight, help identify the most appropriate solutions based on the environment and other constraints, contribute to a risk-based approach and support the eventual success.

At 8foldGovernance we can help you to better identify and analyse your problems, understand your local environment and select appropriate solutions which stand the greatest chance of achieving success.   Contact us today to find out more about how we can help you achieve success.

Find out more about our Services

Information Governance

Consultancy or outsourcing for all of your Information Governance and Quality management needs – GDPR, DPIA’s, ISO standards.

Strategic & Commercial Partnerships

Utilise our extensive network and knowledge of digital health to improve outcomes for patients, forge ahead in your market and develop long standing key relationships.

Digital Health Implementation

Our team can implement your digital health initiative – we specialise in personal health records, integrated digital health devices and registries.

DSP Rapid Toolkit

Our service is designed for organisations with limited or no experience with the DSPT requirements. After reviewing your existing organisational Data Security arrangements we will provide you with guidance on how to ensure compliance with the DSPT standards, assisting in the production of required documentation and completion of the online submission.

Product & Clinical Risk Management

Our team can support you in every aspect of ensuring that you meet the standards related to clinical safety for any IT system supplier.


Leave a Reply

Your email address will not be published.